Share
## https://sploitus.com/exploit?id=AD4D2718-3849-56E8-977A-EC52FD0E1AD0
# CVE-2026-31431 โ€” Live Code Corruption via Page Cache

A novel exploitation technique for CVE-2026-31431 ("Copy Fail") that corrupts **executable code** of running processes through the Linux kernel's page cache, achieving root privilege escalation.

## What's Different

All published exploits for this CVE corrupt **data files** โ€” modifying `/etc/passwd` to change root's UID, or patching setuid binaries on disk. This exploit does something fundamentally different: it corrupts **live executable code** in memory through the kernel's page cache mechanism.

| | Published exploits | This exploit |
|---|---|---|
| **Target** | Data files (`/etc/passwd`, `/usr/bin/su`) | Executable code (libc `.text` section) |
| **Mechanism** | File content parsed by programs | Code pages directly executed by CPU |
| **Scope** | Single file | ALL processes mapping libc |
| **Disk change** | Yes (file content modified) | No (only page cache in memory) |
| **Detection** | File integrity monitoring | Invisible to filesystem checks |

## How It Works

### The Page Cache Insight

When Linux maps a shared library with `MAP_PRIVATE`, it doesn't immediately copy the file pages. Instead, the process's page table entries point directly to the **page cache** physical pages. The copy only happens on write (copy-on-write). For code pages (`.text`), processes never write to them โ€” so they remain shared with page cache **forever**.

```
Process A (bash)     Process B (su)      Page Cache (libc)
  โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”            โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”            โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
  โ”‚ PTE  โ”‚โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€>โ”‚      โ”‚            โ”‚ exit():  โ”‚
  โ”‚      โ”‚            โ”‚ PTE  โ”‚โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€>โ”‚ endbr64  โ”‚
  โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”˜            โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”˜            โ”‚ push rax โ”‚
    MAP_PRIVATE         MAP_PRIVATE       โ”‚ ...      โ”‚
    (clean page)        (clean page)      โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
                                               โ†‘
                                    Copy Fail writes here!
```

CVE-2026-31431 gives us a controlled 4-byte write to any readable file's page cache. By corrupting libc's code pages, we modify the instructions that **every process** executes.

### The Exploit

1. **Write shellcode** (39 bytes) to the `on_exit()` function location in libc's page cache โ€” 10 writes of 4 bytes each
2. **Patch `exit()`** to jump to our shellcode โ€” 1 write of 4 bytes
3. **Trigger**: any program that calls `exit()` (virtually every program) executes our shellcode

The shellcode performs `setuid(0)` โ†’ `setgid(0)` โ†’ `execve("/bin/sh")`, giving a root shell.

## CVE-2026-31431 Overview

- **Bug**: Logic error in `crypto/algif_aead.c` โ€” the 2017 in-place optimization (`72548b093ee3`) allows `splice()` to feed page cache pages into AEAD decrypt. The `authencesn` algorithm's ESN rearrangement writes 4 scratch bytes back to the source scatterlist, corrupting the spliced file's page cache.
- **Primitive**: Deterministic 4-byte write to any readable file's page cache
- **Requirements**: None โ€” AF_ALG sockets available to unprivileged users
- **Fix**: Copy to out-of-place buffer before crypto operation (kernel 6.12.85+, 6.15+)

## Usage

```bash
# Compile
gcc -o exploit exploit.c

# Run as unprivileged user
./exploit /lib/x86_64-linux-gnu/libc-2.31.so

# Trigger โ€” run any program (it calls exit())
su -c id
# uid=0(root) gid=0(root) groups=0(root)
```

## Tested On

- **Kernel**: 6.12.79 (Ubuntu/Debian, before fix in 6.12.85)
- **glibc**: 2.31-0ubuntu9.7
- **Result**: Full root shell, verified by kernel log: `process 'id' launched '/bin/sh'`

## Files

- [`exploit.c`](exploit.c) โ€” Full exploit with shellcode injection
- [`copyfail_test.c`](copyfail_test.c) โ€” Primitive verification (tests 4-byte write)

## Timeline

- **2017**: In-place optimization introduced (`72548b093ee3`)
- **2026-04-29**: CVE-2026-31431 disclosed
- **2026-04-30**: Fix released in kernel 6.12.85
- **2026-05-06**: This exploit developed (novel live code corruption technique)

## References

- [NVD โ€” CVE-2026-31431](https://nvd.nist.gov/vuln/detail/CVE-2026-31431)
- [Fix commit](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a664bf3d603d)
- [Copy Fail analysis (Xint)](https://xint.io/blog/copy-fail-linux-distributions)

## Disclaimer

This tool is provided for authorized security research and educational purposes only. Do not use against systems you do not own or have explicit permission to test.