Share
## https://sploitus.com/exploit?id=B176EA1D-9CFC-56B7-989D-8172C40A97A6
# CVE-2026-31431 (Copy Fail) Toolset

This repository contains the Linux `algif_aead` / `authencesn` page cache scratch-write vulnerability. It includes detectors and PoCs for CVE-2026-31431. Disclosure article:

## License Notes

This tool can only be used on hosts where you own or have explicit permission. The detector is non-destructive; it only operates on temporary sentinel files. The PoC and LPE modify the state of kernel page caches in memory, which constitutes real local privilege escalation. Running them without authorization is typically illegal.

## Vulnerability Description

`algif_aead` executes AEAD operations in place, i.e., when `req->src == req->dst`. When input data is passed from a normal file using `splice()`, the target scatterlist will contain references to the file’s page cache. This allows the kernel to write a copy of the file’s page cache. `authencesn(hmac(sha256),cbc(aes))` performs a 4-byte scratch write on the `seqno_lo` field (bytes 4 to 7 of the AAD). Combining this in-place AEAD with the `splice()` path allows an attacker to make these 4 bytes appear in the page cache of readable files. This modification does not write back to disk; it only affects the current kernel page cache. Therefore, the content of the file on disk remains unchanged, but readers who share that page cache will see the corrupted content. Files like `/etc/passwd` and `/usr/bin/su`, which are world-readable, could become targets.

## File Descriptions

| File | Description |
| --- | --- |
| `test_cve_2026_31431.py` | A non-destructive Python detector. It only operates on temporary sentinel files and does not touch system files. |
| `src/main.rs` | A non-destructive Rust detector. The detection logic and exit code are the same as the Python detector. |
| `src/bin/poc.rs` | A Rust version of `poc.py`. It corrupts the page cache of `/usr/bin/su` and executes `su`. |
| `poc.py` | A Python PoC. |
| `exploit_cve_2026_31431.py` | A Python LPE. It attempts to obtain a root shell by corrupting the `/etc/passwd` page cache. |

## Compile Official Versions

Rust toolchain and Cargo must be installed on your machine. Compile all Rust binaries:

```sh
cargo build --release --bins
```

After compilation, the following files will be generated:

```sh
target/release/cve_2026_31431_detector
target/release/cve_2026_31431_poc
```

If you want to submit pre-compiled files to the repository, please put them in:

```sh
dist/linux-x86_64/cve_2026_31431_detector
dist/linux-x86_64/cve_2026_31431_poc
dist/linux-x86_64/SHA256SUMS
```

Do not submit the entire `target/` directory; it contains Cargo intermediate products and local caches. Only compile the non-destructive detectors:

```sh
cargo build --release --bin cve_2026_31431_detector
```

Only compile the Rust version of `poc.py`:

```sh
cargo build --release --bin cve_2026_31431_poc
```

## Verify if the Vulnerability Exists

It is recommended to use the Rust non-destructive detector:

```sh
./target/release/cve_2026_31431_detector
echo $?
```

You can also run it directly using Cargo:

```sh
cargo run --release --bin cve_2026_31431_detector
echo $?
```

Python detector usage:

```sh
python3 test_cve_2026_31431.py
echo $?
```

Meaning of exit codes:

| Exit Code | Meaning |
| --- | --- |

| `0` | No vulnerabilities were detected, or the prerequisites were not met. For example, `AF_ALG` / `authencesn` is not available. |
| `2` | A vulnerability related to CVE-2026-31431 was detected. |
| `1` | An error occurred during the testing process, and the results cannot be used as a basis for determining vulnerabilities. |

Common output conclusions:

| Output | Conclusion |
| --- | --- |
| `Conclusion: No vulnerabilities found` | No vulnerabilities were detected, or the prerequisites were not met. |
| `Conclusion: There is a vulnerability related to CVE-2026-31431` | The marker `PWND` successfully landed on the spliced page cache, indicating a vulnerability exists. |
| `Conclusion: There is a suspected vulnerability related to CVE-2026-31431` | The page cache was modified, and even if the marker does not land in the expected position, it should still be considered affected. |
| `Error occurred during testing; unable to determine if a vulnerability exists` | Testing failed; the exit code is `1`. It is necessary to rerun the test based on the error message. |

Operations performed by the detector:

1. Check whether `AF_ALG` and `authencesn(hmac(sha256),cbc(aes))` are available. 
2. Create a 4 KiB sentinel file in a temporary directory. 
3. Send AAD using `sendmsg`, and set `seqno_lo` of AAD to the marker `PWND`. 
4. Use `splice()` to send the sentinel file to the AF_ALG op socket. 
5. Call the `recv()` driver algorithm. 
6. Re-read the sentinel file to check whether the marker or other modifications appear in the page cache. The detector does not modify `/usr/bin/su`, `/etc/passwd`, or other system files. The temporary sentinel file will be deleted when the process exits. ## Run PoC

Rust version of `poc.py`:

```sh
./target/release/cve_2026_31431_poc
```

Or:

```sh
cargo run --release --bin cve_2026_31431_poc
```

Note: This PoC will open `/usr/bin/su` according to the logic of `poc.py`, contaminate its page cache with vulnerabilities, and then execute `su`. This is not a non-destructive detection process; it should only be run in an authorized testing environment. ## Python LPE usage

```sh
python3 exploit_cve_2026_31431.py
python3 exploit_cve_2026_31431.py --shell
```

This script will search for the UID in `/etc/passwd of the current user and attempt to change the UID in the page cache to `0000`. The `/etc/passwd file on disk will not be modified, but the system process may see the contaminated content when reading the page cache. Limitations:

- The UID of the current user must be a 4-digit number, such as `1000` to `9999`. 
- NSS cache services, such as `nscd`, `sssd`, and `systemd-userdbd`, may mask changes to the `/etc/passwd` page cache. 
- The `/etc/passwd` page cache must remain present between patching and executing `su`. Cleaning the page cache:

```sh
python3 -c "import os; fd=os.open('/etc/passwd', os.O_RDONLY); os.posix_fadvise(fd, 0, 0, os.POSIX_FADV_DONTNEED); os.close(fd)"
```

If you have obtained a root shell, you can also execute:

```sh
echo 3 > /proc/sys/vm/drop_caches
```

Restarting will also clear the page cache state. ## Mitigation measures

Before the kernel is fixed in the release version, you can disable `algif_aead`:

```sh
sudo tee /etc/modprobe.d/disable-algif-aead.conf /dev/null
```

After applying mitigation, the detector usually outputs `Conclusion: No vulnerabilities found` and indicates that the prerequisites were not met. The exit code is `0`. The approach to upstream fixes is to restore AEAD operations from processing, preventing the page cache from entering the writable destination scatterlist. ## References

- Xint disclosure article:
- CVE-2026-31431