## https://sploitus.com/exploit?id=B71D36FC-1C19-5F81-A699-B3084CF7E96D
# Copy Fail - CVE-2026-31431 Detector and Mitigator




Detect exposure to **CVE-2026-31431 (Copy Fail)** and optionally apply a host-level mitigation by disabling `algif_aead` auto-loading on vulnerable systems.
## What this repo provides
This repository contains a single operational script:
- `copyfail-check.sh` - checks kernel patch status, runtime module exposure, and mitigation state.
- Optional automatic mitigation via `--mitigate`.
- Human-readable verdict output: `NOT AFFECTED`, `PATCHED`, `NOT EXPLOITABLE`, `MITIGATED`, or `AFFECTED`.
## Why this matters
The script is built around the Copy Fail vulnerability context:
- Vulnerable commit reference: `72548b093ee3`
- Fix commit reference: `a664bf3d603d`
It helps you quickly determine whether a Linux host is likely exposed and applies a practical temporary workaround until kernel patching is complete.
## Requirements
- Linux host
- Root privileges (`sudo` or root shell)
- Common system tools used by the script (`uname`, `modinfo`, `lsmod`, `ss`, `grep`)
## Quick start
Run detection only:
```bash
sudo ./copyfail-check.sh
```
Run detection and apply mitigation when affected:
```bash
sudo ./copyfail-check.sh --mitigate
```
## What gets checked
The script performs these checks:
1. Running as root
2. Kernel version and patch evidence (Debian/Ubuntu and RHEL/Fedora style changelog checks)
3. `algif_aead` module availability and load state
4. Existing modprobe-based block rules
5. Active AF_ALG usage that may affect unload behavior
6. Final risk verdict
## What mitigation does
When `--mitigate` is used on an affected system, the script:
- Creates `/etc/modprobe.d/disable-algif-aead.conf` containing:
- `install algif_aead /bin/false`
- Attempts to unload `algif_aead` if currently loaded
- Leaves a persistent boot-time block in place
## Important notes
- Mitigation is a **temporary risk reduction**, not a replacement for kernel patching.
- You should update to a kernel containing the upstream fix commit (`a664bf3d603d`) as soon as possible.
- The script output notes that disabling `algif_aead` is generally safe for common crypto paths (for example `dm-crypt`, LUKS, kTLS, IPsec, default OpenSSL/GnuTLS usage, SSH, kernel keyring crypto).
## Repository structure
```text
.
โโโ copyfail-check.sh
โโโ README.md
```
## Description (short)
Linux security utility to detect and mitigate CVE-2026-31431 (Copy Fail) exposure by validating kernel patch state and controlling `algif_aead` module attack surface.