Share
## https://sploitus.com/exploit?id=B71D36FC-1C19-5F81-A699-B3084CF7E96D
# Copy Fail - CVE-2026-31431 Detector and Mitigator

![Bash](https://img.shields.io/badge/language-bash-1f425f.svg)
![Platform](https://img.shields.io/badge/platform-linux-blue)
![Security](https://img.shields.io/badge/security-CVE--2026--31431-critical)
![Status](https://img.shields.io/badge/status-active-success)

Detect exposure to **CVE-2026-31431 (Copy Fail)** and optionally apply a host-level mitigation by disabling `algif_aead` auto-loading on vulnerable systems.

## What this repo provides

This repository contains a single operational script:

- `copyfail-check.sh` - checks kernel patch status, runtime module exposure, and mitigation state.
- Optional automatic mitigation via `--mitigate`.
- Human-readable verdict output: `NOT AFFECTED`, `PATCHED`, `NOT EXPLOITABLE`, `MITIGATED`, or `AFFECTED`.

## Why this matters

The script is built around the Copy Fail vulnerability context:

- Vulnerable commit reference: `72548b093ee3`
- Fix commit reference: `a664bf3d603d`

It helps you quickly determine whether a Linux host is likely exposed and applies a practical temporary workaround until kernel patching is complete.

## Requirements

- Linux host
- Root privileges (`sudo` or root shell)
- Common system tools used by the script (`uname`, `modinfo`, `lsmod`, `ss`, `grep`)

## Quick start

Run detection only:

```bash
sudo ./copyfail-check.sh
```

Run detection and apply mitigation when affected:

```bash
sudo ./copyfail-check.sh --mitigate
```

## What gets checked

The script performs these checks:

1. Running as root
2. Kernel version and patch evidence (Debian/Ubuntu and RHEL/Fedora style changelog checks)
3. `algif_aead` module availability and load state
4. Existing modprobe-based block rules
5. Active AF_ALG usage that may affect unload behavior
6. Final risk verdict

## What mitigation does

When `--mitigate` is used on an affected system, the script:

- Creates `/etc/modprobe.d/disable-algif-aead.conf` containing:
  - `install algif_aead /bin/false`
- Attempts to unload `algif_aead` if currently loaded
- Leaves a persistent boot-time block in place

## Important notes

- Mitigation is a **temporary risk reduction**, not a replacement for kernel patching.
- You should update to a kernel containing the upstream fix commit (`a664bf3d603d`) as soon as possible.
- The script output notes that disabling `algif_aead` is generally safe for common crypto paths (for example `dm-crypt`, LUKS, kTLS, IPsec, default OpenSSL/GnuTLS usage, SSH, kernel keyring crypto).

## Repository structure

```text
.
โ”œโ”€โ”€ copyfail-check.sh
โ””โ”€โ”€ README.md
```

## Description (short)

Linux security utility to detect and mitigate CVE-2026-31431 (Copy Fail) exposure by validating kernel patch state and controlling `algif_aead` module attack surface.