Share
## https://sploitus.com/exploit?id=C280267D-26C4-5FC8-9CCC-D638A359564C
```
                                    β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ•—   β–ˆβ–ˆβ•—    β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ•—β–ˆβ–ˆβ•—
                                   β–ˆβ–ˆβ•”β•β•β•β•β•β–ˆβ–ˆβ•”β•β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β•šβ–ˆβ–ˆβ•— β–ˆβ–ˆβ•”β•    β–ˆβ–ˆβ•”β•β•β•β•β•β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘
                                   β–ˆβ–ˆβ•‘     β–ˆβ–ˆβ•‘   β–ˆβ–ˆβ•‘β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•”β• β•šβ–ˆβ–ˆβ–ˆβ–ˆβ•”β•     β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—  β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘
                                   β–ˆβ–ˆβ•‘     β–ˆβ–ˆβ•‘   β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β•β•β•β•   β•šβ–ˆβ–ˆβ•”β•      β–ˆβ–ˆβ•”β•β•β•  β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘
                                        β•šβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β•šβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•”β•β–ˆβ–ˆβ•‘        β–ˆβ–ˆβ•‘       β–ˆβ–ˆβ•‘     β–ˆβ–ˆβ•‘  β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—
                                         β•šβ•β•β•β•β•β• β•šβ•β•β•β•β•β• β•šβ•β•        β•šβ•β•       β•šβ•β•     β•šβ•β•  β•šβ•β•β•šβ•β•β•šβ•β•β•β•β•β•β•
```

# CVE-2026-31431 β€” "Copy Fail"
### Linux Kernel Local Privilege Escalation via `algif_aead` Page Cache Corruption



[![CVE](https://img.shields.io/badge/CVE-2026--31431-critical?style=for-the-badge&logo=redhat&logoColor=white&color=CC0000)](https://nvd.nist.gov/vuln/detail/CVE-2026-31431)
[![CVSS](https://img.shields.io/badge/CVSS-7.8%20HIGH-orange?style=for-the-badge&logo=security&logoColor=white)](https://nvd.nist.gov/vuln/detail/CVE-2026-31431)
[![Kernel](https://img.shields.io/badge/Linux%20Kernel-4.9%2B%20(2017--2026)-yellow?style=for-the-badge&logo=linux&logoColor=black)](https://kernel.org)
[![License](https://img.shields.io/badge/License-Research%20Only-blue?style=for-the-badge)](LICENSE)
[![Status](https://img.shields.io/badge/Patch-Available-brightgreen?style=for-the-badge&logo=checkmarx)](mitigation/)



> **⚠️ AUTHORIZED USE ONLY** β€” This repository is strictly for penetration testers, security researchers, and defenders operating under lawful authorization. Misuse is a criminal offense.



---

## πŸ“– Table of Contents

| # | Section | Description |
|---|---------|-------------|
| 1 | [What is Copy Fail?](#-what-is-copy-fail) | Vulnerability summary |
| 2 | [Technical Deep Dive](#-technical-deep-dive) | Root cause analysis |
| 3 | [Affected Systems](#-affected-systems) | Distro & kernel matrix |
| 4 | [Repository Structure](#-repository-structure) | File layout |
| 5 | [Lab Setup](#-lab-setup) | Reproduce safely |
| 6 | [Exploit Usage](#-exploit-usage) | Pentest workflow |
| 7 | [Detection](#-detection) | YARA, Sigma, scripts |
| 8 | [Mitigation](#-mitigation) | Patch & hardening |
| 9 | [Pentest Reporting](#-pentest-reporting) | Report templates |
| 10 | [Legal & Ethics](#-legal--ethics) | Disclaimer |
| 11 | [References](#-references) | CVEs, advisories, blogs |

---

## πŸ” What is Copy Fail?

**Copy Fail** is a **local privilege escalation (LPE)** vulnerability disclosed on **April 29, 2026**, affecting virtually every major Linux distribution running kernels since **2017**.

```
Unprivileged User  ──►  AF_ALG + splice()  ──►  4-byte Page Cache Write  ──►  ROOT
```

### Key Facts at a Glance

| Property | Detail |
|----------|--------|
| **CVE ID** | CVE-2026-31431 |
| **Nickname** | Copy Fail |
| **CVSS v3.1** | 7.8 (HIGH) |
| **Attack Vector** | Local |
| **Privileges Required** | Low (any unprivileged user) |
| **User Interaction** | None |
| **Discoverer** | Xint Code (Theori) |
| **Disclosed** | April 29, 2026 |
| **Exploit Size** | 732 bytes (Python PoC) |
| **Patch Status** | βœ… Available β€” revert commit `a664bf3d603d` |

### Why This Is Dangerous

- πŸ•΅οΈ **Stealthy** β€” Modification lives only in the page cache; the file on disk is **never changed**. Standard disk forensics will not detect it.
- ⚑ **Reliable** β€” Deterministic logic flaw, not a race condition. Exploitation is consistent across environments.
- 🌐 **Universal** β€” Affects Ubuntu, RHEL, Amazon Linux, SUSE, Debian β€” every major distro since 2017.
- ☸️ **Cloud/K8s Impact** β€” Can facilitate container escape in Kubernetes workloads and CI/CD runners.
- πŸ€– **AI-Discovered** β€” Found by Xint Code's AI system with ~1 hour of scan time and a single operator prompt.

---

## πŸ”¬ Technical Deep Dive

### Root Cause

The vulnerability stems from a **buggy in-place optimization** introduced in 2017 (`commit 72548b093ee3`) inside the `algif_aead` module of the Linux kernel's userspace crypto API (`AF_ALG`).

```
AF_ALG (userspace crypto API)
└── algif_aead module
    └── authencesn template  ◄── VULNERABLE
        └── in-place optimization (2017)
            └── req->src == req->dst  ◄── pages from splice() chained into writable dst scatterlist
```

### Attack Flow

```
Step 1: Open AF_ALG AEAD socket
        socket(AF_ALG, SOCK_SEQPACKET, 0)

Step 2: Send splice() pages referencing target file
        (page cache pages of a privileged binary, e.g. /usr/bin/sudo)

Step 3: Trigger authencesn scratch write
        authencesn uses dst buffer as scratch pad β†’
        writes 4 controlled bytes PAST the legitimate output region

Step 4: Page cache entry for the target file is now corrupted
        (disk file untouched β€” only in-memory copy modified)

Step 5: Execute the modified binary β†’ ROOT
```

### Why the Page Cache?

The Linux kernel's page cache backs in-memory copies of files. When a file is read, its pages are cached. The `splice()` syscall can reference these cached pages directly. By feeding page cache pages into the AF_ALG AEAD scatterlist, the authencesn scratch write lands **inside those cached pages**, effectively patching the in-memory copy of any readable file β€” including privileged binaries like `sudo`, `pkexec`, or `passwd`.

### The Fix

The upstream fix reverts the flawed 2017 optimization:

```bash
# Fixed in commit: a664bf3d603d
git show a664bf3d603d
```

---

## πŸ–₯️ Affected Systems

### Linux Kernel Versions

| Kernel Branch | Affected? | Fixed Version |
|--------------|-----------|---------------|
| 4.9.x (LTS) | βœ… Yes | 4.9.340+ |
| 5.4.x (LTS) | βœ… Yes | 5.4.295+ |
| 5.10.x (LTS) | βœ… Yes | 5.10.239+ |
| 5.15.x (LTS) | βœ… Yes | 5.15.185+ |
| 6.1.x (LTS) | βœ… Yes | 6.1.132+ |
| 6.6.x (LTS) | βœ… Yes | 6.6.83+ |
| 6.12.x (LTS) | βœ… Yes | 6.12.19+ |
|  **Always test in an isolated, authorized environment. Never run exploits on production systems.**

### Option A β€” Vagrant VM (Recommended)

```bash
# Clone the repository
git clone https://github.com/0xFuffM3/CVE-2026-31431-CopyFail.git
cd CVE-2026-31431-CopyFail

# Start the vulnerable lab VM
cd lab/
vagrant up

# SSH into the lab
vagrant ssh

# Verify kernel version (should be vulnerable)
uname -r
```

### Option B β€” Docker Container

```bash
cd lab/docker/

# Build vulnerable container image
docker build -t copyfail-lab .

# Run with required privileges for kernel interaction
docker run --rm -it --privileged copyfail-lab /bin/bash
```

### Check If Your System Is Vulnerable

```bash
# Run the quick check script
chmod +x detection/scripts/check_vulnerable.sh
./detection/scripts/check_vulnerable.sh
```

Expected output on a **vulnerable** system:
```
[!] Kernel version: 5.15.0-91-generic
[!] algif_aead module: LOADED
[βœ—] System appears VULNERABLE to CVE-2026-31431 (Copy Fail)
[*] Recommended action: Apply kernel update or disable algif_aead
```

Expected output on a **patched** system:
```
[βœ“] Kernel version: 6.1.132
[βœ“] System appears PATCHED against CVE-2026-31431 (Copy Fail)
```

---

## πŸ’₯ Exploit Usage

> **Requires:** Local access as an unprivileged user on a vulnerable system.

### Prerequisites

```bash
# Python 3.6+
python3 --version

# Required kernel modules present
lsmod | grep algif_aead

# Verify the target binary is readable
ls -la /usr/bin/sudo
```

### Running the PoC

```bash
cd exploit/

# Check current privilege level
id
# uid=1000(user) gid=1000(user) groups=1000(user)

# Run Copy Fail PoC
python3 copyfail.py

# Verify privilege escalation
id
# uid=0(root) gid=0(root) groups=0(root)
```

### Pentest Workflow

```
1. Enumerate kernel version
   └─► uname -r / cat /proc/version

2. Check if algif_aead is loaded
   └─► lsmod | grep algif_aead

3. Confirm low-privilege foothold
   └─► id / whoami

4. Execute Copy Fail PoC
   └─► python3 exploit/copyfail.py

5. Verify root access
   └─► id && cat /etc/shadow

6. Document evidence
   └─► Screenshot + log kernel version, distro, exploit hash

7. Apply mitigation (post-test)
   └─► sudo bash mitigation/disable_algif_aead.sh

8. Include in pentest report
   └─► Use reports/pentest-report-template.md
```

---

## πŸ”Ž Detection

### YARA Rule

```yara
// detection/yara/copyfail.yar
rule CopyFail_CVE_2026_31431 {
    meta:
        description = "Detects Copy Fail (CVE-2026-31431) exploit artefacts"
        author      = "0xFuffM3"
        date        = "2026-04-30"
        reference   = "https://copy.fail"
    strings:
        $py1 = "algif_aead" ascii
        $py2 = "AF_ALG" ascii
        $py3 = "splice" ascii
        $py4 = "page_cache" ascii
        $py5 = "authencesn" ascii
    condition:
        3 of them
}
```

Run YARA scan:
```bash
yara detection/yara/copyfail.yar /tmp/ -r
```

### Sigma Rule (SIEM)

```yaml
# detection/sigma/copyfail_lpe.yml
title: Copy Fail LPE Exploit Execution (CVE-2026-31431)
status: stable
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        CommandLine|contains:
            - 'AF_ALG'
            - 'algif_aead'
            - 'authencesn'
    condition: selection
falsepositives:
    - Legitimate crypto API testing
level: high
```

### Quick Detection Script

```bash
chmod +x detection/scripts/detect_algif_aead.sh
./detection/scripts/detect_algif_aead.sh
```

### Security Tool Coverage

| Tool | Detection Support |
|------|-----------------|
| Microsoft Defender (MDVM) | βœ… Yes |
| Tenable Nessus | βœ… Yes |
| Qualys | βœ… Yes |
| Wazuh | βœ… Via custom Sigma rule |
| Palo Alto Cortex XDR | βœ… Yes |
| CrowdStrike Falcon | βœ… Yes |

---

## πŸ›‘οΈ Mitigation

### Option 1 β€” Apply Kernel Patch (Recommended)

```bash
# Ubuntu / Debian
sudo apt-get update && sudo apt-get upgrade linux-image-generic

# RHEL / CentOS
sudo yum update kernel

# Amazon Linux
sudo yum update kernel

# After update, reboot
sudo reboot
```

### Option 2 β€” Disable `algif_aead` Module (Interim)

```bash
# Run the mitigation script
chmod +x mitigation/disable_algif_aead.sh
sudo bash mitigation/disable_algif_aead.sh
```

What the script does:
```bash
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead 2>/dev/null || echo "[*] Module not currently loaded"
echo "[βœ“] algif_aead disabled. Reboot to confirm persistence."
```

### Option 3 β€” Kubernetes Hardening

See [`mitigation/kubernetes-hardening.md`](mitigation/kubernetes-hardening.md) for:
- Restricting `AF_ALG` socket creation in pod security policies
- Seccomp profile to block `socket(AF_ALG, ...)` syscall
- Priority patching for Kubernetes nodes and CI/CD runners

---

## πŸ“ Pentest Reporting

A ready-to-use client report template is in [`reports/pentest-report-template.md`](reports/pentest-report-template.md).

### Sample Finding Summary

```
Finding:    Local Privilege Escalation via Copy Fail (CVE-2026-31431)
Severity:   HIGH (CVSS 7.8)
Host:       10.10.10.55 (ubuntu-prod-01)
Kernel:     5.15.0-91-generic

Evidence:
  - Unprivileged shell (uid=1000) escalated to root (uid=0)
  - Kernel module algif_aead confirmed loaded
  - No disk artefacts β€” page cache only

Recommendation:
  1. Apply vendor kernel patch immediately
  2. Interim: disable algif_aead module
  3. Review Kubernetes nodes and CI/CD runners
```

---

## βš–οΈ Legal & Ethics

> **Read before using anything in this repository.**

This repository is published for **legitimate security research, authorized penetration testing, and defensive security** purposes only.

- βœ… **Allowed:** Testing on systems you own or have explicit written authorization to test
- βœ… **Allowed:** Security research in isolated lab environments
- βœ… **Allowed:** Defensive use β€” detection, patching, hardening
- ❌ **Prohibited:** Testing on systems without written authorization
- ❌ **Prohibited:** Deploying exploits against production systems
- ❌ **Prohibited:** Any use that violates local, national, or international law

Unauthorized use of this material may violate the **Computer Fraud and Abuse Act (CFAA)**, **EU Directive 2013/40/EU**, **Indian IT Act 2000**, and equivalent laws in your jurisdiction.

The authors assume **no liability** for misuse. See [`DISCLAIMER.md`](DISCLAIMER.md) for the full legal notice.

---

## πŸ“š References

| Source | Link |
|--------|------|
| Original Disclosure (Xint/Theori) | [copy.fail](https://copy.fail) |
| Xint Code Technical Write-Up | [xint.io/blog/copy-fail](https://xint.io/blog/copy-fail-linux-distributions) |
| NVD Entry | [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2026-31431) |
| Microsoft Security Blog | [microsoft.com/security/blog](https://www.microsoft.com/en-us/security/blog/2026/05/01/cve-2026-31431-copy-fail-vulnerability-enables-linux-root-privilege-escalation/) |
| Ubuntu Advisory | [ubuntu.com/blog](https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available) |
| CERT-EU Advisory | [cert.europa.eu](https://cert.europa.eu/publications/security-advisories/2026-005/) |
| Tenable FAQ | [tenable.com/blog](https://www.tenable.com/blog/copy-fail-cve-2026-31431-frequently-asked-questions-about-linux-kernel-privilege-escalation) |
| Palo Alto Unit 42 | [unit42.paloaltonetworks.com](https://unit42.paloaltonetworks.com/cve-2026-31431-copy-fail/) |
| CloudLinux Advisory | [blog.cloudlinux.com](https://blog.cloudlinux.com/cve-2026-31431-copy-fail-kernel-update) |
| Bugcrowd Analysis | [bugcrowd.com/blog](https://www.bugcrowd.com/blog/what-we-know-about-copy-fail-cve-2026-31431/) |
| Linux Kernel Patch | [kernel.org β€” commit a664bf3d603d](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/) |

---

## 🀝 Contributing

Security researchers are welcome to contribute:

1. Fork the repository
2. Create a feature branch: `git checkout -b feat/your-contribution`
3. Commit your changes: `git commit -m "Add: detection rule for X"`
4. Push and open a Pull Request

Please follow responsible disclosure norms. Do not include weaponized, production-ready exploit code targeting patched systems.

---



**Made for the security community β€” use responsibly.**

[![Follow](https://img.shields.io/badge/Follow-GitHub-black?style=flat-square&logo=github)](https://github.com/0xFuffM3)