Share
## https://sploitus.com/exploit?id=C280267D-26C4-5FC8-9CCC-D638A359564C
```
βββββββ βββββββ βββββββ βββ βββ ββββββββ ββββββ ββββββ
βββββββββββββββββββββββββββββ ββββ ββββββββββββββββββββββ
βββ βββ βββββββββββ βββββββ ββββββ ββββββββββββββ
βββ βββ ββββββββββ βββββ ββββββ ββββββββββββββ
ββββββββββββββββββββ βββ βββ βββ ββββββββββββββ
βββββββ βββββββ βββ βββ βββ βββ ββββββββββββββ
```
# CVE-2026-31431 β "Copy Fail"
### Linux Kernel Local Privilege Escalation via `algif_aead` Page Cache Corruption
[](https://nvd.nist.gov/vuln/detail/CVE-2026-31431)
[](https://nvd.nist.gov/vuln/detail/CVE-2026-31431)
[-yellow?style=for-the-badge&logo=linux&logoColor=black)](https://kernel.org)
[](LICENSE)
[](mitigation/)
> **β οΈ AUTHORIZED USE ONLY** β This repository is strictly for penetration testers, security researchers, and defenders operating under lawful authorization. Misuse is a criminal offense.
---
## π Table of Contents
| # | Section | Description |
|---|---------|-------------|
| 1 | [What is Copy Fail?](#-what-is-copy-fail) | Vulnerability summary |
| 2 | [Technical Deep Dive](#-technical-deep-dive) | Root cause analysis |
| 3 | [Affected Systems](#-affected-systems) | Distro & kernel matrix |
| 4 | [Repository Structure](#-repository-structure) | File layout |
| 5 | [Lab Setup](#-lab-setup) | Reproduce safely |
| 6 | [Exploit Usage](#-exploit-usage) | Pentest workflow |
| 7 | [Detection](#-detection) | YARA, Sigma, scripts |
| 8 | [Mitigation](#-mitigation) | Patch & hardening |
| 9 | [Pentest Reporting](#-pentest-reporting) | Report templates |
| 10 | [Legal & Ethics](#-legal--ethics) | Disclaimer |
| 11 | [References](#-references) | CVEs, advisories, blogs |
---
## π What is Copy Fail?
**Copy Fail** is a **local privilege escalation (LPE)** vulnerability disclosed on **April 29, 2026**, affecting virtually every major Linux distribution running kernels since **2017**.
```
Unprivileged User βββΊ AF_ALG + splice() βββΊ 4-byte Page Cache Write βββΊ ROOT
```
### Key Facts at a Glance
| Property | Detail |
|----------|--------|
| **CVE ID** | CVE-2026-31431 |
| **Nickname** | Copy Fail |
| **CVSS v3.1** | 7.8 (HIGH) |
| **Attack Vector** | Local |
| **Privileges Required** | Low (any unprivileged user) |
| **User Interaction** | None |
| **Discoverer** | Xint Code (Theori) |
| **Disclosed** | April 29, 2026 |
| **Exploit Size** | 732 bytes (Python PoC) |
| **Patch Status** | β
Available β revert commit `a664bf3d603d` |
### Why This Is Dangerous
- π΅οΈ **Stealthy** β Modification lives only in the page cache; the file on disk is **never changed**. Standard disk forensics will not detect it.
- β‘ **Reliable** β Deterministic logic flaw, not a race condition. Exploitation is consistent across environments.
- π **Universal** β Affects Ubuntu, RHEL, Amazon Linux, SUSE, Debian β every major distro since 2017.
- βΈοΈ **Cloud/K8s Impact** β Can facilitate container escape in Kubernetes workloads and CI/CD runners.
- π€ **AI-Discovered** β Found by Xint Code's AI system with ~1 hour of scan time and a single operator prompt.
---
## π¬ Technical Deep Dive
### Root Cause
The vulnerability stems from a **buggy in-place optimization** introduced in 2017 (`commit 72548b093ee3`) inside the `algif_aead` module of the Linux kernel's userspace crypto API (`AF_ALG`).
```
AF_ALG (userspace crypto API)
βββ algif_aead module
βββ authencesn template βββ VULNERABLE
βββ in-place optimization (2017)
βββ req->src == req->dst βββ pages from splice() chained into writable dst scatterlist
```
### Attack Flow
```
Step 1: Open AF_ALG AEAD socket
socket(AF_ALG, SOCK_SEQPACKET, 0)
Step 2: Send splice() pages referencing target file
(page cache pages of a privileged binary, e.g. /usr/bin/sudo)
Step 3: Trigger authencesn scratch write
authencesn uses dst buffer as scratch pad β
writes 4 controlled bytes PAST the legitimate output region
Step 4: Page cache entry for the target file is now corrupted
(disk file untouched β only in-memory copy modified)
Step 5: Execute the modified binary β ROOT
```
### Why the Page Cache?
The Linux kernel's page cache backs in-memory copies of files. When a file is read, its pages are cached. The `splice()` syscall can reference these cached pages directly. By feeding page cache pages into the AF_ALG AEAD scatterlist, the authencesn scratch write lands **inside those cached pages**, effectively patching the in-memory copy of any readable file β including privileged binaries like `sudo`, `pkexec`, or `passwd`.
### The Fix
The upstream fix reverts the flawed 2017 optimization:
```bash
# Fixed in commit: a664bf3d603d
git show a664bf3d603d
```
---
## π₯οΈ Affected Systems
### Linux Kernel Versions
| Kernel Branch | Affected? | Fixed Version |
|--------------|-----------|---------------|
| 4.9.x (LTS) | β
Yes | 4.9.340+ |
| 5.4.x (LTS) | β
Yes | 5.4.295+ |
| 5.10.x (LTS) | β
Yes | 5.10.239+ |
| 5.15.x (LTS) | β
Yes | 5.15.185+ |
| 6.1.x (LTS) | β
Yes | 6.1.132+ |
| 6.6.x (LTS) | β
Yes | 6.6.83+ |
| 6.12.x (LTS) | β
Yes | 6.12.19+ |
| **Always test in an isolated, authorized environment. Never run exploits on production systems.**
### Option A β Vagrant VM (Recommended)
```bash
# Clone the repository
git clone https://github.com/0xFuffM3/CVE-2026-31431-CopyFail.git
cd CVE-2026-31431-CopyFail
# Start the vulnerable lab VM
cd lab/
vagrant up
# SSH into the lab
vagrant ssh
# Verify kernel version (should be vulnerable)
uname -r
```
### Option B β Docker Container
```bash
cd lab/docker/
# Build vulnerable container image
docker build -t copyfail-lab .
# Run with required privileges for kernel interaction
docker run --rm -it --privileged copyfail-lab /bin/bash
```
### Check If Your System Is Vulnerable
```bash
# Run the quick check script
chmod +x detection/scripts/check_vulnerable.sh
./detection/scripts/check_vulnerable.sh
```
Expected output on a **vulnerable** system:
```
[!] Kernel version: 5.15.0-91-generic
[!] algif_aead module: LOADED
[β] System appears VULNERABLE to CVE-2026-31431 (Copy Fail)
[*] Recommended action: Apply kernel update or disable algif_aead
```
Expected output on a **patched** system:
```
[β] Kernel version: 6.1.132
[β] System appears PATCHED against CVE-2026-31431 (Copy Fail)
```
---
## π₯ Exploit Usage
> **Requires:** Local access as an unprivileged user on a vulnerable system.
### Prerequisites
```bash
# Python 3.6+
python3 --version
# Required kernel modules present
lsmod | grep algif_aead
# Verify the target binary is readable
ls -la /usr/bin/sudo
```
### Running the PoC
```bash
cd exploit/
# Check current privilege level
id
# uid=1000(user) gid=1000(user) groups=1000(user)
# Run Copy Fail PoC
python3 copyfail.py
# Verify privilege escalation
id
# uid=0(root) gid=0(root) groups=0(root)
```
### Pentest Workflow
```
1. Enumerate kernel version
βββΊ uname -r / cat /proc/version
2. Check if algif_aead is loaded
βββΊ lsmod | grep algif_aead
3. Confirm low-privilege foothold
βββΊ id / whoami
4. Execute Copy Fail PoC
βββΊ python3 exploit/copyfail.py
5. Verify root access
βββΊ id && cat /etc/shadow
6. Document evidence
βββΊ Screenshot + log kernel version, distro, exploit hash
7. Apply mitigation (post-test)
βββΊ sudo bash mitigation/disable_algif_aead.sh
8. Include in pentest report
βββΊ Use reports/pentest-report-template.md
```
---
## π Detection
### YARA Rule
```yara
// detection/yara/copyfail.yar
rule CopyFail_CVE_2026_31431 {
meta:
description = "Detects Copy Fail (CVE-2026-31431) exploit artefacts"
author = "0xFuffM3"
date = "2026-04-30"
reference = "https://copy.fail"
strings:
$py1 = "algif_aead" ascii
$py2 = "AF_ALG" ascii
$py3 = "splice" ascii
$py4 = "page_cache" ascii
$py5 = "authencesn" ascii
condition:
3 of them
}
```
Run YARA scan:
```bash
yara detection/yara/copyfail.yar /tmp/ -r
```
### Sigma Rule (SIEM)
```yaml
# detection/sigma/copyfail_lpe.yml
title: Copy Fail LPE Exploit Execution (CVE-2026-31431)
status: stable
logsource:
category: process_creation
product: linux
detection:
selection:
CommandLine|contains:
- 'AF_ALG'
- 'algif_aead'
- 'authencesn'
condition: selection
falsepositives:
- Legitimate crypto API testing
level: high
```
### Quick Detection Script
```bash
chmod +x detection/scripts/detect_algif_aead.sh
./detection/scripts/detect_algif_aead.sh
```
### Security Tool Coverage
| Tool | Detection Support |
|------|-----------------|
| Microsoft Defender (MDVM) | β
Yes |
| Tenable Nessus | β
Yes |
| Qualys | β
Yes |
| Wazuh | β
Via custom Sigma rule |
| Palo Alto Cortex XDR | β
Yes |
| CrowdStrike Falcon | β
Yes |
---
## π‘οΈ Mitigation
### Option 1 β Apply Kernel Patch (Recommended)
```bash
# Ubuntu / Debian
sudo apt-get update && sudo apt-get upgrade linux-image-generic
# RHEL / CentOS
sudo yum update kernel
# Amazon Linux
sudo yum update kernel
# After update, reboot
sudo reboot
```
### Option 2 β Disable `algif_aead` Module (Interim)
```bash
# Run the mitigation script
chmod +x mitigation/disable_algif_aead.sh
sudo bash mitigation/disable_algif_aead.sh
```
What the script does:
```bash
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead 2>/dev/null || echo "[*] Module not currently loaded"
echo "[β] algif_aead disabled. Reboot to confirm persistence."
```
### Option 3 β Kubernetes Hardening
See [`mitigation/kubernetes-hardening.md`](mitigation/kubernetes-hardening.md) for:
- Restricting `AF_ALG` socket creation in pod security policies
- Seccomp profile to block `socket(AF_ALG, ...)` syscall
- Priority patching for Kubernetes nodes and CI/CD runners
---
## π Pentest Reporting
A ready-to-use client report template is in [`reports/pentest-report-template.md`](reports/pentest-report-template.md).
### Sample Finding Summary
```
Finding: Local Privilege Escalation via Copy Fail (CVE-2026-31431)
Severity: HIGH (CVSS 7.8)
Host: 10.10.10.55 (ubuntu-prod-01)
Kernel: 5.15.0-91-generic
Evidence:
- Unprivileged shell (uid=1000) escalated to root (uid=0)
- Kernel module algif_aead confirmed loaded
- No disk artefacts β page cache only
Recommendation:
1. Apply vendor kernel patch immediately
2. Interim: disable algif_aead module
3. Review Kubernetes nodes and CI/CD runners
```
---
## βοΈ Legal & Ethics
> **Read before using anything in this repository.**
This repository is published for **legitimate security research, authorized penetration testing, and defensive security** purposes only.
- β
**Allowed:** Testing on systems you own or have explicit written authorization to test
- β
**Allowed:** Security research in isolated lab environments
- β
**Allowed:** Defensive use β detection, patching, hardening
- β **Prohibited:** Testing on systems without written authorization
- β **Prohibited:** Deploying exploits against production systems
- β **Prohibited:** Any use that violates local, national, or international law
Unauthorized use of this material may violate the **Computer Fraud and Abuse Act (CFAA)**, **EU Directive 2013/40/EU**, **Indian IT Act 2000**, and equivalent laws in your jurisdiction.
The authors assume **no liability** for misuse. See [`DISCLAIMER.md`](DISCLAIMER.md) for the full legal notice.
---
## π References
| Source | Link |
|--------|------|
| Original Disclosure (Xint/Theori) | [copy.fail](https://copy.fail) |
| Xint Code Technical Write-Up | [xint.io/blog/copy-fail](https://xint.io/blog/copy-fail-linux-distributions) |
| NVD Entry | [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2026-31431) |
| Microsoft Security Blog | [microsoft.com/security/blog](https://www.microsoft.com/en-us/security/blog/2026/05/01/cve-2026-31431-copy-fail-vulnerability-enables-linux-root-privilege-escalation/) |
| Ubuntu Advisory | [ubuntu.com/blog](https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available) |
| CERT-EU Advisory | [cert.europa.eu](https://cert.europa.eu/publications/security-advisories/2026-005/) |
| Tenable FAQ | [tenable.com/blog](https://www.tenable.com/blog/copy-fail-cve-2026-31431-frequently-asked-questions-about-linux-kernel-privilege-escalation) |
| Palo Alto Unit 42 | [unit42.paloaltonetworks.com](https://unit42.paloaltonetworks.com/cve-2026-31431-copy-fail/) |
| CloudLinux Advisory | [blog.cloudlinux.com](https://blog.cloudlinux.com/cve-2026-31431-copy-fail-kernel-update) |
| Bugcrowd Analysis | [bugcrowd.com/blog](https://www.bugcrowd.com/blog/what-we-know-about-copy-fail-cve-2026-31431/) |
| Linux Kernel Patch | [kernel.org β commit a664bf3d603d](https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/) |
---
## π€ Contributing
Security researchers are welcome to contribute:
1. Fork the repository
2. Create a feature branch: `git checkout -b feat/your-contribution`
3. Commit your changes: `git commit -m "Add: detection rule for X"`
4. Push and open a Pull Request
Please follow responsible disclosure norms. Do not include weaponized, production-ready exploit code targeting patched systems.
---
**Made for the security community β use responsibly.**
[](https://github.com/0xFuffM3)