Share
## https://sploitus.com/exploit?id=C7CEC905-807C-5C03-9526-5D00A76D5672
# CVE-2026-31431 β€” Copy Fail

[δΈ­ζ–‡η‰ˆ](README_zh.md)

**732 Bytes to Root on Every Major Linux Distribution**

[CVE-2026-31431](https://copy.fail/) (Copy Fail) is a logic bug in the Linux kernel's `authencesn` cryptographic template. It allows an unprivileged local user to trigger a deterministic, controlled 4-byte write into the page cache of any readable file on the system.

## Overview

- **CVE ID:** CVE-2026-31431
- **Type:** Local Privilege Escalation / Container Escape
- **Affected:** Linux kernels with `CONFIG_CRYPTO_AUTHENC` (essentially all major distros since 2017)
- **Discovered by:** [Xint Code Research Team](https://xint.io/), with initial insight from Theori researcher Taeyang Lee

## How It Works

The bug chains two behaviors:

1. **AF_ALG + splice**: `splice()` transfers page cache pages by reference into an AF_ALG socket's scatterlist. For AEAD decryption in-place mode, the tag pages (from the target file's page cache) remain chained to the output scatterlist via `sg_chain()`.

2. **authencesn scratch write**: `crypto_authenc_esn_decrypt()` uses `dst[assoclen + cryptlen]` (past the tag, into the page cache pages) as scratch space for ESN sequence number rearrangement, writing 4 attacker-controlled bytes and never restoring them.

The corrupted page is **never marked dirty**, so the on-disk file remains unchanged. But the in-memory page cache is what actually gets read β€” making the corruption immediately visible system-wide.

## Exploit

The exploit corrupts the page cache of `/usr/bin/su` (or any setuid binary) with a small shellcode payload, 4 bytes at a time. After all iterations, running `su` executes the payload and drops to a root shell.

### Python (exp.py)

Requires Python 3.10+ (for `os.splice`). Uses only standard library modules.


```bash
python3 exp.py
```

### C (exp.c)

No Python dependency. Compile and run:

```bash
gcc -o exp exp.c
./exp
```

## Impact

| Capability | Details |
|---|---|
| **Portable** | Same script works on Ubuntu, Amazon Linux, RHEL, SUSE, and more β€” no per-distro offsets |
| **Tiny** | Python exploit is ~732 bytes |
| **Stealthy** | Bypasses VFS write path; page never marked dirty; on-disk checksums unchanged |
| **Cross-container** | Page cache is shared across containers β€” container escape vector (see Part 2) |

## References

- [copy.fail β€” Official Advisory](https://copy.fail/)
- [Xint Blog β€” Copy Fail: 732 Bytes to Root](https://xint.io/blog/copy-fail-linux-distributions)
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2026-31431)

## Disclaimer

This repository is published for educational and defensive research purposes only. Do not use this code on systems you do not own or have explicit permission to test.