Share
## https://sploitus.com/exploit?id=C997D6D5-BF2D-5877-B1C8-4D197BCC17E0
# CVE-2026-31431 "Copy Fail" โ Safe Probe Suite
[](LICENSE)
[](https://xint.io/blog/copy-fail-linux-distributions)
[](https://nvd.nist.gov/vuln/detail/CVE-2026-31431)

Safe detection tooling for **CVE-2026-31431 "Copy Fail"** โ a local privilege
escalation in the Linux kernel's `algif_aead` module affecting all major
distributions since 2017.
> **This probe opens no `AF_ALG` sockets and performs no crypto operations.**
> It reads only: `uname -r`, `/proc/cmdline`, `/sys/module/`, `/lib/modules/*/modules.builtin`, `/etc/modprobe.d/`, and distro package metadata.
---
## Background
The exploit requires this exact syscall chain:
```
socket(AF_ALG, SOCK_SEQPACKET, 0)
bind(fd, {alg_type="aead", alg_name="authencesn(hmac(sha256),cbc(aes))"})
accept(fd, ...)
splice(suid_binary_fd, op_fd) โ page cache fed into crypto subsystem
sendmsg / recvmsg โ 4-byte scratch write lands in page cache
```
None of these are touched by the probe. Detection is based purely on:
1. **Kernel version range** โ regression introduced in 4.14 (2017), fixed in 6.18.22 / 6.19.12 / 6.20+
2. **Distro package version** โ detects vendor backports via `dpkg`/`rpm`
3. **Module state** โ loaded, absent, or built-in
4. **Active mitigations** โ `modprobe.d` blacklist and `initcall_blacklist` kernel cmdline flag
---
## Files
```
.
โโโ cve-2026-31431-check.sh Core probe (all output modes)
โโโ copy_fail_userparameter.conf Zabbix agent UserParameter config
โโโ zabbix_template_copy_fail.yaml Zabbix 6.4 template (import via GUI/API)
โโโ copy_fail_auditd.rules auditd behavioral detection rules
โโโ wazuh_sca/
โ โโโ copy_fail_sca.yml Wazuh SCA compliance policy
โโโ ansible/
โโโ copy_fall_scan.yml Fleet-wide Ansible scan playbook
```
---
## Quick start
```bash
chmod +x cve-2026-31431-check.sh
./cve-2026-31431-check.sh # human-readable
./cve-2026-31431-check.sh --json # machine-readable
./cve-2026-31431-check.sh --nagios # Nagios/Icinga/NRPE
./cve-2026-31431-check.sh --zabbix # integer 0/1/2 for Zabbix item
```
**Exit codes:** `0` = PATCHED or MITIGATED ยท `1` = VULNERABLE ยท `2` = UNKNOWN
### Example output
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
CVE-2026-31431 (Copy Fail) โ Vulnerability Probe
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Host : webserver01.hevra.haifa.ac.il
Kernel : 6.8.0-60-generic
Distro : ubuntu 24.04
โโ Kernel version โโโโโโโโโโโโโโโโโโโโโโโโโโ
Status : vulnerable
Note : In vulnerable range (4.14โ6.17); check distro package
โโ Package (vendor backport check) โโโโโโโโโ
Check : found
Version : 6.8.0-60.63
Note : compare to Ubuntu USN for your series
โโ Module / mitigation status โโโโโโโโโโโโโโ
Built-in : false
Absent : true
modprobe.d : true
cmdline mit : false
Effective : true
Mit. note : modprobe.d blacklist present and module not loaded
โโ Verdict โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
MITIGATED modprobe.d blacklist present and module not loaded
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
```
---
## Zabbix
```bash
# On each monitored host:
mkdir -p /etc/zabbix/scripts
install -m 750 -o zabbix -g zabbix \
cve-2026-31431-check.sh /etc/zabbix/scripts/
cp copy_fail_userparameter.conf /etc/zabbix/zabbix_agentd.d/
systemctl restart zabbix-agent # or zabbix-agent2
# Test as the zabbix user:
sudo -u zabbix /etc/zabbix/scripts/cve-2026-31431-check.sh
```
Import `zabbix_template_copy_fail.yaml` via **Configuration โ Templates โ Import**.
The template provides:
- Item `copy_fail.status` (integer, checked hourly) โ `0`=safe ยท `1`=vulnerable ยท `2`=unknown
- Item `copy_fail.detail` (string) โ human-readable verdict
- **HIGH trigger** when status = 1
- **WARNING trigger** when status = 2
The script needs no `sudo` โ every file it reads is world-readable.
---
## Nagios / Icinga / CheckMK / NRPE
```bash
install -m 755 cve-2026-31431-check.sh /usr/lib/nagios/plugins/
# NRPE โ add to /etc/nagios/nrpe.cfg:
command[check_copy_fail]=/usr/lib/nagios/plugins/cve-2026-31431-check.sh --nagios
# CheckMK local check โ /usr/lib/check_mk_agent/local/copy_fail:
#!/bin/bash
OUT=$(/usr/lib/nagios/plugins/cve-2026-31431-check.sh --nagios)
RC=$?
echo "$RC CVE-2026-31431 - $OUT"
```
---
## auditd โ behavioral / runtime detection
Detects an **active exploit attempt** in progress, complementing the static probe.
```bash
cp copy_fail_auditd.rules /etc/audit/rules.d/
augenrules --load
# Watch for unexpected AF_ALG callers:
ausearch -k copy_fail_af_alg --interpret | \
grep -v -E 'cryptsetup|veritysetup|systemd-crypt|kcapi'
```
Wazuh rule stubs (level 13 / 15) are embedded in the `.rules` file comments.
---
## Wazuh SCA
```bash
cp wazuh_sca/copy_fail_sca.yml /var/ossec/etc/shared/default/
/var/ossec/bin/agent_control -r -a # force rescan
```
Results: **Security โ SCA โ Filter by policy `cve_2026_31431_copy_fail`**
---
## Ansible โ fleet scan
```bash
ansible-playbook -i inventory/hosts ansible/copy_fall_scan.yml
# or limit to a subset:
ansible-playbook -i inventory/hosts ansible/copy_fall_scan.yml --limit webservers
```
Writes `per-host JSON` + `summary.txt` to `/tmp/copy_fail_results/` on the
controller. The play exits non-zero if any host is VULNERABLE.
---
## Known limitations
### Vendor backport false positives
Distro kernels backport fixes without changing the upstream version string.
The probe checks `dpkg`/`rpm` package versions but cannot maintain a live lookup
table of all patched package versions per series. A freshly-patched distro kernel
may still show as VULNERABLE based on version alone โ cross-check with your
vendor tracker and confirm that the module is absent or the mitigation is active.
| Distro | Tracker |
|--------|---------|
| Ubuntu | https://ubuntu.com/security/CVE-2026-31431 |
| Debian | https://security-tracker.debian.org/tracker/CVE-2026-31431 |
| RHEL / Alma / Rocky | https://access.redhat.com/security/cve/CVE-2026-31431 |
| Amazon Linux | https://explore.alas.aws.amazon.com/CVE-2026-31431.html |
| SUSE | https://www.suse.com/security/cve/CVE-2026-31431/ |
### RHEL-family built-in module
On RHEL, AlmaLinux, Rocky Linux and derivatives, `algif_aead` is compiled into
the kernel (`CONFIG_CRYPTO_USER_API_AEAD=y`). **The `modprobe.d` workaround has
no effect.** Only `initcall_blacklist=algif_aead_init` on the kernel cmdline works.
The probe detects this condition and warns explicitly.
Apply via grubby:
```bash
grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
reboot
```
---
## References
- [Copy Fail โ original Xint/Theori write-up](https://xint.io/blog/copy-fail-linux-distributions)
- [CERT-EU Advisory 2026-005](https://cert.europa.eu/publications/security-advisories/2026-005/)
- [Microsoft Defender Blog](https://www.microsoft.com/en-us/security/blog/2026/05/01/cve-2026-31431-copy-fail-vulnerability-enables-linux-root-privilege-escalation/)
- [Sysdig TRT analysis + Falco rule](https://sysdig.com/blog/cve-2026-31431-copy-fail-linux-kernel-flaw-lets-local-users-gain-root-in-seconds)
- [Ubuntu Security Notice](https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available)
- [NVD CVE-2026-31431](https://nvd.nist.gov/vuln/detail/CVE-2026-31431)