Share
## https://sploitus.com/exploit?id=C997D6D5-BF2D-5877-B1C8-4D197BCC17E0
# CVE-2026-31431 "Copy Fail" โ€” Safe Probe Suite

[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
[![CVE](https://img.shields.io/badge/CVE-2026--31431-red)](https://xint.io/blog/copy-fail-linux-distributions)
[![CVSS](https://img.shields.io/badge/CVSS-7.8%20HIGH-orange)](https://nvd.nist.gov/vuln/detail/CVE-2026-31431)
![Shell](https://img.shields.io/badge/shell-bash-89e051)

Safe detection tooling for **CVE-2026-31431 "Copy Fail"** โ€” a local privilege
escalation in the Linux kernel's `algif_aead` module affecting all major
distributions since 2017.

> **This probe opens no `AF_ALG` sockets and performs no crypto operations.**  
> It reads only: `uname -r`, `/proc/cmdline`, `/sys/module/`, `/lib/modules/*/modules.builtin`, `/etc/modprobe.d/`, and distro package metadata.

---

## Background

The exploit requires this exact syscall chain:

```
socket(AF_ALG, SOCK_SEQPACKET, 0)
bind(fd, {alg_type="aead", alg_name="authencesn(hmac(sha256),cbc(aes))"})
accept(fd, ...)
splice(suid_binary_fd, op_fd)   โ† page cache fed into crypto subsystem
sendmsg / recvmsg               โ† 4-byte scratch write lands in page cache
```

None of these are touched by the probe. Detection is based purely on:

1. **Kernel version range** โ€” regression introduced in 4.14 (2017), fixed in 6.18.22 / 6.19.12 / 6.20+
2. **Distro package version** โ€” detects vendor backports via `dpkg`/`rpm`
3. **Module state** โ€” loaded, absent, or built-in
4. **Active mitigations** โ€” `modprobe.d` blacklist and `initcall_blacklist` kernel cmdline flag

---

## Files

```
.
โ”œโ”€โ”€ cve-2026-31431-check.sh          Core probe (all output modes)
โ”œโ”€โ”€ copy_fail_userparameter.conf     Zabbix agent UserParameter config
โ”œโ”€โ”€ zabbix_template_copy_fail.yaml   Zabbix 6.4 template (import via GUI/API)
โ”œโ”€โ”€ copy_fail_auditd.rules           auditd behavioral detection rules
โ”œโ”€โ”€ wazuh_sca/
โ”‚   โ””โ”€โ”€ copy_fail_sca.yml            Wazuh SCA compliance policy
โ””โ”€โ”€ ansible/
    โ””โ”€โ”€ copy_fall_scan.yml           Fleet-wide Ansible scan playbook
```

---

## Quick start

```bash
chmod +x cve-2026-31431-check.sh

./cve-2026-31431-check.sh           # human-readable
./cve-2026-31431-check.sh --json    # machine-readable
./cve-2026-31431-check.sh --nagios  # Nagios/Icinga/NRPE
./cve-2026-31431-check.sh --zabbix  # integer 0/1/2 for Zabbix item
```

**Exit codes:** `0` = PATCHED or MITIGATED ยท `1` = VULNERABLE ยท `2` = UNKNOWN

### Example output

```
โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
  CVE-2026-31431 (Copy Fail) โ€” Vulnerability Probe
โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
  Host        : webserver01.hevra.haifa.ac.il
  Kernel      : 6.8.0-60-generic
  Distro      : ubuntu 24.04

  โ”€โ”€ Kernel version โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
  Status      : vulnerable
  Note        : In vulnerable range (4.14โ€“6.17); check distro package

  โ”€โ”€ Package (vendor backport check) โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
  Check       : found
  Version     : 6.8.0-60.63
  Note        : compare to Ubuntu USN for your series

  โ”€โ”€ Module / mitigation status โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
  Built-in    : false
  Absent      : true
  modprobe.d  : true
  cmdline mit : false
  Effective   : true
  Mit. note   : modprobe.d blacklist present and module not loaded

  โ”€โ”€ Verdict โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
  MITIGATED    modprobe.d blacklist present and module not loaded
โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
```

---

## Zabbix

```bash
# On each monitored host:
mkdir -p /etc/zabbix/scripts
install -m 750 -o zabbix -g zabbix \
    cve-2026-31431-check.sh /etc/zabbix/scripts/

cp copy_fail_userparameter.conf /etc/zabbix/zabbix_agentd.d/
systemctl restart zabbix-agent   # or zabbix-agent2

# Test as the zabbix user:
sudo -u zabbix /etc/zabbix/scripts/cve-2026-31431-check.sh
```

Import `zabbix_template_copy_fail.yaml` via **Configuration โ†’ Templates โ†’ Import**.

The template provides:
- Item `copy_fail.status` (integer, checked hourly) โ€” `0`=safe ยท `1`=vulnerable ยท `2`=unknown
- Item `copy_fail.detail` (string) โ€” human-readable verdict
- **HIGH trigger** when status = 1
- **WARNING trigger** when status = 2

The script needs no `sudo` โ€” every file it reads is world-readable.

---

## Nagios / Icinga / CheckMK / NRPE

```bash
install -m 755 cve-2026-31431-check.sh /usr/lib/nagios/plugins/

# NRPE โ€” add to /etc/nagios/nrpe.cfg:
command[check_copy_fail]=/usr/lib/nagios/plugins/cve-2026-31431-check.sh --nagios

# CheckMK local check โ€” /usr/lib/check_mk_agent/local/copy_fail:
#!/bin/bash
OUT=$(/usr/lib/nagios/plugins/cve-2026-31431-check.sh --nagios)
RC=$?
echo "$RC CVE-2026-31431 - $OUT"
```

---

## auditd โ€” behavioral / runtime detection

Detects an **active exploit attempt** in progress, complementing the static probe.

```bash
cp copy_fail_auditd.rules /etc/audit/rules.d/
augenrules --load

# Watch for unexpected AF_ALG callers:
ausearch -k copy_fail_af_alg --interpret | \
    grep -v -E 'cryptsetup|veritysetup|systemd-crypt|kcapi'
```

Wazuh rule stubs (level 13 / 15) are embedded in the `.rules` file comments.

---

## Wazuh SCA

```bash
cp wazuh_sca/copy_fail_sca.yml /var/ossec/etc/shared/default/
/var/ossec/bin/agent_control -r -a   # force rescan
```

Results: **Security โ†’ SCA โ†’ Filter by policy `cve_2026_31431_copy_fail`**

---

## Ansible โ€” fleet scan

```bash
ansible-playbook -i inventory/hosts ansible/copy_fall_scan.yml
# or limit to a subset:
ansible-playbook -i inventory/hosts ansible/copy_fall_scan.yml --limit webservers
```

Writes `per-host JSON` + `summary.txt` to `/tmp/copy_fail_results/` on the
controller. The play exits non-zero if any host is VULNERABLE.

---

## Known limitations

### Vendor backport false positives
Distro kernels backport fixes without changing the upstream version string.
The probe checks `dpkg`/`rpm` package versions but cannot maintain a live lookup
table of all patched package versions per series. A freshly-patched distro kernel
may still show as VULNERABLE based on version alone โ€” cross-check with your
vendor tracker and confirm that the module is absent or the mitigation is active.

| Distro | Tracker |
|--------|---------|
| Ubuntu | https://ubuntu.com/security/CVE-2026-31431 |
| Debian | https://security-tracker.debian.org/tracker/CVE-2026-31431 |
| RHEL / Alma / Rocky | https://access.redhat.com/security/cve/CVE-2026-31431 |
| Amazon Linux | https://explore.alas.aws.amazon.com/CVE-2026-31431.html |
| SUSE | https://www.suse.com/security/cve/CVE-2026-31431/ |

### RHEL-family built-in module
On RHEL, AlmaLinux, Rocky Linux and derivatives, `algif_aead` is compiled into
the kernel (`CONFIG_CRYPTO_USER_API_AEAD=y`). **The `modprobe.d` workaround has
no effect.** Only `initcall_blacklist=algif_aead_init` on the kernel cmdline works.
The probe detects this condition and warns explicitly.

Apply via grubby:
```bash
grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
reboot
```

---

## References

- [Copy Fail โ€” original Xint/Theori write-up](https://xint.io/blog/copy-fail-linux-distributions)
- [CERT-EU Advisory 2026-005](https://cert.europa.eu/publications/security-advisories/2026-005/)
- [Microsoft Defender Blog](https://www.microsoft.com/en-us/security/blog/2026/05/01/cve-2026-31431-copy-fail-vulnerability-enables-linux-root-privilege-escalation/)
- [Sysdig TRT analysis + Falco rule](https://sysdig.com/blog/cve-2026-31431-copy-fail-linux-kernel-flaw-lets-local-users-gain-root-in-seconds)
- [Ubuntu Security Notice](https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available)
- [NVD CVE-2026-31431](https://nvd.nist.gov/vuln/detail/CVE-2026-31431)