Share
## https://sploitus.com/exploit?id=D4D440A6-5810-5983-B033-FC8382A82096
# Copy Fail (CVE-2026-31431) - Comprehensive Writeup

## 1. Vulnerability Overview
- **Vulnerability Name:** Copy Fail
- **CVE Identifier:** CVE-2026-31431
- **Discovered By / Authors:** Xint Code Research Team (building upon initial foundational research by Theori researcher Taeyang Lee).

"Copy Fail" is a critical logic vulnerability in the Linux kernel's `authencesn` cryptographic template. It allows an unprivileged local user to trigger a deterministic, controlled 4-byte write into the page cache of any readable file on the system. By targeting setuid binaries (such as `/usr/bin/su`), an attacker can edit the in-memory execution cache to escalate privileges to **Root (UID 0)**.

Unlike older vulnerabilities like "Dirty Cow" or "Dirty Pipe," Copy Fail is a straight-line logic flaw that triggers without race conditions, retries, or crash-prone timing windows. It is highly portable and stealthy, as it only modifies the in-memory page cache while leaving the on-disk file completely unchanged, bypassing standard file integrity monitoring tools.

## 2. Root Cause Analysis
The vulnerability exists at the intersection of three distinct kernel components:

1. **AF_ALG & In-Place AEAD:** AF_ALG is a socket type that exposes the kernel's cryptographic subsystem to userspace. In 2017, an optimization was added to perform AEAD operations *in-place*, meaning the same scatterlist serves as both input and output for the crypto algorithm.
2. **The `splice()` System Call:** The `splice()` syscall transfers data between file descriptors and pipes without copying, passing *page cache pages* by reference. When a user splices a file (like `/usr/bin/su`) into an AF_ALG socket, the socket's input scatterlist holds direct references to the kernel's cached pages of that file.
3. **`authencesn` Scratch Write:** The `authencesn` algorithm (used for IPsec Extended Sequence Numbers) requires rearranging bytes. To do this, it temporarily writes 4 bytes of sequence numbers into the output buffer as "scratch space". However, it writes *past* the legitimate output boundary.

Because of the 2017 in-place optimization, the output scatterlist contains the read-only page cache pages passed by `splice()`. When `authencesn` writes past the output boundary, it directly overwrites 4 bytes within the cached kernel memory of the target file.

## 3. Exploitation Mechanism
An attacker can exploit this by following these steps:
1. **Socket Setup:** Open an unprivileged `AF_ALG` socket and bind to `authencesn(hmac(sha256),cbc(aes))`.
2. **Construct the Write:** Send a crafted `sendmsg()` with an Associated Authenticated Data (AAD) payload containing the 4 bytes they wish to write.
3. **Splice Target:** Use `splice()` to pipe the target file (`/usr/bin/su`) into the socket. The offset and length define exactly *where* in the page cache the 4 bytes will be written.
4. **Trigger Decryption:** Calling `recv()` triggers the decrypt operation, executing the out-of-bounds scratch write directly into the target file's page cache.
5. **Execute:** Run the target binary (e.g., `execve("/usr/bin/su")`). The kernel executes the tampered page cache version containing the injected malicious shellcode, granting root access.

## 4. Mitigation and Remediation

### Temporary Workaround
If patching or rebooting the kernel is not immediately possible, you can mitigate this vulnerability by blacklisting all related `af_alg` modules and unloading them from memory.

To block these modules, execute the following commands:

```bash
# 1. Unload the modules from memory if they are currently loaded
sudo modprobe -r algif_hash algif_skcipher algif_aead algif_rng af_alg

# 2. Add the modules to the blacklist
echo -e "blacklist af_alg\nblacklist algif_hash\nblacklist algif_skcipher\nblacklist algif_aead\nblacklist algif_rng" | sudo tee /etc/modprobe.d/stop-exploit.conf

# 3. Prevent the af_alg module from being loaded completely
echo "install af_alg /bin/true" | sudo tee -a /etc/modprobe.d/stop-exploit.conf

# 4. Reboot the system to ensure the changes take full effect
sudo reboot
```

### Permanent Fix
The Linux kernel security team has patched this vulnerability (Commit: `a664bf3d603d`). The patch reverts the AF_ALG AEAD operations to an out-of-place model, separating the source and destination scatterlists. This prevents the page cache pages from being exposed to the writable destination scatterlist.

**Action Required:** Update your distribution's kernel to the latest version provided by your vendor (Ubuntu, Amazon Linux, RHEL, SUSE, etc.) and reboot your system.