## https://sploitus.com/exploit?id=D66B94D7-CC01-5808-BD61-78EFDEE47D5E
# copy-fail-cve-2026-31431
Passive detection tooling and technical documentation for **CVE-2026-31431** ("Copy Fail") โ a straight-line Linux LPE and container-escape vulnerability affecting every mainstream Linux distribution shipped since 2017.
> **Passive only.** No exploit code is included. These scripts read kernel version strings, module lists, and configuration โ they do not attempt exploitation.
---
## What is Copy Fail?
A logic flaw in the `authencesn` kernel module's in-place optimization (introduced 2017) allows any unprivileged local user to chain `AF_ALG` AEAD sockets + `splice()` into a **4-byte page-cache write** against any setuid binary (e.g. `/usr/bin/su`), yielding a root shell.
- **CVE:** CVE-2026-31431
- **Disclosed:** 2026-04-29 by [Xint Code](https://code.xint.io/)
- **CVSS:** Critical (LPE, container escape)
- **Affected kernels:** 4.11 (2017) โ distro-specific patch incorporating mainline commit `a664bf3d603d`
- **PoC size:** 732 bytes, Python 3.10+ stdlib only
- **Reliability:** 100% โ no race window, no kernel offsets required
---
## Repository Layout
```
docs/
technical-analysis.md โ Root cause, attack chain, affected versions, timeline
detection-strategies.md โ Passive detection methodology + AI operator prompts
scripts/
check-host.sh โ Single-host passive vulnerability check
aws-scan.sh โ AWS CLI passive scan (EC2, EKS, Lambda)
k8s-scan.sh โ Kubernetes node kernel version scanner
```
An **agent skill** (`copy_fail_scanner.py`) lives in the companion `agents/skills/` directory of the platform repo for AI-assisted analysis.
---
## Quick Start
### Check a single host (run on the target)
```bash
bash scripts/check-host.sh
```
### Scan all EC2 / EKS instances in an AWS account
```bash
# Requires: aws cli v2, SSM agent on instances, appropriate IAM permissions
bash scripts/aws-scan.sh [--region us-east-1] [--profile myprofile]
```
### Scan Kubernetes node pool
```bash
# Requires: kubectl configured with cluster access
bash scripts/k8s-scan.sh [--context my-cluster]
```
---
## Mitigation
**Preferred:** Apply your distro's kernel patch for `a664bf3d603d`.
**Immediate workaround** (does not require reboot):
```bash
echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif.conf
sudo rmmod algif_aead 2>/dev/null || true
```
**Container/untrusted workloads:** Add `AF_ALG` socket creation to seccomp deny-list.
---
## References
- [copy.fail](https://copy.fail/) โ official disclosure site
- [Xint Code blog](https://xint.io/blog/copy-fail-linux-distributions) โ full root cause write-up
- [GitHub issue tracker](https://github.com/theori-io/copy-fail-CVE-2026-31431)
- [Mainline fix commit](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a664bf3d603d) โ `a664bf3d603d`
---
## License
MIT. Use responsibly and only on systems you own or have written authorization to test.