Share
## https://sploitus.com/exploit?id=D66B94D7-CC01-5808-BD61-78EFDEE47D5E
# copy-fail-cve-2026-31431

Passive detection tooling and technical documentation for **CVE-2026-31431** ("Copy Fail") โ€” a straight-line Linux LPE and container-escape vulnerability affecting every mainstream Linux distribution shipped since 2017.

> **Passive only.** No exploit code is included. These scripts read kernel version strings, module lists, and configuration โ€” they do not attempt exploitation.

---

## What is Copy Fail?

A logic flaw in the `authencesn` kernel module's in-place optimization (introduced 2017) allows any unprivileged local user to chain `AF_ALG` AEAD sockets + `splice()` into a **4-byte page-cache write** against any setuid binary (e.g. `/usr/bin/su`), yielding a root shell.

- **CVE:** CVE-2026-31431
- **Disclosed:** 2026-04-29 by [Xint Code](https://code.xint.io/)
- **CVSS:** Critical (LPE, container escape)
- **Affected kernels:** 4.11 (2017) โ†’ distro-specific patch incorporating mainline commit `a664bf3d603d`
- **PoC size:** 732 bytes, Python 3.10+ stdlib only
- **Reliability:** 100% โ€” no race window, no kernel offsets required

---

## Repository Layout

```
docs/
  technical-analysis.md     โ€” Root cause, attack chain, affected versions, timeline
  detection-strategies.md   โ€” Passive detection methodology + AI operator prompts

scripts/
  check-host.sh             โ€” Single-host passive vulnerability check
  aws-scan.sh               โ€” AWS CLI passive scan (EC2, EKS, Lambda)
  k8s-scan.sh               โ€” Kubernetes node kernel version scanner
```

An **agent skill** (`copy_fail_scanner.py`) lives in the companion `agents/skills/` directory of the platform repo for AI-assisted analysis.

---

## Quick Start

### Check a single host (run on the target)
```bash
bash scripts/check-host.sh
```

### Scan all EC2 / EKS instances in an AWS account
```bash
# Requires: aws cli v2, SSM agent on instances, appropriate IAM permissions
bash scripts/aws-scan.sh [--region us-east-1] [--profile myprofile]
```

### Scan Kubernetes node pool
```bash
# Requires: kubectl configured with cluster access
bash scripts/k8s-scan.sh [--context my-cluster]
```

---

## Mitigation

**Preferred:** Apply your distro's kernel patch for `a664bf3d603d`.

**Immediate workaround** (does not require reboot):
```bash
echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif.conf
sudo rmmod algif_aead 2>/dev/null || true
```

**Container/untrusted workloads:** Add `AF_ALG` socket creation to seccomp deny-list.

---

## References

- [copy.fail](https://copy.fail/) โ€” official disclosure site
- [Xint Code blog](https://xint.io/blog/copy-fail-linux-distributions) โ€” full root cause write-up
- [GitHub issue tracker](https://github.com/theori-io/copy-fail-CVE-2026-31431)
- [Mainline fix commit](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a664bf3d603d) โ€” `a664bf3d603d`

---

## License

MIT. Use responsibly and only on systems you own or have written authorization to test.