Share
## https://sploitus.com/exploit?id=ED1B33D4-D755-5DD7-9273-4ECFCBEEA8FC
# CVE-2026-31431 (Copy Fail) Vulnerability Detection Script



## Vulnerability Overview
**CVE-2026-31431 (Copy Fail)** is a Linux kernel local privilege escalation vulnerability. It exploits the **AF_ALG** socket (address family 38) along with the **splice()** zero-copy system call to bypass file write permission and modify the page cache. This allows unauthorized SUID binary files to be modified, thereby gaining root privileges. ### Attack Chain
```
socket(AF_ALG, SOCK_SEQPACKET, 0) # Create an AF_ALG socket
-> bind(authencesn(hmac(sha256),cbc(aes))) # Bind the AEAD encryption template
-> sendmsg(AEAD operation) # Trigger the kernel encryption path
-> splice(-> target file) # Zero-copy writing, bypassing permission checks
-> Modify SUID files like /usr/bin/su # Elevate privileges to root
```
### Affected Kernel Versions
| Kernel Branch | Affected Versions | Fixed Versions |
|--------------|-------------------|---------------|
| mainline / 6.19.x | = 6.19.12 | |
| 6.18.x (stable) | = 6.18.22 | |
| 6.12.x (LTS) | = 6.12.23 | |
| 6.6.x (LTS) | = 6.6.87 | |
| 6.1.x (LTS) | = 6.1.130 | |
| 4.14 ~ = 7.0** | **Fixed** | - |
## Script Functions
- **Vulnerability Detection**: Kernel version determination + algif_aead state analysis + mitigation measures check
- **Intrusion Investigation**: SUID page cache comparison + module loading history + Shell history scan + system file integrity + log audit + container detection
- **Fixing Recommendations**: Three defense methods (modprobe.d / initcall_blacklist / kernel upgrade), with specific commands for each distribution
- **Emergency Response**: Automatically outputs a complete emergency procedure when intrusion signs are detected
## Quick Usage
```bash
# Download the script
wget https://raw.githubusercontent.com/tangjie1/CVE-2026-31431-Check/main/cve-2026-31431-check.sh
# Give execute permissions and run (requires root)
chmod +x cve-2026-31431-check.sh
sudo ./cve-2026-31431-check.sh
# Non-interactive mode (suitable for automation/CI)
sudo ./cve-2026-31431-check.sh --non-interactive
```
## Explanation of Detection Items
### Part 1: Vulnerability Detection [1/3]
| No. | Detection Content | Description |
|----|------------------|------------|
| [1.0] | Affected Version Range | Shows the affected/fixed versions for each branch |
| [1.1] | Kernel Versions | Compared with known affected versions and fixed baselines |
| [1.2] | algif_aead Module Status | Four states: Built-in / Loaded / Available for selective loading / Not Available |
| [1.3] | authencesn Encryption Template | Whether available in /proc/crypto |
| [1.4] | Mitigation Measures | initcall_blacklist + modprobe.d blacklist |
| [1.5] | Comprehensive Judgment | Multi-factor cross-checking for safe/medium/high/critical conclusions |
### Part 2: Intrusion Investigation [2/3]
| No. | Detection Content | Description |
|----|------------------|------------|
| [2.1] | SUID Page Cache Detection | dd direct I/O vs cache hash comparison |
| [2.2] | Module Loading History | dmesg + lsmod loading duration |
| [2.3] | Shell History Scan | Keyword matching in all user’s .bash_history |
| [2.4] | System File Detection | UID=0 abnormal users / passwd & SUID modification times |
| [2.5] | Temporary Directory Scan | /tmp /var/tmp /dev/shm recent 24h suspicious files |
| [2.6] | System Log Audit | su failure records + sudo vulnerability keywords |
| [2.7] | Container Escape Detection | Docker environment + seccomp + /proc/1/root |
### Part 3: Fixing Recommendations [3/3]
| Method | Principle | Requires Restart? | Applicable Scenarios |
|----|----------|-------------|---------------------|
| Method 1 | modprobe.d blacklist + rmmod | No | CONFIG=m (module mode) |
| Method 2 | kernel parameter initcall_blacklist | Yes | CONFIG=y (built-in mode) or deep defense |
| Method 3 | Upgrade kernel to secure version | Yes | Permanent fix (recommended) |
## Compatible Systems
Ubuntu / Debian / Kali / CentOS / RHEL / Rocky / AlmaLinux / Fedora / openSUSE / Arch Linux / Alpine Linux
## License
MIT License
## Disclaimer
This tool is used solely for security research and authorized penetration testing. Users must ensure compliance with local laws and use it on systems that have been properly authorized. The developer does not assume responsibility for any unauthorized use.