## https://sploitus.com/exploit?id=EDE231EF-A724-5260-A469-24666E74A2EF
# CVE-2026-31431 Exploit Toolkit
A comprehensive toolkit for detecting and exploiting the Linux kernel page cache corruption vulnerability in the `algif_aead` crypto subsystem.
## โ ๏ธ Legal Notice
**For authorized testing only.** Use only on systems you own or have explicit permission to test. This toolkit performs real privilege escalation and unauthorized use may violate local laws.
## ๐ฏ Vulnerability Overview
The CVE-2026-31431 vulnerability stems from a design flaw in the Linux kernel's crypto API where AEAD (Authenticated Encryption with Associated Data) operations run in-place. When data is spliced from a file into a crypto operation, the kernel's page cache pages become writable, allowing an attacker to corrupt memory-mapped file contents without touching the actual files on disk.
**Technical Details:**
- **Affected Component**: `algif_aead` with `authencesn(hmac(sha256),cbc(aes))` algorithm
- **Attack Vector**: Local privilege escalation via page cache corruption
- **Impact**: Unprivileged users can gain root access
- **Persistence**: Changes are in-memory only; cleared on reboot
## ๐ Toolkit Components
| Script | Purpose | Risk Level |
|--------|---------|------------|
| `test_cve_2026_31431.py` | Vulnerability detection (safe) | ๐ข Low |
| `exploit_cve_2026_31431.py` | Privilege escalation exploit | ๐ด High |
Both tools require Python 3.10+ and use only standard library modules.
## ๐ Quick Start
```bash
# Step 1: Check if system is vulnerable
python3 test_cve_2026_31431.py
# Step 2: If vulnerable, gain root access
python3 exploit_cve_2026_31431.py --shell
```
**Exit Codes:**
- `0` = Not vulnerable / test passed
- `1` = Error during testing
- `2` = System is vulnerable
## ๐ Vulnerability Detection
The detector performs a safe, non-destructive test:
1. **System Check**: Verifies `AF_ALG` socket availability and crypto algorithm support
2. **Test Environment**: Creates temporary file with known data pattern
3. **Exploit Attempt**: Triggers the page cache corruption vulnerability
4. **Analysis**: Checks if our marker bytes appeared in the cached file data
```bash
python3 test_cve_2026_31431.py
```
**Possible Results:**
- โ `System requirements not met` - Kernel is patched or lacks required features
- โ ๏ธ `SYSTEM VULNERABLE` - Vulnerability confirmed, exploit possible
- โ ๏ธ `Page cache corruption detected` - Partial vulnerability, still exploitable
- โ `No page cache corruption detected` - System is secure
## ๐ป Privilege Escalation
The exploit targets `/etc/passwd` to modify a user's UID field in memory:
```bash
# Test mode (no shell)
python3 exploit_cve_2026_31431.py
# Full exploit (gets root shell)
python3 exploit_cve_2026_31431.py --shell
```
**Exploit Process:**
1. **Target Selection**: Finds current user's UID field in `/etc/passwd`
2. **Memory Corruption**: Changes UID to "0000" in page cache only
3. **Verification**: Confirms system libraries see UID 0
4. **Privilege Escalation**: Uses `su` with user's real password to get root shell
**Requirements:**
- User must have 4-digit UID (1000-9999)
- No NSS caching daemon masking `/etc/passwd` reads
- Sufficient memory to keep page cache active
## ๐ก๏ธ System Recovery
The exploit only modifies kernel memory, not disk files. To restore normal operation:
### Automatic Recovery (Test Mode)
The detector automatically cleans up page cache on exit.
### Manual Recovery
```bash
# Method 1: Clear page cache (requires root)
echo 3 > /proc/sys/vm/drop_caches
# Method 2: Evict specific file (unprivileged)
python3 -c "
import os
fd = os.open('/etc/passwd', os.O_RDONLY)
os.posix_fadvise(fd, 0, 0, os.POSIX_FADV_DONTNEED)
os.close(fd)
"
# Method 3: Reboot system
sudo reboot
```
## ๐ง Mitigation Strategies
### Temporary Mitigation
Disable the vulnerable crypto module:
```bash
# Block module loading
echo 'install algif_aead /bin/false' | sudo tee /etc/modprobe.d/disable-algif-aead.conf
# Unload if already loaded
sudo rmmod algif_aead 2>/dev/null
```
### Permanent Fix
Update to a kernel version that includes the upstream security patch. The fix changes AEAD operations to run out-of-place, preventing page cache pages from becoming writable.
## ๐ฏ Affected Systems
**Confirmed Vulnerable:**
- Ubuntu 24.04 LTS
- Amazon Linux 2023
- RHEL 9.3
- SUSE Linux Enterprise 15
**Likely Affected:**
- Any system with kernel containing commit `72548b093ee3` (2017+) without the revert
- Most modern Linux distributions with default crypto modules
**Check Your System:**
```bash
uname -r
python3 test_cve_2026_31431.py
```
## ๐ฌ Technical Deep Dive
### The `write4` Primitive
The core exploit technique writes exactly 4 bytes to any readable file's page cache:
```
1. sendmsg([AAD_data], control_messages, MSG_MORE)
2. splice(file_fd, pipe_fd, 32, offset_src=target_offset)
3. splice(pipe_fd, crypto_fd, 32)
4. recv(crypto_fd) # Triggers vulnerability
```
**Key Points:**
- AAD bytes 4-7 (sequence number) get copied to destination
- Destination = page cache page from splice operation
- Offset within page matches splice offset
- Only 4 bytes can be written per operation
### Attack Surface Analysis
The vulnerability affects any world-readable file that system processes read:
- `/etc/passwd` - User database (primary target)
- `/usr/bin/su` - Setuid binary (alternative target)
- Configuration files read by privileged processes
- Library files loaded by system services
## ๐ License
This project is provided for educational and authorized security testing purposes. Users are responsible for complying with applicable laws and regulations.
---
**โ ๏ธ Remember**: With great power comes great responsibility. Use these tools ethically and only on systems you're authorized to test.