Share
## https://sploitus.com/exploit?id=EE9C6FA8-1293-5E82-A679-62D645F2AE75
# CVE-2026-31431 "Copy Fail" โ€” Detection & Patch Scripts

> Linux kernel local privilege escalation via `algif_aead` (AF_ALG).  
> CVSS 7.8 HIGH | Disclosed: April 29, 2026 | Affects all Linux kernels since 2017.

---

## โšก One-Line Usage

> **Note:** Uses `curl -o` download-then-run syntax for maximum compatibility โ€” works on all systems including minimal containers, Docker, and VMs where `/dev/fd` is not available.

### Check if you are vulnerable (run as non-root)
```bash
curl -fsSL https://raw.githubusercontent.com/Mrhudson69/cve-2026-31431/main/check_cve_2026_31431.sh -o check.sh && bash check.sh
```

### Patch the kernel only โ€” safe for production servers (run as root)
```bash
curl -fsSL https://raw.githubusercontent.com/Mrhudson69/cve-2026-31431/main/patch_cve_2026_31431.sh -o patch.sh && sudo bash patch.sh
```

### Patch with scheduled reboot at 2am
```bash
curl -fsSL https://raw.githubusercontent.com/Mrhudson69/cve-2026-31431/main/patch_cve_2026_31431.sh -o patch.sh && sudo bash patch.sh --reboot-at 02:00
```

### Patch and reboot immediately
```bash
curl -fsSL https://raw.githubusercontent.com/Mrhudson69/cve-2026-31431/main/patch_cve_2026_31431.sh -o patch.sh && sudo bash patch.sh --reboot-now
```

### Patch only, no reboot (reboot manually later)
```bash
curl -fsSL https://raw.githubusercontent.com/Mrhudson69/cve-2026-31431/main/patch_cve_2026_31431.sh -o patch.sh && sudo bash patch.sh --no-reboot
```

---

## ๐Ÿ“‹ What is CVE-2026-31431?

A logical flaw in the Linux kernel's `algif_aead` cryptographic interface allows any unprivileged local user to write 4 controlled bytes into the page cache of any readable file โ€” including setuid binaries โ€” to gain root access. The public exploit is a 732-byte Python script using only standard library imports. No compilation, no race condition, no special dependencies.

**Compared to:**
- **Dirty Cow** โ€” required winning a race condition
- **Dirty Pipe** โ€” version-specific
- **Copy Fail** โ€” straight-line logic flaw, deterministic, works on every tested distro

---

## ๐Ÿ–ฅ๏ธ Supported Systems

| OS | Versions | Status |
|---|---|---|
| Ubuntu | 20.04, 22.04, 24.04 | โœ… Supported |
| Ubuntu | 26.04 | Not affected โ€” script exits cleanly |
| Debian | 11 (Bullseye), 12 (Bookworm), 13 (Trixie) | โœ… Supported |
| Proxmox VE | 6.8-pve, 6.14-pve, 6.17-pve kernels | โœ… Supported |

---

## ๐Ÿ“ Scripts

### `check_cve_2026_31431.sh` โ€” Detection only (non-root)

Runs 6 read-only checks and gives a clear PASS / FAIL / INCONCLUSIVE verdict.

| Check | What it tests |
|---|---|
| 1 | Is `algif_aead` module loaded? |
| 2 | Is the modprobe blacklist in place? |
| 3 | Is `initcall_blacklist` set in boot params? |
| 4 | **Live AF_ALG socket test** (actual exploit path attempt) |
| 5 | Is Python3 available? |
| 6 | Is CVE in the kernel package changelog? |

**Makes zero changes to the system.**

---

### `patch_cve_2026_31431.sh` โ€” Kernel-only patch (root)

Surgically upgrades **only the kernel package**. All other packages โ€” including Elasticsearch, Kibana, Nginx, MySQL, MongoDB, Redis, MSSQL, PostgreSQL, Docker โ€” are **pinned on hold** and will not be touched.

**What it does, step by step:**

| Section | Action |
|---|---|
| 1 | Detects OS (Ubuntu / Debian / Proxmox) |
| 2 | Checks if already patched โ€” exits early if safe |
| 3 | Pins critical service packages with `apt-mark hold` |
| 4 | Applies `algif_aead` module blacklist immediately (no reboot needed) |
| 5 | Upgrades kernel package only (`--only-upgrade`) |
| 6 | Verifies CVE patch in package changelog |
| 7 | Confirms all services still running |
| 8 | Interactive reboot scheduling |

**Packages protected from upgrade:**
- Elasticsearch, Kibana, Logstash
- Nginx, Apache
- MySQL, MariaDB, MongoDB, Redis, PostgreSQL
- MSSQL Server
- RabbitMQ, Memcached
- Node.js, PHP, Python3
- Docker

---

## ๐Ÿ”ง Reboot Options

```
--reboot-now        Reboot after 60 seconds (can Ctrl+C to cancel)
--reboot-at HH:MM   Schedule reboot at specific time (24h format)
--no-reboot         No reboot โ€” apply mitigation only, reboot manually
(no flag)           Interactive prompt โ€” asks you what to do
```

---

## ๐Ÿ›ก๏ธ How the immediate mitigation works

The module blacklist (`/etc/modprobe.d/cve-2026-31431.conf`) blocks `algif_aead` from loading. This closes the exploit path immediately without a reboot. It does **not** affect:
- LUKS / dm-crypt
- IPsec / XFRM
- SSH
- OpenSSL / GnuTLS / NSS
- kTLS

A full kernel update + reboot is still required for the permanent fix.

---

## ๐Ÿ“Š Verified Patched Kernel Versions

| Kernel series | Vulnerable up to | Patched at |
|---|---|---|
| Proxmox 6.14-pve | 6.14.11-2-pve | 6.14.11-4-pve โœ… |
| Proxmox 6.17-pve | 6.17.13-2-pve | pending / kernel 7.0 |
| Linux mainline | all < 7.0-rc7 | 7.0-rc7 (commit a664bf3d) |
| Ubuntu kernels | all < patched USN | check `apt changelog` |
| Debian sid/forky | โ€” | 6.19.13+ โœ… |

---

## ๐Ÿ“ Logs

All patch activity is logged to `/var/log/cve_2026_31431_patch.log`

---

## โš ๏ธ Disclaimer

These scripts are provided for **defensive security purposes only**. They perform read-only checks or kernel-only upgrades. No exploit code is included. Always test in a non-production environment first. The authors are not responsible for any system changes โ€” review the scripts before running.

---

## ๐Ÿ“œ License

MIT License โ€” free to use, modify, and distribute with attribution.

---

## ๐Ÿ”— References

- https://copy.fail/ โ€” Official disclosure
- https://xint.io/blog/copy-fail-linux-distributions โ€” Technical write-up
- https://www.tenable.com/blog/copy-fail-cve-2026-31431-frequently-asked-questions-about-linux-kernel-privilege-escalation
- https://ubuntu.com/security/CVE-2026-31431
- https://security-tracker.debian.org/tracker/CVE-2026-31431
- https://git.kernel.org/linus/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5 โ€” Fix commit