## https://sploitus.com/exploit?id=EE9C6FA8-1293-5E82-A679-62D645F2AE75
# CVE-2026-31431 "Copy Fail" โ Detection & Patch Scripts
> Linux kernel local privilege escalation via `algif_aead` (AF_ALG).
> CVSS 7.8 HIGH | Disclosed: April 29, 2026 | Affects all Linux kernels since 2017.
---
## โก One-Line Usage
> **Note:** Uses `curl -o` download-then-run syntax for maximum compatibility โ works on all systems including minimal containers, Docker, and VMs where `/dev/fd` is not available.
### Check if you are vulnerable (run as non-root)
```bash
curl -fsSL https://raw.githubusercontent.com/Mrhudson69/cve-2026-31431/main/check_cve_2026_31431.sh -o check.sh && bash check.sh
```
### Patch the kernel only โ safe for production servers (run as root)
```bash
curl -fsSL https://raw.githubusercontent.com/Mrhudson69/cve-2026-31431/main/patch_cve_2026_31431.sh -o patch.sh && sudo bash patch.sh
```
### Patch with scheduled reboot at 2am
```bash
curl -fsSL https://raw.githubusercontent.com/Mrhudson69/cve-2026-31431/main/patch_cve_2026_31431.sh -o patch.sh && sudo bash patch.sh --reboot-at 02:00
```
### Patch and reboot immediately
```bash
curl -fsSL https://raw.githubusercontent.com/Mrhudson69/cve-2026-31431/main/patch_cve_2026_31431.sh -o patch.sh && sudo bash patch.sh --reboot-now
```
### Patch only, no reboot (reboot manually later)
```bash
curl -fsSL https://raw.githubusercontent.com/Mrhudson69/cve-2026-31431/main/patch_cve_2026_31431.sh -o patch.sh && sudo bash patch.sh --no-reboot
```
---
## ๐ What is CVE-2026-31431?
A logical flaw in the Linux kernel's `algif_aead` cryptographic interface allows any unprivileged local user to write 4 controlled bytes into the page cache of any readable file โ including setuid binaries โ to gain root access. The public exploit is a 732-byte Python script using only standard library imports. No compilation, no race condition, no special dependencies.
**Compared to:**
- **Dirty Cow** โ required winning a race condition
- **Dirty Pipe** โ version-specific
- **Copy Fail** โ straight-line logic flaw, deterministic, works on every tested distro
---
## ๐ฅ๏ธ Supported Systems
| OS | Versions | Status |
|---|---|---|
| Ubuntu | 20.04, 22.04, 24.04 | โ Supported |
| Ubuntu | 26.04 | Not affected โ script exits cleanly |
| Debian | 11 (Bullseye), 12 (Bookworm), 13 (Trixie) | โ Supported |
| Proxmox VE | 6.8-pve, 6.14-pve, 6.17-pve kernels | โ Supported |
---
## ๐ Scripts
### `check_cve_2026_31431.sh` โ Detection only (non-root)
Runs 6 read-only checks and gives a clear PASS / FAIL / INCONCLUSIVE verdict.
| Check | What it tests |
|---|---|
| 1 | Is `algif_aead` module loaded? |
| 2 | Is the modprobe blacklist in place? |
| 3 | Is `initcall_blacklist` set in boot params? |
| 4 | **Live AF_ALG socket test** (actual exploit path attempt) |
| 5 | Is Python3 available? |
| 6 | Is CVE in the kernel package changelog? |
**Makes zero changes to the system.**
---
### `patch_cve_2026_31431.sh` โ Kernel-only patch (root)
Surgically upgrades **only the kernel package**. All other packages โ including Elasticsearch, Kibana, Nginx, MySQL, MongoDB, Redis, MSSQL, PostgreSQL, Docker โ are **pinned on hold** and will not be touched.
**What it does, step by step:**
| Section | Action |
|---|---|
| 1 | Detects OS (Ubuntu / Debian / Proxmox) |
| 2 | Checks if already patched โ exits early if safe |
| 3 | Pins critical service packages with `apt-mark hold` |
| 4 | Applies `algif_aead` module blacklist immediately (no reboot needed) |
| 5 | Upgrades kernel package only (`--only-upgrade`) |
| 6 | Verifies CVE patch in package changelog |
| 7 | Confirms all services still running |
| 8 | Interactive reboot scheduling |
**Packages protected from upgrade:**
- Elasticsearch, Kibana, Logstash
- Nginx, Apache
- MySQL, MariaDB, MongoDB, Redis, PostgreSQL
- MSSQL Server
- RabbitMQ, Memcached
- Node.js, PHP, Python3
- Docker
---
## ๐ง Reboot Options
```
--reboot-now Reboot after 60 seconds (can Ctrl+C to cancel)
--reboot-at HH:MM Schedule reboot at specific time (24h format)
--no-reboot No reboot โ apply mitigation only, reboot manually
(no flag) Interactive prompt โ asks you what to do
```
---
## ๐ก๏ธ How the immediate mitigation works
The module blacklist (`/etc/modprobe.d/cve-2026-31431.conf`) blocks `algif_aead` from loading. This closes the exploit path immediately without a reboot. It does **not** affect:
- LUKS / dm-crypt
- IPsec / XFRM
- SSH
- OpenSSL / GnuTLS / NSS
- kTLS
A full kernel update + reboot is still required for the permanent fix.
---
## ๐ Verified Patched Kernel Versions
| Kernel series | Vulnerable up to | Patched at |
|---|---|---|
| Proxmox 6.14-pve | 6.14.11-2-pve | 6.14.11-4-pve โ |
| Proxmox 6.17-pve | 6.17.13-2-pve | pending / kernel 7.0 |
| Linux mainline | all < 7.0-rc7 | 7.0-rc7 (commit a664bf3d) |
| Ubuntu kernels | all < patched USN | check `apt changelog` |
| Debian sid/forky | โ | 6.19.13+ โ |
---
## ๐ Logs
All patch activity is logged to `/var/log/cve_2026_31431_patch.log`
---
## โ ๏ธ Disclaimer
These scripts are provided for **defensive security purposes only**. They perform read-only checks or kernel-only upgrades. No exploit code is included. Always test in a non-production environment first. The authors are not responsible for any system changes โ review the scripts before running.
---
## ๐ License
MIT License โ free to use, modify, and distribute with attribution.
---
## ๐ References
- https://copy.fail/ โ Official disclosure
- https://xint.io/blog/copy-fail-linux-distributions โ Technical write-up
- https://www.tenable.com/blog/copy-fail-cve-2026-31431-frequently-asked-questions-about-linux-kernel-privilege-escalation
- https://ubuntu.com/security/CVE-2026-31431
- https://security-tracker.debian.org/tracker/CVE-2026-31431
- https://git.kernel.org/linus/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5 โ Fix commit