Share
## https://sploitus.com/exploit?id=F55719A2-6372-5768-9FB8-72F27C0FE545
# copyfailRecurrence
# Copy Fail (CVE-2026-31431) β Kernel Vulnerability Replay Environment
>This project provides a complete environment for reproducing and debugging kernel vulnerabilities, specifically related to Copy Fail (CVE-2026-31431). It supports dynamic debugging using QEMU + GDB. ---
# π Vulnerability Overview
Copy Fail (CVE-2026-31431) is a local privilege escalation vulnerability in the Linux kernel:
- Affected versions: Linux 4.14 to 6.18 (before fixes)
- Exploitation method: From ordinary user to root
- Type: Logical vulnerability (not a race condition)
- Module affected: `algif_aead` (AF_ALG interface)`
---
# π§ Why Choose 6.6.1?
This project uses Linux **6.6.1**:
- β Part of the 6.6 LTS branch
- β Within the scope of the vulnerabilityβs impact
- β Has the fewest patches, resulting in faster compilation times
- β Cleanest debugging paths
Linux 6.6.1 is an early stable version of the 6.6 series, officially released and maintained by the community. :contentReference[oaicite:0]{index=0}
---
# π§° I. Environmental Requirements
Recommended:
- Ubuntu 20.04 / 22.04 / 24.04 (physical or virtual machine)
- x86_64 CPU
- KVM support
Check availability of `/dev/kvm`:
```bash
ls /dev/kvm
```
---
# π¦ II. Install Dependencies
```bash
sudo apt update
sudo apt install -y build-essential flex bison libncurses-dev libssl-dev libelf-dev qemu-system-x86 qemu-utils wget cpio gdb curl
```
---
# π III. Working Directory
```bash
mkdir -p ~/copyfail-lab
cd ~/copyfail-lab
```
---
# π₯ IV. Download Kernel Source Code from Two Sources
## π Official Source (Recommended)
```bash
wget https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.6.1.tar.xz
```
## π¨π³ Tuna Mirror (Faster in China)
```bash
wget https://mirrors.tuna.tsinghua.edu.cn/kernel/v6.x/linux-6.6.1.tar.xz
```
---
## Unzip the File
```bash
tar -xf linux-6.6.1.tar.xz
cd linux-6.6.1
```
---
# βοΈ V. Configure the Kernel
```bash
make defconfig
make menuconfig
```
---
## Features to Enable:
| Feature | Options |
|---------------|-------------------------------|
| initramfs | `CONFIG_BLK_DEV_INITRD=y` |
| RAM Disk | `CONFIG_BLK_DEV_RAM=y` |
| devtmpfs | `CONFIG_DEVTMPFS=y` |
| Debug Symbols | `CONFIG_DEBUG_INFO=y` |
| Vulnerability Module | `CONFIG_CRYPTO_USER_API_AEAD=y` |
| User Interface | `CONFIG_CRYPTO_USER_API=y` |
---
## Features to Disable:
```bash
CONFIG_RANDOMIZE_BASE=n
```
Or during runtime:
```bash
nokaslr
```
---
# π§ VI. Compile the Kernel
```bash
make olddefconfig
make -j$(nproc)
```
---
## Output Files:
* `vmlinux` (for GDB use)
* `bzImage` (for QEMU booting)
---
# π¦ VII. Build the Rootfs (BusyBox)
## Download
```bash
cd ~/copyfail-lab
wget https://busybox.net/downloads/busybox-1.37.0.tar.bz2
tar -xf busybox-1.37.0.tar.bz2
cd busybox-1.37.0
make menuconfig
```
## Compile
```bash
make -j$(nproc)
make install
```
---
## Initialize the Rootfs
```bash
cd _install
mkdir -p proc sys dev etc/init.d
ln -sf bin/busybox init
```
---
## Device Nodes
```bash
sudo mknod -m 666 dev/console c 5 1
sudo mknod -m 666 dev/null c 1 3
```
---
## Boot Script
```bash
cat > etc/init.d/rcS rootfs.cpio.gz
```
---
# π VIII. Start QEMU
## Create Script
```bash
cd ~/copyfail-lab/linux-6.6.1
cat > run.sh busybox
chmod 600 run.sh
```
---
## Issues with GDB Breakpoints
Solution:
```gdb
hbreak
```
---
## Slow Compilation
Optimization tips:
- Use `-j$(nproc)`
- Simplify configuration
- Disable DEBUG_INFO if not debugging