## https://sploitus.com/exploit?id=F74351A7-0BCB-5D5B-9E96-ADA001C0347A
# CVE-2026-31431 LPE PoC (Rust Implementation)
This project is a Proof of Concept (PoC) implemented in Rust for a local privilege escalation (LPE) vulnerability (simulating CVE-2026-31431). It demonstrates how to manipulate the Linux kernel page cache by exploiting the Crypto API.[cite: 1, 2]
> [!CAUTION]
> This code is for educational and ethical security research purposes only. Unauthorized use of this tool against systems without prior explicit consent is illegal. The author assumes no liability for any misuse or damage caused by this program.
## Overview
The tool exploits a vulnerability related to the `AF_ALG` (kernel crypto interface) and the `splice` system call.[cite: 2] It allows an unprivileged user to overwrite 4 bytes of the page cache for a read-only file—specifically targeting the UID field in `/etc/passwd` to temporarily change it to `0000` (root).[cite: 1, 2]
## How It Works
* **Target Identification**: The program parses `main.rs` to find the exact file offset of the current user's UID within `/etc/passwd`.[cite: 1, 2]
* **Page Cache Warming**: It reads the target file to ensure the relevant page is loaded into the kernel page cache.[cite: 2]
* **Memory Manipulation**:
* It initializes a socket using `AF_ALG` with the `authencesn(hmac(sha256),cbc(aes))` algorithm.[cite: 2]
* By carefully crafting the `setsockopt` parameters and using `splice`, it redirects file data through the crypto pipeline.[cite: 2]
* The vulnerability allows the "decryption" process to overwrite the original page cache data with the desired 4 bytes (`0000`).[cite: 2]
* **Privilege Escalation**:
* If the `--shell` flag is provided, it executes `su `, which succeeds because the system now sees the user's UID as `0` in the cached `/etc/passwd`.[cite: 1]
* Otherwise, it evicts the corrupted page cache using `POSIX_FADV_DONTNEED` to restore system integrity.[cite: 1]
## Prerequisites
* **OS**: Linux (specifically versions vulnerable to this Crypto API behavior).
* **Language**: Rust (Edition 2024).[cite: 3]
* **Dependencies**: `libc` and `nix` (with `fs`, `socket`, `zerocopy`, and `user` features).[cite: 3]
## Usage
### Build
```bash
cargo build --release
```
### Execution
**Test page cache patching without spawning a shell:**
```bash
./target/release/cve-2026-31431
```
**Attempt to escalate to a root shell:**
```bash
./target/release/cve-2026-31431 --shell
```
## Project Structure
* `main.rs`: Orchestrates the attack, handles CLI arguments, and executes the final shell command.[cite: 1]
* `modules.rs`: Contains the core exploitation logic, including `AF_ALG` socket manipulation and UID offset searching.[cite: 2]
* `Cargo.toml`: Defines the project metadata and external crate dependencies.[cite: 3]
## Technical References
* **Files involved**: `main.rs`, `modules.rs`, `Cargo.toml`[cite: 1, 2, 3]
* **Key System Calls**: `socket`, `bind`, `sendmsg`, `splice`, `posix_fadvise`.[cite: 1, 2]
```