## https://sploitus.com/exploit?id=F8CFB5E6-6897-57F0-A9F4-FAC386382911
# Copy Fail - CVE-2026-31431
This repository contains a small Linux local privilege escalation PoC for
CVE-2026-31431, also known as "Copy Fail".
The exploit targets the Linux kernel `algif_aead` path in the AF_ALG userspace
crypto API. It uses `AF_ALG` plus `splice()` to coerce the kernel into writing
into the page cache of `/usr/bin/su` in 4-byte chunks, then executes `su` after
the page cache has been modified.
## Source Code Overview
The PoC in [`copy_fail_exp.py`](./copy_fail_exp.py) does four things:
1. Opens an `AF_ALG` socket for `aead` with the transform
`authencesn(hmac(sha256),cbc(aes))`.
2. Configures the request with the same `setsockopt()` values used in the
original proof of concept.
3. Uses two `splice()` calls to move data from the target file into the AF_ALG
request path, which is the buggy kernel path.
4. Decompresses a 160-byte embedded payload and writes it into the target file
in 4-byte chunks. The payload is an ELF stub that includes `/bin/sh`.
The `zlib` blob is not random data. It is a compact payload that is meant to
replace the start of `/usr/bin/su` in page cache so the next execution of `su`
spawns a root shell.
## Affected Versions
The vulnerable code was introduced in Linux kernel 4.14-era `algif_aead`
changes and remained present until the upstream fix that reverts the in-place
optimization.
### Broad Scope
- Linux kernels built from 2017 onward that include the vulnerable
`algif_aead` in-place path.
- Most mainstream distributions that shipped kernels in that window and did not
yet backport the fix.
- Systems where the `AF_ALG` crypto API is enabled, which is the default on
most general-purpose Linux distributions.
### Tested / Verified Publicly
| Distribution | Kernel |
| --- | --- |
| Ubuntu 24.04 LTS | `6.17.0-1007-aws` |
| Amazon Linux 2023 | `6.18.8-9.213.amzn2023` |
| RHEL 10.1 | `6.12.0-124.45.1.el10_1` |
| SUSE 16 | `6.12.0-160000.9-default` |
### Upstream Fixed Points
- `6.18.22`
- `6.19.12`
- `7.0`
Downstream LTS branches are safe only after the vendor backport lands in the
kernel package you actually run.
## Reproduction
Use a lab VM or container host you own. Do not run this on production systems.
1. Boot a system with a vulnerable kernel.
2. Confirm that `/usr/bin/su` exists and is setuid-root.
3. Run the PoC:
```bash
python3 copy_fail_exp.py
```
4. If the exploit succeeds, the script patches `/usr/bin/su` and then invokes
`su`. You should end up in a root shell or see a root prompt, depending on
the environment.
## Running
The script has no extra dependencies beyond the Python 3 standard library.
```bash
python3 copy_fail_exp.py
```
If you want to inspect the target first, the script currently defaults to
`/usr/bin/su`.
## Updating The Fix
If you maintain a downstream kernel, the correct fix is to backport the upstream
revert that removes the in-place AEAD optimization:
- Upstream fix commit: `a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5`
- The fix mostly reverts the earlier `72548b093ee3` in-place change.
Recommended workflow for a downstream kernel tree:
```bash
git cherry-pick a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5
make olddefconfig
make -j"$(nproc)"
make modules_install
make install
reboot
```
If you are not rebuilding kernels yourself, install the vendor kernel package
that contains the backport and reboot into it.
### Interim Mitigation
If patching is delayed, disable the module path as a temporary measure:
```bash
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf
rmmod algif_aead 2>/dev/null
```
This is a mitigation, not a fix.
## Notes
- The PoC is intentionally small and deterministic.
- The exploit is local-only, but it is high impact on shared hosts, CI runners,
Kubernetes nodes, and container platforms because the host page cache is
shared.
- The kernel bug is a logic error, not a race condition, so the exploit path is
reliable once the vulnerable code is present.