Share
## https://sploitus.com/exploit?id=F8CFB5E6-6897-57F0-A9F4-FAC386382911
# Copy Fail - CVE-2026-31431

This repository contains a small Linux local privilege escalation PoC for
CVE-2026-31431, also known as "Copy Fail".

The exploit targets the Linux kernel `algif_aead` path in the AF_ALG userspace
crypto API. It uses `AF_ALG` plus `splice()` to coerce the kernel into writing
into the page cache of `/usr/bin/su` in 4-byte chunks, then executes `su` after
the page cache has been modified.

## Source Code Overview

The PoC in [`copy_fail_exp.py`](./copy_fail_exp.py) does four things:

1. Opens an `AF_ALG` socket for `aead` with the transform
   `authencesn(hmac(sha256),cbc(aes))`.
2. Configures the request with the same `setsockopt()` values used in the
   original proof of concept.
3. Uses two `splice()` calls to move data from the target file into the AF_ALG
   request path, which is the buggy kernel path.
4. Decompresses a 160-byte embedded payload and writes it into the target file
   in 4-byte chunks. The payload is an ELF stub that includes `/bin/sh`.

The `zlib` blob is not random data. It is a compact payload that is meant to
replace the start of `/usr/bin/su` in page cache so the next execution of `su`
spawns a root shell.

## Affected Versions

The vulnerable code was introduced in Linux kernel 4.14-era `algif_aead`
changes and remained present until the upstream fix that reverts the in-place
optimization.

### Broad Scope

- Linux kernels built from 2017 onward that include the vulnerable
  `algif_aead` in-place path.
- Most mainstream distributions that shipped kernels in that window and did not
  yet backport the fix.
- Systems where the `AF_ALG` crypto API is enabled, which is the default on
  most general-purpose Linux distributions.

### Tested / Verified Publicly

| Distribution | Kernel |
| --- | --- |
| Ubuntu 24.04 LTS | `6.17.0-1007-aws` |
| Amazon Linux 2023 | `6.18.8-9.213.amzn2023` |
| RHEL 10.1 | `6.12.0-124.45.1.el10_1` |
| SUSE 16 | `6.12.0-160000.9-default` |

### Upstream Fixed Points

- `6.18.22`
- `6.19.12`
- `7.0`

Downstream LTS branches are safe only after the vendor backport lands in the
kernel package you actually run.

## Reproduction

Use a lab VM or container host you own. Do not run this on production systems.

1. Boot a system with a vulnerable kernel.
2. Confirm that `/usr/bin/su` exists and is setuid-root.
3. Run the PoC:

```bash
python3 copy_fail_exp.py
```

4. If the exploit succeeds, the script patches `/usr/bin/su` and then invokes
   `su`. You should end up in a root shell or see a root prompt, depending on
   the environment.

## Running

The script has no extra dependencies beyond the Python 3 standard library.

```bash
python3 copy_fail_exp.py
```

If you want to inspect the target first, the script currently defaults to
`/usr/bin/su`.

## Updating The Fix

If you maintain a downstream kernel, the correct fix is to backport the upstream
revert that removes the in-place AEAD optimization:

- Upstream fix commit: `a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5`
- The fix mostly reverts the earlier `72548b093ee3` in-place change.

Recommended workflow for a downstream kernel tree:

```bash
git cherry-pick a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5
make olddefconfig
make -j"$(nproc)"
make modules_install
make install
reboot
```

If you are not rebuilding kernels yourself, install the vendor kernel package
that contains the backport and reboot into it.

### Interim Mitigation

If patching is delayed, disable the module path as a temporary measure:

```bash
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf
rmmod algif_aead 2>/dev/null
```

This is a mitigation, not a fix.

## Notes

- The PoC is intentionally small and deterministic.
- The exploit is local-only, but it is high impact on shared hosts, CI runners,
  Kubernetes nodes, and container platforms because the host page cache is
  shared.
- The kernel bug is a logic error, not a race condition, so the exploit path is
  reliable once the vulnerable code is present.