Share
## https://sploitus.com/exploit?id=FCD4859C-0283-5E73-8890-5961D454FB63
# Copy Fail · CVE-2026-31431

Local privilege escalation on Linux kernels from 4.11 up to (but not including) the patched 6.18 releases.  
The bug lives in the kernel's AF_ALG socket interface—specifically how `authencesn` handles scatter-gather lists during in‑place AEAD decryption. The result: an unprivileged user can overwrite 4 bytes at a time in _any readable file's page cache_.

Overwrite a setuid binary like `/usr/bin/su` with shellcode, run it, and you're root. No race, no kernel symbols, no recompilation. The same 172‑byte AArch64 payload (or 160 for x86‑64, 126 for i386, 138 for ARMv7) works across distributions.

The vulnerability was discovered by **Taeyang Lee & Theori / Xint Code** and published on 29 April 2026. This repository is an independent, class‑based reimplementation meant for authorised testing.

## Demo

| Checking Vulnerability | Exploiting and getting root |
| :---: | :---: |
| ![Checking Vulnerability](1.png) | ![Exploiting and getting root](2.png) |

## Why it's different from Dirty Cow / Dirty Pipe

- **No race.** One shot, deterministic.
- **No kernel‑specific offsets.** The script doesn't care about your distribution.
- **Container escape possible.** Page cache is shared with the host; a container with `allowPrivilegeEscalation: true` (the Kubernetes default) can break out.

## Affected systems

Anything running a kernel between 4.11 and roughly 6.17.x, which includes:

- Ubuntu 24.04 LTS (shipped with 6.17.x)
- Amazon Linux 2023 (pre‑patch 6.18.x)
- RHEL 10.1, SUSE 16 (6.12.x)
- Debian Trixie before the security update (6.12.85+deb13 fixed it)

Patched kernels: mainline ≥ 6.18.22 / 6.19.12 / 7.0, plus backports to stable trees.

## Quick start

```bash
# Check if the system is vulnerable
python3 exploit.py --check

# Run the exploit (non‑root user required)
python3 exploit.py
```

## Requirements

- Python 3.6+ (native `os.splice` from 3.10)
- Kernel with AF_ALG + `authencesn(hmac(sha256),cbc(aes))` support
- A setuid‑root binary (`/usr/bin/su` is the default; use `--scan` to find alternatives)

If the check complains about the algorithm, load the needed modules:

```bash
sudo modprobe algif_aead authencesn hmac cbc
```

Some distributions ship a temporary block (`/etc/modprobe.d/disable-algif_aead.conf`). The script removes it automatically when run as root, or you can delete it by hand.

## Mitigation

**Permanent:** Update your kernel. On Ubuntu/Debian:

```bash
sudo apt update && sudo apt upgrade linux-image-generic
```

**Workaround (does not affect IPsec/XFRM):**

```bash
echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif-aead.conf
sudo rmmod algif_aead 2>/dev/null
```

> **Note:** IPsec/XFRM is **not** affected by this block because it uses the kernel crypto API directly, not AF_ALG.

**Containers:**

The primary mitigation is blocking the AF_ALG socket with a seccomp profile. Additionally, set `allowPrivilegeEscalation: false` in your pod security context to enable `no_new_privs`, which stops the kernel from honouring setuid bits on `execve()`.

## References

- [Official site — copy.fail](https://copy.fail)
- [Technical write‑up — Xint.io](https://xint.io/blog/copy-fail-linux-distributions)
- [Original PoC — theori-io](https://github.com/theori-io/copy-fail-CVE-2026-31431)
- [Kernel fix commit](https://github.com/torvalds/linux/commit/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5)
- [CVE entry — NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-31431)
- [oss-security disclosure](https://www.openwall.com/lists/oss-security/2026/04/29/1)

## Credits

- **Taeyang Lee & Theori / Xint Code** – vulnerability discovery and original PoC
- **ZephrFish** – multi‑arch shellcode extensions
- **This repo** – independent OOP reimplementation, auto workaround removal, system scanning, testing, and documentation

## Disclaimer

This tool is for educational and authorised security testing. Don't run it on systems you don't own or have written permission to test.