
Introduction:
A deterministic logic flaw silently introduced into the Linux kernel in 2017 has just been publicly disclosed as “Copy Fail” (CVE-2026-31431). Attackers with access to any low‑privilege account on virtually every distribution released in the past nine years can reliably gain full root access using a trivial 732‑byte Python script.
Learning Objectives:
- Understand how the kernel’s AF_ALG crypto interface, the `splice()` syscall, and the `authencesn` template combine into a page‑cache write primitive.
- Learn to detect systems vulnerable to CVE-2026-31431 using non‑destructive scripted tests.
- Apply immediate mitigation steps (blacklisting the vulnerable module) and permanent kernel patching procedures.
You Should Know:
1. How a “Copy Fail” Turns a Readable File into a Root Shell
The bug stems from a 2017 in‑place performance optimisation in `algif_aead.c` (commit 72548b093ee3). It lets an unprivileged user write four controlled bytes into the page cache of any file it can open for reading, including setuid binaries such as /usr/bin/su. The corrupted page is never written back to disk, so on‑disk integrity tools, package checksums and disk forensics see a pristine binary, and no persistent forensic trace is left once the page leaves the cache.
The technique chains three normal‑looking operations:
1. Open an AF_ALG socket – `socket(AF_ALG, SOCK_SEQPACKET, 0)`.
2. Splice file data – `splice()` feeds page‑cache pages of the target file into the crypto socket’s RX buffer.
3. Trigger the scratch write – `sendmsg()` supplies an `authencesn` request; the kernel writes four bytes (the AAD’s sequence‑number low field) into the spliced page‑cache page.
The official Proof‑of‑Concept (PoC) script from Theori (now mirrored in multiple public repositories) performs all three steps within 732 bytes of pure Python 3 standard library code. The same unmodified script works on Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL, and SUSE 16. It also crosses container boundaries: page‑cache pages belong to the file (inode), not to the container that opened it, so any file a container shares with the host or with other containers – hostPath/bind mounts of host directories, or image layers shared by containers started from the same image – can be corrupted from inside the container.
2. Step‑by‑Step Guide to Detecting CVE-2026-31431 Without Breaking Production
Before applying any mitigation, assess whether your environment is vulnerable. Use the non‑destructive detector script from `rootsecdev` – it operates on a temporary sentinel file and never touches system binaries.
Detection steps (run as an unprivileged user):
# Clone the detection tool (review the script before running third‑party code)
git clone https://github.com/rootsecdev/cve_2026_31431.git
cd cve_2026_31431
# Run the detector (no root required)
python3 test_cve_2026_31431.py
- Exit code 0 – The marker was not written: either `AF_ALG` or the required algorithm is unavailable, or the kernel already carries the fix; the host is not vulnerable.
- Exit code 2 – The marker `PWND` was written into the sentinel file’s page cache → the host is vulnerable.
- Exit code 1 – A test error occurred (check the kernel config or missing Python features).
To verify that a machine has been patched after installing an updated kernel, run the same script again. On patched kernels (≥6.18.22, ≥6.19.12 or ≥7.0, or a vendor kernel with the backported fix) the test cleanly exits with code 0. Prefer this behavioural test over a bare version‑number comparison, because distribution kernels backport the fix without changing their version series.
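The following script is an added example for this article, not the rootsecdev detector or the Theori PoC. It is non‑destructive (it writes nothing into any page cache) and combines two signals the article treats separately: the running kernel version against the upstream fixed releases quoted above (6.18.22, 6.19.12, 7.0; assumed correct as stated in the article, and only a heuristic because vendors backport), and whether an unprivileged process can bind an AF_ALG `aead` socket to the `authencesn` template, which is the precondition the exploit chain needs and exactly what blacklisting `algif_aead` removes. The exit‑code scheme is this example’s own, not the rootsecdev one.

```python
"""Non-destructive exposure check for CVE-2026-31431 (Copy Fail).

Added example for this article: NOT the rootsecdev detector or the Theori PoC.
Signals:
  1. kernel version vs. the upstream fixed releases quoted in the article
     (6.18.22, 6.19.12, 7.0) -- heuristic only, vendors backport the fix;
  2. can an unprivileged process bind AF_ALG "aead" to authencesn? That is the
     exploit's precondition and what blacklisting algif_aead removes.
Exit codes (this example's own scheme): 0 ok, 1 undecided, 2 exposed.
"""
import platform
import re
import socket
import sys
from typing import Optional, Tuple

# Upstream fixed releases as quoted in the article (assumption: article is right).
FIXED_IN_SERIES = {(6, 18): (6, 18, 22), (6, 19): (6, 19, 12)}
FIXED_FROM_MAJOR = 7
AF_ALG = getattr(socket, "AF_ALG", 38)  # socket.AF_ALG exists on Linux Python >= 3.6
# Same algorithm string as the article's reachability one-liner.
AEAD_ALGO = ("aead", "authencesn(hmac(sha256),cbc(aes))")


def parse_kernel_version(release: str) -> Tuple[int, int, int]:
    """'6.8.0-55-generic' -> (6, 8, 0); '7.0' -> (7, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release string: %r" % release)
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def version_has_upstream_fix(release: str) -> Optional[bool]:
    """True/False when the version series is one the article lists a fix for
    (or is 7.x and later); None for any other series (e.g. 6.1/6.6/6.12 LTS
    distro kernels), where only the vendor advisory can tell."""
    major, minor, patch = parse_kernel_version(release)
    if major >= FIXED_FROM_MAJOR:
        return True
    fixed = FIXED_IN_SERIES.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) >= fixed


def af_alg_aead_reachable() -> Optional[bool]:
    """True  -> bind() succeeded: algif_aead is loaded and authencesn is available.
    False -> AF_ALG exists but bind() failed (module blacklisted or template missing).
    None  -> no AF_ALG socket at all (non-Linux, or CONFIG_CRYPTO_USER_API disabled)."""
    try:
        s = socket.socket(AF_ALG, socket.SOCK_SEQPACKET, 0)
    except OSError:
        return None
    try:
        s.bind(AEAD_ALGO)
        return True
    except OSError:
        return False
    finally:
        s.close()


def assess(release: str, reachable: Optional[bool]) -> Tuple[str, int]:
    """Combine both signals into a verdict and an exit code."""
    if reachable is not True:
        return ("AF_ALG aead/authencesn not reachable: exploit precondition absent", 0)
    fixed = version_has_upstream_fix(release)
    if fixed is True:
        return ("aead reachable, but kernel is at or after the upstream fix", 0)
    if fixed is False:
        return ("EXPOSED: aead/authencesn reachable and kernel below the upstream fix", 2)
    return ("aead reachable; version series not in the quoted fix list, "
            "check the vendor advisory for a backport", 1)


def main() -> int:
    release = platform.release()
    verdict, code = assess(release, af_alg_aead_reachable())
    print("kernel %s: %s" % (release, verdict))
    return code


if __name__ == "__main__":
    sys.exit(main())
```

Run it as an unprivileged user. A verdict of 1 is the common case on LTS distribution kernels (6.1, 6.6, 6.12 and vendor kernels such as 5.14 or 6.8): the AEAD interface is reachable but the version string cannot tell you whether the fix was backported, so fall back to the rootsecdev behavioural test or the vendor advisory.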
3. Immediate Mitigation (No Reboot, No Downtime)
If you cannot reboot to a patched kernel immediately, disable the vulnerable `algif_aead` kernel module. This temporary workaround has no measurable impact on the vast majority of systems – typical servers, LUKS/dm‑crypt, IPsec, and SSH do not use the AF_ALG AEAD interface and are unaffected. Two caveats: the `install` rule only prevents future loads, so the module must also be unloaded now (`rmmod` fails while a process holds an AF_ALG aead socket open), and the workaround does nothing if the interface is compiled into the kernel rather than built as a module (`CONFIG_CRYPTO_USER_API_AEAD=y` in the running kernel’s config, usually /boot/config-$(uname -r)); in that case only the kernel update helps.
One‑line mitigation (as root):
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf && rmmod algif_aead 2>/dev/null || true
Verify the module is gone:
lsmod | grep '^algif_aead' || echo "algif_aead is not loaded"
Test that the exploit path is blocked:
python3 -c "import socket; s=socket.socket(38, socket.SOCK_SEQPACKET, 0); s.bind(('aead','authencesn(hmac(sha256),cbc(aes))')); print('VULNERABLE MODULE STILL REACHABLE')"
If the `bind()` raises an OSError, the mitigation is effective. Note what this check does and does not tell you: a successful `bind()` only proves that the AEAD interface is reachable, not that the kernel is unpatched, so on a fixed kernel with the module re‑enabled it will print the warning again. Use it to confirm the blacklist, and the detector from section 2 to confirm the patch.
For containerised or sandboxed environments, also block `AF_ALG` socket creation via seccomp policies as an additional hardening measure.
4. Permanent Fix: Apply the Kernel Patch
The upstream fix (commit a664bf3d603d) simply reverts the 2017 in‑place optimisation, returning to the safer out‑of‑place AEAD operation. Patch availability varies by distribution:
– Ubuntu / Debian – `apt update && apt upgrade` (or `apt full-upgrade`). The `linux-image-generic` / `linux-image-amd64` metapackage pulls in the fixed kernel; upgrading only `linux-image-$(uname -r)` does not install a newer kernel, because Debian‑family kernel packages are versioned per release and the fix ships under a new package name.
– RHEL / CentOS / Alma / Rocky – `dnf update kernel` (or `yum update kernel` on older releases)
– SUSE / openSUSE – `zypper patch` or `zypper update kernel-default`
– Amazon Linux 2023 – `dnf update kernel` (`yum` is an alias for `dnf` on AL2023)
– Arch Linux – `pacman -Syu linux`
After updating, reboot into the new kernel and confirm with `uname -r` that the new one is running. Some distributions may have already released backported security patches that carry the fix without a full kernel version jump – always check your vendor’s security bulletin for CVE-2026-31431 rather than comparing version numbers alone.
5. Hardening Shared and Containerised Environments
Page‑cache pages belong to a file, not to the namespace that opened it, so any file a container shares with its host or with other containers is a cross‑boundary target: a compromised pod that can open a host setuid binary (for example through a hostPath or bind mount of /usr or /bin) can corrupt the host node’s copy, and a pod that corrupts a setuid binary in a shared image layer affects every container on that node started from the same image. Copy Fail is therefore a container escape vector wherever such sharing exists, including multi‑tenant Kubernetes clusters and shared CI/CD runners.
For untrusted workloads, apply the following in addition to module blacklisting:
– Block `AF_ALG` socket creation with a seccomp profile: on Kubernetes via the pod’s `securityContext.seccompProfile` (PodSecurityPolicy was removed in Kubernetes 1.25, so use a `Localhost` or runtime profile instead), on Docker via `--security-opt seccomp=`. Filter `socket()` on its first argument (domain == AF_ALG, 38) so ordinary networking is untouched.
– Do not expose host directories that contain setuid binaries (/usr, /bin, /sbin) to untrusted pods; where a host path must be mounted, mount it read‑only and with `nosuid` (and `noexec` where the workload allows) so a corrupted binary there cannot be used for escalation.
– Because the corrupted page is never marked dirty, it vanishes as soon as it leaves the page cache: a reboot clears it, and on a running system `echo 3 > /proc/sys/vm/drop_caches` evicts clean pages that are not currently mapped, so the file is re‑read from disk. This undoes an existing corruption but does not prevent a new one – treat it as clean‑up after patching, not as a mitigation.
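The seccomp hardening recommended above (in both section 3 and this section) is shown concretely below as an added example for this article; it is not a profile shipped by Theori, Docker or Kubernetes. It emits an OCI/Docker‑style JSON profile with a single argument‑filtered rule that makes `socket(AF_ALG, …)` fail with EAFNOSUPPORT (my choice of errno: it is what a caller sees on a kernel built without the crypto user API, so well‑behaved software degrades gracefully), plus a checker for confirming that whatever profile you actually roll out – normally your existing default‑deny profile with this rule merged in – really denies the AF_ALG domain.

```python
"""Seccomp profile that denies socket(AF_ALG, ...) inside a container.

Added example for this article, not a profile shipped by Theori, Docker or
Kubernetes. The JSON shape is the OCI/Docker seccomp profile format
(defaultAction / architectures / syscalls[] with names, action, errnoRet, args).
"""
import json
from typing import Any, Dict

AF_ALG = 38          # Linux address family of the kernel crypto API (socket.AF_ALG)
EAFNOSUPPORT = 97    # errno returned to the caller: "Address family not supported"


def no_af_alg_profile(default_action: str = "SCMP_ACT_ALLOW") -> Dict[str, Any]:
    """Minimal profile: allow everything except socket() whose first argument
    (the domain) equals AF_ALG, which fails with EAFNOSUPPORT. Allow-by-default
    is weaker than a runtime's stock profile, so in production merge the rule
    into that profile instead of replacing it."""
    return {
        "defaultAction": default_action,
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32", "SCMP_ARCH_AARCH64"],
        "syscalls": [
            {
                "names": ["socket"],
                "action": "SCMP_ACT_ERRNO",
                "errnoRet": EAFNOSUPPORT,
                "args": [{"index": 0, "value": AF_ALG, "valueTwo": 0, "op": "SCMP_CMP_EQ"}],
                "comment": "CVE-2026-31431 (Copy Fail): deny AF_ALG so algif_aead is unreachable",
            }
        ],
    }


def blocks_af_alg(profile: Dict[str, Any]) -> bool:
    """True if some rule denies socket() when arg0 == AF_ALG. Run this against the
    merged production profile before deployment, not only against the fragment above."""
    deny_prefixes = ("SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_TRAP")
    for rule in profile.get("syscalls", []):
        if "socket" not in rule.get("names", []):
            continue
        if not str(rule.get("action", "")).startswith(deny_prefixes):
            continue
        for arg in rule.get("args", []):
            if arg.get("index") == 0 and arg.get("op") == "SCMP_CMP_EQ" and arg.get("value") == AF_ALG:
                return True
    return False


def render(profile: Dict[str, Any]) -> str:
    """JSON as the container runtime reads it."""
    return json.dumps(profile, indent=2)


def write_profile(path: str, profile: Dict[str, Any]) -> str:
    """Write the profile to disk, refusing anything that does not deny AF_ALG.
    For Kubernetes the path must be under the kubelet seccomp root on every node
    (default /var/lib/kubelet/seccomp/)."""
    if not blocks_af_alg(profile):
        raise ValueError("refusing to write a profile that does not deny AF_ALG")
    with open(path, "w") as fh:
        fh.write(render(profile))
    return path


if __name__ == "__main__":
    print(render(no_af_alg_profile()))
```

Reference the file from a pod as `securityContext.seccompProfile: {type: Localhost, localhostProfile: no-af-alg.json}`, or pass it to Docker with `--security-opt seccomp=no-af-alg.json`. Two caveats: on 32‑bit x86 the C library may still route through `socketcall()`, whose arguments seccomp cannot inspect, so those workloads need that syscall filtered as well; and seccomp only stops sockets being created inside the container – it does not protect the host’s own processes, which still need the module blacklist or the kernel patch.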
6. Linking All Resources: The Official Disclosure and Public Repositories
All authoritative information and tools are collected at the official advisory site:
– Official copy.fail portal – https://copy.fail/
– Original disclosure by Theori / Xint Code – https://xint.io/blog/copy-fail-linux-distributions
– Primary PoC repository (Theori) – https://github.com/theori-io/copy-fail-CVE-2026-31431
– CVE‑2026‑31431 discussion on openwall – https://openwall.com/lists/oss-security/2026/04/29/23
– The GBHackers news article – https://gbhackers.com/linux-kernel-0-day-copy-fail-grants-root-access-major-distros/
What Undercode Say:
- Deterministic root on all major distros – No race conditions, no per‑distribution offsets, no compiled payload. A single 732‑byte Python script works unchanged on Ubuntu, RHEL, SUSE, Amazon Linux, and their derivatives. This is a straight‑line logic flaw, not a probabilistic race.
- Stealthy page‑cache attack – The corruption never reaches persistent storage; the kernel does not mark the page as dirty. On‑disk file integrity tools, package checksums, and disk forensics all report the binary as pristine. Only a comparison of the cached pages against the on‑disk copy, or auditing of AF_ALG use by unprivileged processes, would reveal it while it is live; the attack leaves no persistent signature and disappears on reboot.
- Container escape by design – Page‑cache pages are shared by every process on the host that opens the same file, regardless of namespace. A compromised pod that can open the node’s /usr/bin/su (for example through a hostPath mount) can write into the host’s cached copy and escalate to root on the node, and a pod that corrupts a setuid binary in a shared image layer compromises every container on that node started from the same image, breaking tenant isolation in multi‑tenant Kubernetes clusters and shared CI/CD runners.
Prediction:
Copy Fail will be weaponised within 48 hours, leading to widespread scans for vulnerable shared Linux hosts and a spike in container breakout attacks. The involvement of an AI‑assisted discovery tool will accelerate similar automated audits of legacy kernel subsystems, likely triggering several more ancient logic‑flaw disclosures in the next six months.
Reported By: Divya Kumari – Hackers Feeds


