CVE-2026-31431 — Copy Fail

Linux kernel local privilege escalation via AF_ALG + splice page-cache overwrite

For authorized security research, penetration testing, and educational purposes only. Do not use against systems you do not own or have explicit written permission to test.

Technical Writeup

---

Table of Contents

• Description
• Vulnerability Details
• Repository Structure
• Quick Start
• Detection
• Requirements
• Mitigation
• Test Environment (optional)
• References
• License

---

Description

CVE-2026-31431 is a local privilege escalation (LPE) vulnerability in the Linux kernel. An unprivileged local user can gain root access by combining the AF_ALG socket interface with splice() to perform an authenticated write directly into a page-cache page belonging to a setuid binary.

The exploit overwrites the su binary in the page cache without modifying the on-disk inode, bypassing integrity mechanisms that rely solely on file metadata or block-level checksums.

---

Vulnerability Details

Field	Value
CVE ID	CVE-2026-31431
Type	Local Privilege Escalation (LPE)
CVSS v3.1 Score	7.8 High — AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (source: kernel.org)
Kernel subsystems	crypto/af_alg.c, mm/splice.c
Attack vector	Local — unprivileged user account required
Root cause	algif_aead accepts sendfile() over an AEAD socket without enforcing copy-on-write semantics on the mapped page-cache page prior to splice() completing the transfer

Affected Environments

Distro	Kernel version	Arch
Ubuntu 24.04 LTS	6.17.0-1007-aws	x86_64
Amazon Linux 2023	6.18.8-9.213.amzn2023	x86_64
RHEL 10.1	6.12.0-124.45.1.el10_1	x86_64
SUSE 16	6.12.0-160000.9-default	x86_64
Raspberry Pi OS (Pi 5)	6.12.75+rpt-rpi-2712	aarch64

---

Repository Structure

.
├── exploit.py    # PoC — page-cache overwrite and privilege escalation
├── detect.bt     # BPFtrace script for real-time detection
├── run-vm.sh     # QEMU test environment automation (optional)
├── PAYLOAD.md    # Payload encoding analysis (hex → zlib → ELF → shellcode)
└── LICENSE

---

Quick Start

Run exploit.py as an unprivileged local user on any vulnerable system — no sudo needed:

python3 exploit.py

The script performs the following steps:

1. Verifies kernel support for AF_ALG (algif_aead) and locates the su binary.
2. Selects and decompresses the architecture-appropriate payload.
3. Opens the su binary as a raw file descriptor and overwrites its page-cache pages via AF_ALG + sendfile.
4. Tests privilege escalation. If successful, drops into a root shell.

Supported architectures:

Architecture	Variants
x86_64	—
aarch64	—
riscv64	—
ppc64le	—
arm	armv5l, armv6l, armv7l
x86 32-bit	i386, i486, i586, i686
MIPS 64-bit	mips64, mips64el
LoongArch	loong64, loongarch64
s390x	—

---

Detection

Monitor for exploitation attempts in real time with detect.bt. Requires root:

sudo bpftrace detect.bt
# or
doas bpftrace detect.bt

The script tracks three indicators per PID using a bitmask in @suspect[pid]:

Bit	Syscall	Indicator
0x1	socket(AF_ALG, SOCK_SEQPACKET)	AF_ALG socket created
0x2	setsockopt(SOL_ALG, ...)	Crypto operation configured
0x4	sendmsg(MSG_MORE) + splice()	Page-cache overwrite attempted

An alert fires when all three bits are set (@suspect[pid] == 0x7) on the same PID.

---

Requirements

exploit.py

• Python 3.6+
• Linux kernel with AF_ALG/algif_aead module loaded
• Local unprivileged user account (root is not required)

detect.bt

• bpftrace ≥ 0.12
• Root privileges (required for BPF tracing)

# Ubuntu/Debian
sudo apt install bpftrace

# RHEL/CentOS/Fedora
sudo dnf install bpftrace

# Amazon Linux
sudo yum install bpftrace

# SUSE
sudo zypper install bpftrace

# Alpine
sudo apk add bpftrace

---

Mitigation

1. Patch (preferred)

Update your distribution's kernel package to one that includes mainline commit a664bf3d603d, which reverts the 2017 algif_aead in-place optimization so that page-cache pages can no longer end up in the writable destination scatterlist. Most major distributions are shipping the fix now.

2. Disable algif_aead (while waiting for a patch)

blacklist can be bypassed with an explicit modprobe algif_aead. The install .../bin/false directive overrides the install command entirely, making every load attempt fail:

echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif.conf
sudo rmmod algif_aead 2>/dev/null || true

What this breaks — almost nothing

Affected?	Subsystem/Use case
No	dm-crypt/LUKS, kTLS, IPsec/XFRM, in-kernel TLS
No	OpenSSL, GnuTLS, NSS default builds
No	SSH, kernel keyring crypto
Maybe	OpenSSL with the afalg engine explicitly enabled
Maybe	Embedded crypto offload paths or apps that bind aead/skcipher/hash sockets directly

The subsystems in the "No" row use the in-kernel crypto API directly — they never go through AF_ALG. Performance falls back to normal userspace crypto libraries, which is what almost everything else already uses.

To check whether anything on your system actively uses AF_ALG before disabling it:

lsof | grep AF_ALG
ss -xa | grep alg

3. Block via seccomp (containers, sandboxes, CI)

Deny socket(AF_ALG, ...) creation for untrusted workloads regardless of patch state. Add AF_ALG (family 38) to your seccomp deny-list, or use an AppArmor/SELinux policy that restricts socket calls for unprivileged processes.

4. Monitor with detect.bt

Deploy the included detection script on any host that cannot be patched or locked down immediately. It will alert on any process that executes the full three-step exploit primitive.

---

Test Environment (optional)

run-vm.sh automates the creation of an Ubuntu 24.04 QEMU VM for testing in a controlled environment. exploit.py and detect.bt run directly on any vulnerable host — QEMU is not required.

Host Requirements

Dependency	Notes
qemu-system-x86_64 + KVM	See install commands below
wget or curl	Cloud image download
cloud-image-utils	Seed image generation (Docker can substitute on non-Debian hosts)

Install QEMU

# Ubuntu/Debian
sudo apt install qemu-system-x86 cloud-image-utils wget

# Fedora/RHEL
sudo dnf install qemu-system-x86 wget

# Arch
sudo pacman -Sy qemu

# Alpine
sudo apk add qemu-system-x86 qemu-ui-gtk wget

Run

sh run-vm.sh

Interactive Menu

1. Start/Create VM
2. Connect via SSH
3. Upload files to VM  (exploit.py, detect.bt)
4. Run exploit inside VM
5. Run detect.bt inside VM
6. Check VM status
7. Stop VM
8. Clean up VM files
0. Exit

VM Credentials

Field	Value
User	ubuntu
Password	cve123
SSH port	2222

---

References

• Technical Writeup — xint.io
• Payload Encoding Analysis — hex → zlib → ELF → shellcode breakdown
• crypto/af_alg.c — kernel source
• mm/splice.c — kernel source

---

License

This project is licensed under the GNU General Public License v3.0 or later. See LICENSE for the full text.

Disclaimer: This repository is provided for authorized security research, penetration testing, and educational purposes only. The authors accept no liability for any misuse or damage caused by this software.