GitFeed
Back to feed

badsectorlabs/copyfail-go

badsectorlabs/copyfail-go
318
+70/wk
63
Assembly

A Go implementation of copyfail (CVE-2026-31431)

From the README

CopyFail Go

Most Linux LPEs need a race window or a kernel-specific offset. Copy Fail is a straight-line logic flaw — it needs neither. The same ~~732-byte Python script~~ static Go binary roots every Linux distribution shipped since 2017.

A Go implementation of CVE-2026-31431. In case you need a static binary and no Python dependency.

See copy.fail for more info.

Interactive shell

# Get the binary to your Linux host with code execution (exercise for the reader)
user@host$ chmod +x copyfail-go
user@host$ ./copyfail-go --backup /tmp/su
root@host# cat /tmp/su > /usr/bin/su    # Restore the original su binary
root@host# touch -r /tmp/su /usr/bin/su # Restore the modified time of the original su
root@host# rm /tmp/su
root@host# # Do things as root =)

Run binary as root

Useful to elevate a program to root

# Get the binary to your Linux host with code execution (exercise for the reader)
user@host$ chmod +x copyfail-go
user@host$ ./copyfail-go --backup /tmp/su --exec ./your-binary
user@host$ # Use whatever you ran to restore su from /tmp/su

Don't trust those hex blobs?

Compile the payloads yourself with payloads/build-n-print.sh on a Debian host (Debian 13 tested).

You'll need to apt install nasm python3 binutils-aarch64-linux-gnu binutils-arm-linux-gnueabihf then run the script from in the payloads directory. It will compile each payload and output the zlib compressed hex strings. Compare those to what is in main.go (or replace them with your own) and build the copyfile-go binaries with goreleaser build --snapshot --clean from the main project directory.

Affected kernels (from copy-fail-c)

floor:    torvalds/linux 72548b093ee3   August 2017, v4.14
                                        (AF_ALG iov_iter rework that
                                         introduced the file-page write
                                         primitive via splice into the AEAD
                                         scatterlist)

ceiling:  torvalds/linux a664bf3d603d   April 2026, mainline
                                        (reverts the 2017 algif_aead
                                         in-place optimization; separates
                                         source and destination scatterlists
                                         so page-cache pages can no longer
                                         be a writable crypto destination)

In between: every major distro kernel that didn't backport the fix. Ubuntu, RHEL, SUSE, Amazon Linux, and Debian were all confirmed vulnerable in their stock cloud-image kernels at disclosure time. Distro-level backports started rolling out around 2026-04-29 alongside the public disclosure. To verify whether a target kernel is in-window, check whether a664bf3d603d (or its distro-specific backport) is present in the kernel's git log or the distro's changelog.

View on GitHub