Copy Fail Linux Kernel Local Privilege Escalation (CVE-2026-31431)
by Xint Code (Theori), Juno Im · 2026-05-17
- Severity: High
- CVE: CVE-2026-31431
- Category: binary
- Affected product: Linux kernel (crypto / AF_ALG AEAD path)
- Affected versions: Confirmed on Ubuntu 24.04 (6.17.0-1007-aws), Amazon Linux 2023 (6.18.8-9.213.amzn2023), RHEL 10.1 (6.12.0-124.45.1.el10_1), SUSE 16 (6.12.0-160000.9-default)
- Disclosed: 2026-05-17
- Patch status: unpatched
References
- Archive entry: intelseclab/poc-archive
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-05-17 |
| Last Updated | 2026-04-29 |
| Author / Researcher | Xint Code (Theori), Juno Im |
| CVE / Advisory | CVE-2026-31431 |
| Category | binary |
| Severity | High |
| CVSS Score | N/A |
| Status | Weaponized |
| Tags | LPE, Linux kernel, AF_ALG, authenc, splice, local, Python |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | Linux kernel (crypto / AF_ALG AEAD path) |
| Versions Affected | Confirmed on Ubuntu 24.04 (6.17.0-1007-aws), Amazon Linux 2023 (6.18.8-9.213.amzn2023), RHEL 10.1 (6.12.0-124.45.1.el10_1), SUSE 16 (6.12.0-160000.9-default) |
| Language / Platform | Python, Linux |
| Authentication Required | Yes (local unprivileged shell) |
| Network Access Required | Local only |
Summary
Copy Fail (CVE-2026-31431) is a Linux kernel local privilege-escalation vulnerability published by Theori (Xint Code). The released PoC drives AF_ALG AEAD socket operations with crafted parameters and splice() calls to overwrite bytes of a setuid-root executable (/usr/bin/su) that the attacker can only read, then runs the modified binary to obtain root. Public exploit code is available and was demonstrated against the distributions listed under Affected versions.
Vulnerability Details
Root Cause
The PoC exercises the AEAD (authenc) processing path that the kernel exposes to unprivileged users through AF_ALG sockets. Crafted socket options and sendmsg() metadata cause the kernel to perform writes under attacker control during crypto processing; combined with splice(), the PoC turns those writes into corruption of the contents of a setuid-root executable from an unprivileged context, even though the attacker has no write permission on the file. The exact faulty kernel code path is not documented in this entry; the upstream repository is the only source.
Attack Vector
An attacker with an unprivileged local shell runs the Python PoC. The script opens /usr/bin/su (which an unprivileged user can open only for reading), creates an AF_ALG socket bound to the AEAD template authenc(hmac(sha256),cbc(aes)), repeatedly issues crafted sendmsg() and splice() calls that land attacker-chosen bytes in the setuid binary, and then executes su, which now runs the attacker's code with root privileges.
Impact
Successful exploitation gives an unprivileged local user root on affected kernels, i.e. full host compromise: arbitrary command execution, persistence, and bypass of host security controls. Only a local unprivileged shell is required (see Affected Target); no special group membership or capability is needed.
Environment / Lab Setup
OS: Ubuntu 24.04 LTS / Amazon Linux 2023 / RHEL 10.1 / SUSE 16
Target: one of the kernel/distribution builds listed under Affected versions
Attacker: Local unprivileged user on target host
Tools: python3
Setup Steps
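Before running the PoC it is worth confirming that the lab host actually exposes what the exploit relies on: the authenc AEAD template reachable through AF_ALG by the current uid, and a setuid-root /usr/bin/su that the caller cannot write. The script below is an added example for this archive entry, not code from the upstream copy-fail-CVE-2026-31431 repository; it performs no exploit step and only reports preconditions. The algorithm name and target path come from the Attack Vector section; the function names are this example's own.

```python
"""Pre-flight checks for a Copy Fail (CVE-2026-31431) lab host.

Added example, not part of the upstream PoC. It checks the preconditions the
PoC relies on and performs no exploit step:
  1. the AEAD template the PoC binds to is reachable through AF_ALG,
  2. the target binary is setuid-root and not writable by the caller,
  3. the running kernel release, for comparison with the confirmed list.
"""
import os
import platform
import socket
import stat

# Algorithm the PoC binds to (named in the Attack Vector section).
POC_AEAD = "authenc(hmac(sha256),cbc(aes))"
# Binary the PoC opens and patches.
POC_TARGET = "/usr/bin/su"


def af_alg_aead_bindable(alg=POC_AEAD):
    """Return (bindable, detail).

    The kernel resolves the algorithm name when an AF_ALG socket is bound, so a
    successful bind of type 'aead' means the authenc template and its
    sub-algorithms are instantiable by this uid. Nothing is sent on the socket.
    """
    if not hasattr(socket, "AF_ALG"):
        return False, "socket.AF_ALG missing: not a Linux Python build"
    try:
        sock = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)
    except OSError as exc:
        return False, "socket(AF_ALG) failed: %s" % exc.strerror
    try:
        sock.bind(("aead", alg))
    except OSError as exc:
        return False, "bind(aead, %s) failed: %s" % (alg, exc.strerror)
    finally:
        sock.close()
    return True, "aead/%s is bindable by uid %d" % (alg, os.getuid())


def setuid_root_target(path=POC_TARGET):
    """Return (is_setuid_root, detail) for the binary the PoC patches."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return False, "%s: %s" % (path, exc.strerror)
    setuid_root = bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0
    # The PoC is interesting precisely because this is expected to be False.
    writable = os.access(path, os.W_OK)
    detail = "mode=%s owner_uid=%d writable_by_caller=%s" % (
        oct(stat.S_IMODE(st.st_mode)), st.st_uid, writable)
    return setuid_root, detail


def preflight(alg=POC_AEAD, path=POC_TARGET):
    """Collect all checks into one dict, suitable for the lab notes."""
    aead_ok, aead_detail = af_alg_aead_bindable(alg)
    suid_ok, suid_detail = setuid_root_target(path)
    return {
        "kernel_release": platform.release(),
        "aead_bindable": aead_ok,
        "aead_detail": aead_detail,
        "target_setuid_root": suid_ok,
        "target_detail": suid_detail,
        "preconditions_met": aead_ok and suid_ok,
    }


if __name__ == "__main__":
    for key, value in preflight().items():
        print("%-20s %s" % (key, value))
```

Run it as the unprivileged lab user: `preconditions_met` True means the socket surface and the setuid target are both present, which is the state the reproduction steps assume; a bind failure with ENOENT usually means the authenc template or one of its sub-algorithms is not available on that kernel, and EPERM or EACCES means a seccomp or LSM policy already blocks AF_ALG.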
Proof of Concept
Step-by-Step Reproduction
Prepare local lab host: use a test kernel/distribution listed under Affected versions.
```bash
uname -a
```
Run exploit code as local user:
```bash
python3 copy_fail_exp.py
```
Confirm privilege escalation:
```bash
id
whoami
```
Exploit Code
See copy_fail_exp.py in this folder.
Expected Output
```
uid=0(root) gid=0(root) groups=0(root)
root
```
Screenshots / Evidence
- No screenshots bundled in upstream repo.
Detection & Indicators of Compromise
SIEM / IDS rule: the Snort-style rule carried in the upstream entry (alert audit any any -> any any, matching content "AF_ALG" and "splice", sid 900031431) cannot fire. "audit" is not a protocol keyword, and the exploit never puts the strings AF_ALG or splice on the wire; both are names of local syscall usage. Detection has to be host-based: log socket() calls whose address family is AF_ALG (family 38) and splice() calls made by unprivileged login sessions with auditd syscall rules, and correlate the two on the same pid. A single AF_ALG socket or a single splice() is normal; the PoC pattern is an unprivileged process that opens an AF_ALG AEAD socket and then issues splice() repeatedly, followed by an execution of su.
After a suspected run, verify the setuid binary the PoC targets against the package database (rpm -Vf /usr/bin/su on RHEL, Amazon Linux and SUSE; dpkg --verify on Ubuntu); a changed /usr/bin/su on a host with no pending package update is a strong indicator.
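The correlation described above, as an added example for this archive entry (not code from the upstream PoC repository): it parses auditd SYSCALL records and flags any pid that created an AF_ALG socket and then called splice(). It assumes two auditd rules keyed af_alg and splice (quoted in the module docstring) and the x86_64 and aarch64 syscall numbers for socket() and splice(); the sample records are constructed for the example, not captured from a real host.

```python
"""Host-based detection of the Copy Fail PoC pattern from auditd SYSCALL records.

Added example, not part of the upstream copy-fail-CVE-2026-31431 repository.
Assumed auditd rules (x86_64 shown; AF_ALG is address family 38):
    -a always,exit -F arch=b64 -S socket -F a0=38 -F auid>=1000 -F auid!=unset -k af_alg
    -a always,exit -F arch=b64 -S splice -F auid>=1000 -F auid!=unset -k splice
The detector flags a pid that created an AF_ALG socket and afterwards called
splice(), which is the sequence the PoC issues repeatedly (see Attack Vector).
"""
import re

AF_ALG = 38  # include/linux/socket.h

# audit arch code -> syscall numbers for the two calls of interest.
SYSCALL_NUMBERS = {
    "c000003e": {"socket": 41, "splice": 275},  # AUDIT_ARCH_X86_64
    "c00000b7": {"socket": 198, "splice": 76},  # AUDIT_ARCH_AARCH64
}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_TS = re.compile(r"audit\((\d+\.\d+):\d+\)")

# Constructed sample records (not real captures). pid 4001 (x86_64) and 7004
# (aarch64) show the PoC pattern; 5002 only splices; 6003 only opens AF_ALG.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1715900000.101:2001): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 items=0 ppid=4000 pid=4001 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3.12" key="af_alg"
type=SYSCALL msg=audit(1715900000.250:2002): arch=c000003e syscall=275 success=yes exit=1000 a0=5 a1=0 a2=4 a3=7ffd1a2b3c40 items=0 ppid=4000 pid=4001 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3.12" key="splice"
type=SYSCALL msg=audit(1715900000.251:2003): arch=c000003e syscall=275 success=yes exit=1000 a0=5 a1=0 a2=4 a3=7ffd1a2b3c40 items=0 ppid=4000 pid=4001 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3.12" key="splice"
type=SYSCALL msg=audit(1715900000.400:2004): arch=c000003e syscall=275 success=yes exit=65536 a0=3 a1=0 a2=6 a3=0 items=0 ppid=1 pid=5002 auid=1000 uid=1000 gid=1000 euid=1000 comm="tar" exe="/usr/bin/tar" key="splice"
type=SYSCALL msg=audit(1715900001.000:2005): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 items=0 ppid=1 pid=6003 auid=1000 uid=1000 gid=1000 euid=1000 comm="hashclient" exe="/usr/local/bin/hashclient" key="af_alg"
type=SYSCALL msg=audit(1715900001.100:2006): arch=c00000b7 syscall=198 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 items=0 ppid=1 pid=7004 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3.12" key="af_alg"
type=SYSCALL msg=audit(1715900001.200:2007): arch=c00000b7 syscall=76 success=yes exit=1000 a0=5 a1=0 a2=4 a3=ffffc0001000 items=0 ppid=1 pid=7004 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3.12" key="splice"
type=PROCTITLE msg=audit(1715900000.101:2001): proctitle="python3 copy_fail_exp.py"
"""


def parse_syscall_record(line):
    """Parse one auditd SYSCALL record into a dict; None for other record types."""
    if not line.startswith("type=SYSCALL"):
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    ts = _TS.search(line)
    try:
        return {
            "ts": float(ts.group(1)) if ts else 0.0,
            "arch": fields["arch"],
            "syscall": int(fields["syscall"]),
            "success": fields.get("success") == "yes",
            "pid": int(fields["pid"]),
            "auid": int(fields.get("auid", "4294967295")),  # 4294967295 = unset
            "a0": int(fields["a0"], 16),  # auditd logs a0..a3 in hex
            "comm": fields.get("comm", ""),
            "exe": fields.get("exe", ""),
        }
    except (KeyError, ValueError):
        return None


def find_af_alg_splice_sequences(lines, min_splices=1):
    """Return one finding per pid that opened an AF_ALG socket and then spliced.

    Records are assumed to be in log order (auditd writes them chronologically);
    only splice() calls after the pid's first AF_ALG socket() are counted.
    """
    per_pid = {}
    for line in lines:
        rec = parse_syscall_record(line)
        if rec is None or not rec["success"]:
            continue
        nums = SYSCALL_NUMBERS.get(rec["arch"])
        if nums is None:
            continue  # unknown arch: extend SYSCALL_NUMBERS rather than guess
        st = per_pid.setdefault(rec["pid"], {
            "pid": rec["pid"], "auid": rec["auid"], "comm": rec["comm"],
            "exe": rec["exe"], "first_ts": rec["ts"], "last_ts": rec["ts"],
            "af_alg_sockets": 0, "splices_after_af_alg": 0,
        })
        st["last_ts"] = rec["ts"]
        if rec["syscall"] == nums["socket"] and rec["a0"] == AF_ALG:
            st["af_alg_sockets"] += 1
        elif rec["syscall"] == nums["splice"] and st["af_alg_sockets"]:
            st["splices_after_af_alg"] += 1
    return [st for st in per_pid.values()
            if st["af_alg_sockets"] and st["splices_after_af_alg"] >= min_splices]


if __name__ == "__main__":
    for f in find_af_alg_splice_sequences(SAMPLE_AUDIT_LOG.splitlines()):
        print("pid %(pid)d auid %(auid)d %(comm)s (%(exe)s): %(af_alg_sockets)d "
              "AF_ALG socket(s), %(splices_after_af_alg)d splice(s) afterwards" % f)
```

Feed it `ausearch -k af_alg -k splice --raw` output or the relevant lines of /var/log/audit/audit.log. Raising `min_splices` suppresses one-off coincidences; legitimate AF_ALG users (hashing or encryption clients) rarely splice, and legitimate splice users (archivers, copy tools) do not open AF_ALG, which is why the combination on one pid is the signal rather than either call alone.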
Remediation
| Action | Detail |
|---|---|
| Patch | Apply vendor kernel updates for CVE-2026-31431 once published. At the time of this entry (2026-05-17) the Patch status field records none available, so check each distribution's advisory for the CVE rather than assuming a current kernel is fixed |
| Workaround | Limit untrusted local shell access; confine workloads with AppArmor/SELinux and seccomp profiles that deny socket() with family AF_ALG (38) and splice() to processes that do not need them. This is opt-in: Docker's default seccomp profile allows both calls |
| Config Hardening | Where the AF_ALG AEAD interface is built as a module (CONFIG_CRYPTO_USER_API_AEAD=m, module algif_aead), a modprobe.d install rule for algif_aead that points at /bin/false prevents it from loading and removes the interface the PoC binds to; this entry does not state whether that alone blocks the bug, and it is unavailable on kernels that build the interface in. Audit socket(AF_ALG) and splice() calls by unprivileged users in production (see Detection) and alert on their combination in one process |
References
- Upstream PoC repository: https://github.com/theori-io/copy-fail-CVE-2026-31431
Notes
Auto-ingested from https://github.com/theori-io/copy-fail-CVE-2026-31431 on 2026-05-17.