Shell scripts to detect Linux kernel vulnerabilities, check mitigation status, and guide remediation — designed to run locally or across fleets via SSH, Ansible, or pssh.
Copy Fail is a high-severity local privilege escalation (LPE) vulnerability in the Linux kernel's algif_aead cryptographic module. A logic flaw introduced in 2017 allows any unprivileged local user to write 4 controlled bytes into the page cache of any readable file — enough to overwrite a setuid binary and obtain root. A working 732-byte Python proof-of-concept exists and is publicly available.

| | |
|---|---|
| CVE | CVE-2026-31431 |
| CVSS | 7.8 (High) |
| Disclosed | April 29, 2026 |
| Affected | Linux kernels 4.13 – 6.x (2017–2026) |
| Distributions | Ubuntu, RHEL, SUSE, Debian, Amazon Linux, and most others |
| Remotely exploitable | No — local access required |
| Patch available | Partial — check your distro's advisories |

| Check | Needs root? |
|---|---|
| Kernel version — whether you're in the affected range (≥ 4.13) | No |
| `algif_aead` module — loaded, present on disk, or blacklisted | No |
| Boot parameters — `initcall_blacklist=algif_aead_init` presence | No |
| AF_ALG socket reachability — whether the exploit path is open | No |
| SELinux status | No |
| AppArmor status | Yes — partial output only without root |
| Distro patch status — CVE listed in kernel changelog | No |

Root is not required to run the script — all checks except AppArmor status work as a regular user. Running with `sudo` is recommended for complete results, and is the safer choice when piping from `curl`.

The script is designed to work across all major Linux distributions:

| Distribution family | Package manager check | Module path |
|---|---|---|
| Debian, Ubuntu | dpkg + kernel changelog | `/lib/modules/` |
| RHEL, CentOS, Amazon Linux | rpm (kernel, kernel-rt) | `/lib/modules/` |
| SUSE, openSUSE | rpm (kernel-default) | `/lib/modules/` |
| Arch Linux | pacman + advisory link | `/usr/lib/modules/` |
| Fedora | rpm + /usr/lib/modules/ fallback | `/usr/lib/modules/` |

Requires `bash` — the script uses bash-specific syntax and will not run under `sh`, `ash`, or `dash`. On Alpine Linux (which uses busybox ash by default), install bash first: `apk add bash`

Without root — most checks work:

```bash
curl -fsSL https://raw.githubusercontent.com/codesource/copyfail-check/main/check_copyfail.sh | bash
```

With root — full results including AppArmor status:

```bash
curl -fsSL https://raw.githubusercontent.com/codesource/copyfail-check/main/check_copyfail.sh | sudo bash
```

Tip: Pin to a specific commit SHA in production so the script cannot change under you:

```bash
curl -fsSL https://raw.githubusercontent.com/codesource/copyfail-check/COMMIT_SHA/check_copyfail.sh | sudo bash
```

```bash
curl -fsSL https://raw.githubusercontent.com/codesource/copyfail-check/main/check_copyfail.sh -o check_copyfail.sh
less check_copyfail.sh
bash check_copyfail.sh        # without root
sudo bash check_copyfail.sh   # full results
```

SSH loop

```bash
for HOST in server1 server2 server3; do
  echo "=== $HOST ==="
  ssh "$HOST" "curl -fsSL https://raw.githubusercontent.com/codesource/copyfail-check/main/check_copyfail.sh | sudo bash"
done
```

Ansible

```yaml
- name: Check Copy Fail vulnerability
  hosts: all
  tasks:
    - name: Run check script
      script: check_copyfail.sh
      become: yes
```

Parallel SSH

```bash
pssh -h hosts.txt -i \
  "curl -fsSL https://raw.githubusercontent.com/codesource/copyfail-check/main/check_copyfail.sh | sudo bash"
```

```
============================================================
Copy Fail CVE-2026-31431 – Vulnerability Check
============================================================
>>> Kernel Version
[INFO] Running kernel: 5.15.0-107-generic
[WARN] Kernel 5.15.0-107-generic is in the affected range (4.13 – 6.x).
>>> algif_aead Module Status
[WARN] algif_aead module is currently LOADED — system is exploitable.
[WARN] Module file found at: /lib/modules/5.15.0-107-generic/kernel/crypto/algif_aead.ko
[WARN] algif_aead is NOT blacklisted — it can be loaded on demand.
>>> Kernel Boot Parameter Mitigation
[WARN] initcall_blacklist=algif_aead_init is NOT set in boot parameters.
>>> AF_ALG Socket Reachability
[WARN] AF_ALG sockets are reachable by this user — exploit path is open.
>>> Mandatory Access Control (SELinux / AppArmor)
[WARN] Neither SELinux nor AppArmor tools detected — no MAC layer present.
>>> Distribution Patch Status
[WARN] Could not confirm CVE-2026-31431 is listed as fixed in running kernel's changelog.
============================================================
SUMMARY
============================================================
!! LIKELY VULNERABLE — No confirmed mitigation detected.
Recommended actions (in order of preference):
1. Apply your distro's kernel update as soon as available.
2. Add to /etc/modprobe.d/copyfail.conf:
blacklist algif_aead
install algif_aead /bin/true
Then run: sudo depmod -a && sudo update-initramfs -u
3. Add to kernel boot parameters (grub):
initcall_blacklist=algif_aead_init
4. Immediately unload the module if loaded:
sudo rmmod algif_aead
============================================================
```

Apply these in order of preference:

1. Patch your kernel (best fix)

```bash
# Debian / Ubuntu
sudo apt update && sudo apt upgrade linux-image-$(uname -r)
# RHEL / CentOS / Amazon Linux
sudo yum update kernel
# SUSE
sudo zypper update kernel-default
```

2. Blacklist the module (immediate, persistent)

```bash
sudo tee /etc/modprobe.d/copyfail.conf << 'EOF'
blacklist algif_aead
install algif_aead /bin/true
EOF
sudo depmod -a
# Debian/Ubuntu
sudo update-initramfs -u
# RHEL/Fedora
sudo dracut -f
```

3. Unload the module now (immediate, not persistent across reboots)

```bash
sudo rmmod algif_aead
```

4. Kernel boot parameter (alternative to blacklist)

Add `initcall_blacklist=algif_aead_init` to your GRUB config and reboot.

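
To confirm that one of the mitigations above actually took effect, the following added example (not part of the repository's `check_copyfail.sh`) classifies a host from `/proc/modules`, `/proc/cmdline` and the modprobe.d directories. The function name `copyfail_state` and its state labels are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not the repository's check_copyfail.sh.
# Usage: copyfail_state <modules_file> <cmdline_file> <modprobe_dir>...
# Prints: loaded | blocked-initcall | blocked-install | blacklist-only | loadable
copyfail_state() {
    local modules="$1" cmdline="$2" dir conf blacklisted=no
    shift 2

    # 1. Module already in memory: config-based mitigations only affect future
    #    loads, so this state needs rmmod (or a reboot) regardless of the rest.
    if grep -qE '^algif_aead[[:space:]]' "$modules" 2>/dev/null; then
        echo loaded; return 0
    fi

    # 2. Boot parameter: initcall_blacklist= takes a comma-separated list.
    if grep -oE '(^|[[:space:]])initcall_blacklist=[^[:space:]]*' "$cmdline" 2>/dev/null |
        tr ',=' '\n\n' | grep -qx 'algif_aead_init'; then
        echo blocked-initcall; return 0
    fi

    # 3. modprobe.d: per modprobe.d(5), "blacklist" only makes modprobe ignore
    #    the module's internal aliases; the "install" override is what stops a
    #    load by name. modprobe treats "-" and "_" in module names as equal.
    for dir in "$@"; do
        for conf in "$dir"/*.conf; do
            [ -f "$conf" ] || continue
            if grep -qE '^[[:space:]]*install[[:space:]]+algif[-_]aead[[:space:]]+/bin/(true|false)([[:space:]]|$)' "$conf"; then
                echo blocked-install; return 0
            fi
            if grep -qE '^[[:space:]]*blacklist[[:space:]]+algif[-_]aead([[:space:]]|$)' "$conf"; then
                blacklisted=yes
            fi
        done
    done
    if [ "$blacklisted" = yes ]; then echo blacklist-only; else echo loadable; fi
}

# Live check against the running system (standard file locations).
copyfail_state /proc/modules /proc/cmdline /etc/modprobe.d /run/modprobe.d /usr/lib/modprobe.d
```

A result of `blacklist-only` means the `install algif_aead /bin/true` line is missing from the modprobe configuration, and `loaded` means the module still has to be removed with `rmmod` even if the configuration is correct.
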
- copy.fail — official vulnerability page
- Xint/Theori writeup
- NVD — CVE-2026-31431
- CERT-EU Advisory 2026-005
- Microsoft Security Blog
- The Hacker News
MIT — use freely, no warranty implied. Always review scripts before running them as root.