
ikeman32/check_copy_fail


Files

  • check_copy_fail.py: A vulnerability checker/system hardener for the copy_fail exploit
  • copy_fail_minimized.py: The exploit for CVE-2026-31431 (copy_fail) as written
  • copy_fail_unminimized_with_comments.py: My attempt to understand the exploit
  • mk_vulnerable.sh: A helper script that makes a system vulnerable to the exploit, for testing the checker script

About

This small project was inspired by a video I watched on YouTube from a channel called You Suck at Programming, which is fitting because I really do suck at programming: "I Hacked My Own Linux Servers (Copy Fail Exploit)".

The CVE-2026-31431 vulnerability, publicly known as Copy Fail, is a local privilege escalation flaw in the Linux kernel that exploits a logic error in the cryptographic subsystem to bypass security checks and escalate user privileges to root.

After watching the video I checked the exploit out on my own servers and discovered that some of them were indeed vulnerable. The nice thing about Linux is that there is more than one way to do something, and while building a vulnerability checker for this exploit I got an unexpected result. I presumed my system was fixed because the exploit failed to work, but that wasn't the case. It turns out that my kernel was indeed vulnerable, but the affected module had simply been disabled, thus hardening the system. A temporary solution for sure, but simple to implement.

I believe that most distros have implemented this temporary workaround and a simple update and reboot is all that is needed. However, I am a trust-but-verify kind of person. So this little vulnerability checker will check for the workaround, failing that, check for the vulnerability, and harden the system if it is found. All the nerdy details are below.

License

See my disclaimer at the bottom. But you are free to download, use, distribute or modify as you see fit, provided you don't break the law.

Attribution

If you use the scripts, attribution is appreciated but not required.

Contributing

Feel free to fork this repo and if you make improvements send me a pull request.

AI Usage

The code in check_copy_fail.py and mk_vulnerable.sh was generated by AI and tested by me on a virtual machine. If that fact bothers you then consider forking the project and rewriting the code yourself. But please do not send me rude comments or hate mail.

Buy Me A Coffee

There is no charge for the use of these scripts but if you find them useful and are so inclined consider buying me a coffee.


Detection and Hardening Script (check_copy_fail.py)

The provided script is designed to audit a Linux system for the "Copy Fail" vulnerability (CVE-2026-31431) affecting the algif_aead kernel cryptographic interface. If the system is found to be vulnerable, the script automatically applies the necessary hardening to disable the interface and unloads the module from memory without requiring a reboot.

1. Script Architecture and Functions

The script is divided into four primary functions, working together to inspect, test, and secure the system.

check_module_blocked(): This function performs a pre-flight check to see if the interface has already been disabled by the administrator.

Mechanism: It inspects the /etc/modprobe.d/ directory for any file containing the string algif_aead.

Behavior: If it finds a block rule (such as install algif_aead /bin/false), it notifies the user and terminates the check early, preventing unnecessary interactions with the kernel interface.

unload_module(): This function unloads the algif_aead kernel module from active memory.

Mechanism: It uses subprocess.run to execute the sudo rmmod algif_aead command.

Behavior: It removes the module immediately if it is loaded, ensuring that the hardening takes effect without a system reboot.

harden_system(): This function enforces the system's security posture by writing the configuration rule to disk.

Mechanism: It uses sudo tee via a subprocess to write the block directive to /etc/modprobe.d/disable-algif_aead.conf.

Behavior: It includes comments identifying the fix for CVE-2026-31431. The script automatically prompts the user for their sudo password at this step.

check_kernel_patch_status(): This function acts as the main orchestrator for the vulnerability check.

Mechanism: It attempts to initialize a standard AF_ALG socket to interface with the kernel's cryptographic subsystem.

Behavior:

  • If the system is vulnerable, it proceeds to call harden_system() to write the configuration.

  • If the system is patched, the kernel rejects the invalid argument with an EINVAL error.

  • If the module is not loaded or the interface is missing, it reports the appropriate status.
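As an added example (illustrative code written for this README, not the project's own check_copy_fail.py), the following Python shows how the modprobe.d pre-flight check, the hardening drop-in and a pre-rmmod module state check can be written so that they run against a constructed directory tree instead of the live system. It is deliberately stricter than the substring search described above: a file that merely mentions algif_aead in a comment does not count as a block rule, and `install ... /bin/false` is reported separately from a weaker `blacklist` line. The /etc/modprobe.d path, the disable-algif_aead.conf file name and the CVE identifier come from this README; the /sys/module refcnt check and the temporary-tree self check are assumptions of this example.

```python
"""Added example: modprobe.d block-rule detection, hardening-rule generation and
a pre-rmmod module state check. Not the project's check_copy_fail.py."""
import os
import re
import tempfile

MODULE = "algif_aead"
MODPROBE_DIR = "/etc/modprobe.d"            # real location on Linux
SYS_MODULE_DIR = "/sys/module"              # sysfs view of loaded modules
HARDEN_FILE = "disable-algif_aead.conf"     # file name the README describes
CVE = "CVE-2026-31431"                      # identifier from the README

_INSTALL_RE = re.compile(r"^\s*install\s+(\S+)\s+(\S+)")
_BLACKLIST_RE = re.compile(r"^\s*blacklist\s+(\S+)")


def _canonical(name):
    # modprobe treats '-' and '_' in module names as equivalent.
    return name.replace("-", "_")


def find_block_rules(modprobe_dir=MODPROBE_DIR, module=MODULE):
    """Return (path, kind) pairs for uncommented directives that block `module`.

    'install' pointing at /bin/false or /bin/true stops every load attempt;
    'blacklist' only stops alias-based autoload, so the kinds are kept apart.
    """
    target = _canonical(module)
    found = []
    if not os.path.isdir(modprobe_dir):
        return found
    for fname in sorted(os.listdir(modprobe_dir)):
        if not fname.endswith(".conf"):
            continue                      # modprobe only reads *.conf files
        path = os.path.join(modprobe_dir, fname)
        with open(path, encoding="utf-8", errors="replace") as fh:
            for raw in fh:
                line = raw.split("#", 1)[0]      # text after '#' is a comment
                m = _INSTALL_RE.match(line)
                if m and _canonical(m.group(1)) == target \
                        and m.group(2) in ("/bin/false", "/bin/true"):
                    found.append((path, "install"))
                    continue
                m = _BLACKLIST_RE.match(line)
                if m and _canonical(m.group(1)) == target:
                    found.append((path, "blacklist"))
    return found


def hardening_rule(module=MODULE, cve=CVE):
    """Drop-in content: a comment naming the fix plus the install rule."""
    return (f"# {cve} (Copy Fail) mitigation: refuse to load the {module} module\n"
            f"install {module} /bin/false\n")


def write_hardening(modprobe_dir=MODPROBE_DIR, module=MODULE):
    """Write the drop-in file and return its path (root is needed on a real box)."""
    path = os.path.join(modprobe_dir, HARDEN_FILE)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(hardening_rule(module))
    return path


def module_state(sys_module_dir=SYS_MODULE_DIR, module=MODULE):
    """Return ('not-loaded'|'built-in'|'loaded', refcnt) for `module`.

    rmmod fails while refcnt is non-zero, so read this before unloading
    instead of treating every rmmod error as 'module absent'.
    """
    mod_dir = os.path.join(sys_module_dir, module)
    refcnt_path = os.path.join(mod_dir, "refcnt")
    if not os.path.isdir(mod_dir):
        return ("not-loaded", 0)
    if not os.path.exists(refcnt_path):
        return ("built-in", 0)           # compiled into the kernel, no refcnt file
    with open(refcnt_path, encoding="utf-8") as fh:
        return ("loaded", int(fh.read().strip() or 0))


def self_check():
    """Exercise the helpers on a constructed temporary tree, not the live system."""
    root = tempfile.mkdtemp()
    modprobe = os.path.join(root, "modprobe.d")
    sysmod = os.path.join(root, "sys_module")
    os.makedirs(modprobe)
    os.makedirs(os.path.join(sysmod, MODULE))
    # Constructed: a file that mentions the module only inside a comment.
    with open(os.path.join(modprobe, "50-notes.conf"), "w", encoding="utf-8") as fh:
        fh.write("# algif_aead was discussed here, nothing is blocked\n")
    before = find_block_rules(modprobe)
    written = write_hardening(modprobe)
    after = find_block_rules(modprobe)
    # Constructed: the module is loaded and held by two users.
    with open(os.path.join(sysmod, MODULE, "refcnt"), "w", encoding="utf-8") as fh:
        fh.write("2\n")
    return {"before": before, "after": after, "written": written,
            "state": module_state(sysmod)}


if __name__ == "__main__":
    print(self_check())
    print("live block rules:", find_block_rules())
    print("live module state:", module_state())
```

Run as a script it first exercises the helpers on the temporary tree and then reports the live system's modprobe.d rules and module state without changing anything; only write_hardening() modifies the system, and it needs root when pointed at /etc/modprobe.d.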

2. Control Flow

The execution pathway of the script follows a strict, step-by-step evaluation process:

[Start] -> Check if module is already blocked
                 |
                 +--> (Yes) -> Exit
                 |
                 +--> (No)  -> Open AF_ALG socket and send malformed arguments
                                 |
                                 +--> (Vulnerable/Accepted) -> Apply hardening & unload module
                                 |
                                 +--> (Patched/Rejected)    -> Report as safe and exit

3. Key Components and System Calls

  • socket(38, 5, 0): Initializes an AF_ALG socket (38 corresponds to the address family for kernel cryptographic interfaces, and 5 represents SOCK_SEQPACKET).

  • a.setsockopt(SOL_ALG, 5, None, 4): Attempts to set an invalid AEAD authentication size through socket option 5 (ALG_SET_AEAD_AUTHSIZE) to probe the kernel's bounds checking.

  • errno.EINVAL: The error code returned by the kernel when validation is enforced on a patched system.

Disclaimer for Security Script and Included Files

The following disclaimer applies to the detection and hardening script, and any related materials provided for CVE-2026-31431 (Copy Fail).

By downloading, using, or implementing this script and its associated files, you agree to the terms outlined below.

1. No Warranty

The script and all included files are provided "as is," without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. The entire risk of using this script and its modifications rests entirely with you.

2. Limitation of Liability

In no event shall the authors, contributors, or copyright holders be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services, loss of use, data, or profits, or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage.

3. System Modification and Risk

This script interacts directly with the Linux kernel configuration and system files:

Root Privileges: The script requires elevated privileges (sudo) to modify the /etc/modprobe.d/ directory and run rmmod. Misuse of elevated privileges can render the system unstable or inaccessible.

Compatibility: The mitigation strategy may vary between different Linux kernels and distributions. It is strongly recommended to test these changes in a non-production staging environment prior to execution on production servers.

System Services: Unloading kernel modules or altering module loading rules while services depend on them may cause unexpected behavior.

4. Educational and Diagnostic Purposes

The material provided is intended strictly for educational, diagnostic, and remediation verification purposes to help secure systems against the identified vulnerability.

Acceptance

Use of these scripts signifies that you understand these risks and accept full responsibility for any changes made to your system's configuration or performance.
