Skip to content

v0.3.1

Latest
Latest

Choose a tag to compare

View all tags
@github-actions github-actions released this 22 May 11:52
v0.3.1
This tag was signed with the committer’s verified signature.
tgies Tony Gies
GPG key ID: 401C38FB275BB5F3
Verified
Learn about vigilant mode.
ff5bea3
This commit was signed with the committer’s verified signature.
tgies Tony Gies
GPG key ID: 401C38FB275BB5F3
Verified
Learn about vigilant mode.

Cross-platform C port of CVE-2026-31431 (Copy Fail).

Discovery and disclosure: Theori / Xint, https://copy.fail/

Downloads

Each archive is named copy-fail-c-<arch>-<libc>.tar.gz and
contains three statically-linked binaries plus README and LICENSE:

  • exploit: binary-mutation variant. Mutates a setuid binary's
    page cache, then execs it.
  • exploit-passwd: /etc/passwd UID-flip variant. Mutates four
    bytes of /etc/passwd's page cache, then execs su. Works where
    the binary-mutation route is blocked but has a narrower cashout
    surface; see README for details.
  • vulnerable: non-destructive vulnerability checker. Creates a
    local testfile and runs the AF_ALG/splice primitive against
    its own page cache to detect kernel susceptibility, without
    touching any system file. Runs unprivileged. Exits 100 if
    vulnerable, 0 otherwise.

Build modes

  • -glibc: GNU cross-toolchain, glibc-static. Larger (~800 KB)
    but functionally identical to source-built binaries on a
    glibc system.
  • -musl: zig cc + musl-static. Smaller (~30-60 KB) and
    forward-compatible with any glibc version on the target.

Architectures: x86_64, aarch64, armv7, riscv64, ppc64le, s390x.

Verification

SHA256SUMS lists the SHA-256 of every tarball:

sha256sum -c SHA256SUMS

See the README
for the kernel-version window of applicability and a description
of the exploit mechanism.

Assets 15
Loading