This is a compact Python proof-of-concept for Copy Fail (CVE-2026-31431), a Linux kernel local privilege escalation via AF_ALG and splice() that corrupts the page cache of a readable file such as /usr/bin/su. It is based on the Theori PoC, extended with ctypes splice for Python 3.7+ compatibility and a /bin/bash root shell instead of /bin/sh.
Run it on a vulnerable Linux host with python3 copy_fail_exp.py. It requires only the Python standard library, read access to the target binary, and a kernel in the affected range (roughly 4.9 through 6.18).
Disclaimer: For authorized testing and education only. Do not use on systems without permission.
References: Theori writeup · CVE-2026-31431