CVE-2026-31431 [danger]



Russian hackers have started implementing and making use of this recent Copy Fail vulnerability. Update your kernel and protect yourself!


Q: Am I affected, and what should I do?

First, check/verify the CVE on your system by running:

git clone --depth 1 https://github.com/tgies/c
cd copy-fail-c
make $(nproc)
./exploit

If you get root access, you are affected,
and you should immediately update your Linux kernel.
All versions got patched.
Don't ignore this, because an attacker might implement this vulnerability in a tiny blob inside proprietary software.

5 Likes

the github link is wrong, it should be https://github.com/tgies/copy-fail-c

make needs -j flag, make -j $(nproc)

user@sam:~/copy-fail-c$ ./exploit
[+] target:    /usr/bin/su
[+] payload:   1704 bytes (426 iterations)
bind(AF_ALG: authencesn(hmac(sha256),cbc(aes))): No such file or directory
patch_chunk failed at offset 0
4 Likes

Thank you for that PSA, Halano!

I’ve modified your instruction sequence into something people might be more willing to run. Hope you don’t mind.


Session Log:

$ ./CVE-2026-31431__probe.sh

Cloning into 'copy-fail-c'...
remote: Enumerating objects: 87, done.
remote: Counting objects: 100% (87/87), done.
remote: Compressing objects: 100% (77/77), done.
remote: Total 87 (delta 7), reused 75 (delta 7), pack-reused 0 (from 0)
Receiving objects: 100% (87/87), 102.63 KiB | 2.23 MiB/s, done.
Resolving deltas: 100% (7/7), done.
total 3036
-rwxrwxr-x 1 ericthered ericthered  911848 May  1 16:17 exploit
-rw-rw-r-- 1 ericthered ericthered    3553 May  1 16:17 exploit.c
-rwxrwxr-x 1 ericthered ericthered 1128144 May  1 16:17 exploit-passwd
-rw-rw-r-- 1 ericthered ericthered    4783 May  1 16:17 exploit-passwd.c
-rw-rw-r-- 1 ericthered ericthered     297 May  1 16:17 LICENSE-LGPL
-rw-rw-r-- 1 ericthered ericthered    1066 May  1 16:17 LICENSE-MIT
-rw-rw-r-- 1 ericthered ericthered    6433 May  1 16:17 Makefile
drwxrwxr-x 3 ericthered ericthered    4096 May  1 16:17 nolibc
-rwxrwxr-x 1 ericthered ericthered    1544 May  1 16:17 payload
-rw-rw-r-- 1 ericthered ericthered    1616 May  1 16:17 payload.c
-rw-rw-r-- 1 ericthered ericthered    2152 May  1 16:17 payload.o
-rw-rw-r-- 1 ericthered ericthered   15783 May  1 16:17 README.ja.md
-rw-rw-r-- 1 ericthered ericthered   14085 May  1 16:17 README.ko.md
-rw-rw-r-- 1 ericthered ericthered   11103 May  1 16:17 README.md
-rw-rw-r-- 1 ericthered ericthered   21644 May  1 16:17 README.ru.md
-rw-rw-r-- 1 ericthered ericthered   11055 May  1 16:17 README.zh-cn.md
-rw-rw-r-- 1 ericthered ericthered    4871 May  1 16:17 utils.c
-rw-rw-r-- 1 ericthered ericthered     758 May  1 16:17 utils.h
-rw-rw-r-- 1 ericthered ericthered    4704 May  1 16:17 utils.o
-rwxrwxr-x 1 ericthered ericthered  910408 May  1 16:17 vulnerable
-rw-rw-r-- 1 ericthered ericthered    3454 May  1 16:17 vulnerable.c

	 Number of processing units:  4 ...

	 Opportunity to review contents of directory 'copy-fail-c' ... 

	 When ready, hit return to run 'make -j 4' ... 

	 make: Nothing to be done for 'all'.
	 RC = 0

	 Test executable created:

	 ./exploit:
		ELF 64-bit LSB executable,
		x86-64,
		version 1 (GNU/Linux),
		statically linked,
		BuildID[sha1]=cc7c6780fdc4ad2278744b0d33437791cff3814b,
		for GNU/Linux 3.2.0,
		not stripped

 Attempt as basic user ...
[+] target:    /usr/bin/su
[+] payload:   1544 bytes (386 iterations)
[+] page cache mutated; exec'ing target
# 

EDIT:

So, for me, it could not perform the specified test.

So, prior to performing any system updates, with the “#” prompt showing, my system is confirmed to be exposed!


Script: CVE-2026-31431__probe.sh

#!/bin/sh

###
###	Version 2
###	- incorporated mod identified by Pavlos
###	- some logic changes for cleaner execution and reporting
###	- make's exit status is captured directly (piping make into awk reported awk's status)
###	- the two attempts are an if/else (the "&& { } || { }" form ran the user branch as
###	  root whenever su returned non-zero)
###

tabs -8
#set -x

# Pick the lowest-UID account that owns a directory under /home, to run the probe as a plain user.
getUser()
{
	for users in $( cd /home ; ls | grep -xE '[[:alpha:]]+' )
	do
		grep "^${users}:" /etc/passwd
	done |
	cut -f1-3 -d: | sort -t: -k3,3n | head -1 | cut -f1 -d:
}

bypass=0
if [ "$( whoami )" = "root" ]
then
	user=$( getUser )

	test -z "${user}" && { echo "\n Unable to identify basic user ID [null] for testing of CVE.\n" ; exit 1 ; }
	test "${user}" = "root" && { echo "\n Unable to identify basic user ID [root] for testing of CVE.\n" ; exit 1 ; }

	echo "\n\t Identified test user ID:  ${user} ...\n\n\t Continue ? [y|N] => \c" ; read ans

	test -z "${ans}" && ans="N"

	case "${ans}" in
		y* | Y* ) echo "" ;;
		* ) echo "\n\t Probe for CVE test ... ABANDONED!\n" ; exit 2 ;;
	esac
else
	bypass=1
fi


if [ -d copy-fail-c ]
then
	echo "\n\t Using previously downloaded files for CVE testing ...\n"
else
	git clone --depth 1 https://github.com/tgies/copy-fail-c
	test $? -eq 0 || { echo "\n\t FAILED:  unable to download files required for test from GitHub!  ABANDONED!\n" ; exit 1 ; }
fi

cd copy-fail-c || exit 1
ls -l

nProc=$(nproc)
echo "\n\t Number of processing units:  ${nProc} ..."

echo "\n\t Opportunity to review contents of directory 'copy-fail-c' ... \n\n\t When ready, hit return to run 'make -j ${nProc}' ... \c" ; read k

# Capture make's own exit status; piping straight into awk would report awk's status instead.
mkLog=$( mktemp )
make -j "${nProc}" > "${mkLog}" 2>&1
RC=$?
awk '{ if( NR == 1 ){ print "" } ; printf("\t %s\n", $0 ) ; }' "${mkLog}"
rm -f "${mkLog}"
echo "\t RC = ${RC}"
test ${RC} -eq 0 || { echo "\n\t FAILED:  unable to successfully run 'make -j ${nProc}'. \n\n\t Test suite not designed to test current HOST configuration/installation ... \n\n\t UNABLE TO DETERMINE DEGREE OF EXPOSURE!\n" ; exit 1 ; }

if [ -s "./exploit" ]
then
	echo "\n\t Test executable created:\n"
	file ./exploit | awk '{
		pos=index( $0, ":" ) ;
		beg=substr( $0, 1, pos );
		rem=substr( $0, pos+2 ) ;
		gsub( ", ", ",\n\t\t", rem ) ;
		printf("\t %s\n\t\t%s\n", beg, rem ) ; }'
else
	echo "\n\t FAILED:  Did not create usable executable code './exploit' ... \n\n\t UNABLE TO DETERMINE DEGREE OF EXPOSURE!\n" ; exit 1
fi

#echo "\n\t Contents of './exploit' :\n"
#awk '{ printf("\t| %s\n", $0 ) }' ./exploit
#
#echo "\n\t Opportunity to review contents of file './exploit' ... \n\n\t When ready, hit return to run './exploit' ... \c" ; read k

if [ ${bypass} -eq 0 ]
then
	# Running as root: hand the probe to the identified plain user.
	# 'su --login' switches to that user's home directory, so pass the absolute path.
	echo "\n Attempt as root (probe runs as ${user}) ..."
	su --login "${user}" --command="${PWD}/exploit"
else
	echo "\n Attempt as user ..."
	./exploit
fi
exit 0
3 Likes

@pavlos Thank you for the correction, I mistyped, I was in a hurry.
@ericmarceau thx 4 the useful scripting , :+1:

3 Likes

Eric, the make in your script needs a -j flag

make -j "${nProc}"
3 Likes

Update for my context …

It seems my installation failed, before performing any system updates. Will apply updates now and see how things go afterwards with re-test.

Stay tuned …

Update …

My system is showing that it is still exposed to the exploit, even after I have made all updates to my system.

Guess this will force me to advance my plans to migrate to 26.04 Ubuntu after all!

:frowning:

1 Like

Hi, @ericmarceau :slight_smile:

You wrote:

Well, not necessarily. There is the following discussion topic (announcement) in “Ubuntu Discourse” / “Ubuntu Community Hub”:

“Fixes available for CVE-2026-31431 (Copy Fail) Linux Kernel Local Privilege Escalation Vulnerability - Announcements - Ubuntu Community Hub”

… which explains there is a mitigation from an update of the “kmod” package that disables the affected Linux Kernel module (“algif_aead”):

"The Ubuntu Security Team has released mitigations which disable the affected Linux kernel module in the kmod package. Linux kernel packages which implement the proposed patch will be released.

Affected releases

The vulnerability fix will be distributed through the Linux kernel image packages. A mitigation which disables the affected module is distributed through the kmod package. The mitigation will not be necessary once the kernel is updated.

Release           Package   Fixed Version
Trusty (14.04)    linux     Only 4.15 kernel versions affected. 3.13 and 4.4 kernel versions are not affected.
                  kmod      15-0ubuntu7+esm1
Xenial (16.04)    linux     Only 4.15 kernel versions affected. 4.4 kernel versions are not affected.
                  kmod      22-1ubuntu5.2+esm1
Bionic (18.04)    linux     Affected
                  kmod      24-1ubuntu3.5+esm1
Focal (20.04)     linux     Affected
                  kmod      27-1ubuntu2.1+esm1
Jammy (22.04)     linux     Affected
                  kmod      29-1ubuntu1.1
Noble (24.04)     linux     Affected
                  kmod      31+20240202-2ubuntu7.2
Questing (25.10)  linux     Affected
                  kmod      34.2-2ubuntu1.1
Resolute (26.04)  linux     Not affected
                  kmod      No update needed

I’ve checked my Ubuntu MATE 24.04 LTS (“Noble Numbat”) system and I’ve found that I have already installed the “kmod” version “31+20240202-2ubuntu7.2” for Ubuntu (MATE) 24.04 which mitigates the vulnerability (for Ubuntu 22.04 that would be version “29-1ubuntu1.1” of “kmod”):

 $ dpkg -l kmod
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version                Architecture Description
+++-==============-======================-============-=======================================
ii  kmod           31+20240202-2ubuntu7.2 amd64        tools for managing Linux kernel modules

… and the same discussion topic post mentions the following:

" (…) Block the module by creating a /etc/modprobe.d/manual-disable-algif_aead.conf file. This is the same action that the kmod update performs. (…)"

I see that, in my Ubuntu MATE 24.04 system, that was already done (presumably automatically by the mentioned “kmod” update):

$ ls -l /etc/modprobe.d/disable-algif_aead.conf 
-rw-r--r-- 1 root root 264 abr 30 13:32 /etc/modprobe.d/disable-algif_aead.conf
 
$ cat /etc/modprobe.d/disable-algif_aead.conf 
# Disable algif_aead module due to CVE-2026-31431 (AKA copy.fail)
# This will likely be re-enabled in a subsequent update once an updated
# kernel has been deployed.
# Blacklisting the module isn't sufficient, we need to do as below:
install algif_aead /bin/false

And finally, the same article says:

" Check whether the module is still loaded:
grep -qE '^algif_aead ' /proc/modules && echo "Affected module is loaded" || echo "Affected module is NOT loaded"

In my case, I see that the affected module is NOT loaded (as expected given the content of /etc/modprobe.d/disable-algif_aead.conf):

$ grep -qE '^algif_aead ' /proc/modules && echo "Affected module is loaded" || echo "Affected module is NOT loaded"
Affected module is NOT loaded

I hope this helps :slight_smile:

EDIT: If you see that you have a file called /etc/modprobe.d/disable-algif_aead.conf but that, when you run the test to check if the affected module is loaded, you still get the response that the “Affected module is loaded”, then do a reboot to apply the change (and test again after the reboot).

7 Likes
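For anyone who wants the checks from this post in one place, here is an added read-only example in POSIX sh. It is my own code, not from this thread and not from Ubuntu's announcement. It reuses the announcement's grep on /proc/modules, additionally looks for the `install algif_aead /bin/false` override under /etc/modprobe.d (treating a plain `blacklist` line as insufficient, for the reason given in the comment of the shipped conf file), and compares an installed kmod version with the fixed one using dpkg's own version ordering. The function names, the sample /proc/modules lines and the two sample modprobe.d directories are constructed for the demonstration; nothing is loaded, unloaded or written under /etc.

```shell
#!/bin/sh
# Added example (not from the thread or from Ubuntu's announcement): read-only
# checks for the kmod-level mitigation of CVE-2026-31431. Each function takes
# file paths so it can be pointed at constructed sample data or at the live host.

# 0 if algif_aead is listed as loaded in a /proc/modules-style file, else 1.
# Same pattern as the grep in the Ubuntu announcement.
module_loaded() {
	grep -qE '^algif_aead ' "$1"
}

# 0 if some *.conf in the given modprobe.d-style directory carries an
# "install algif_aead /bin/false" (or /bin/true) override, else 1.
# A bare "blacklist" line does not count: as the shipped conf file's comment
# says, blacklisting alone is not sufficient, because it only stops alias-based
# autoloading and an explicit load request would still succeed.
install_override_present() {
	[ -d "$1" ] || return 1
	grep -qsE '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/(false|true)([[:space:]]|$)' "$1"/*.conf
}

# One-word verdict combining the two checks:
#   loaded      - module is in the kernel now; the override only stops future
#                 loads, so a reboot (or module removal) is still needed
#   mitigated   - override present and module not loaded
#   unmitigated - not loaded right now, but nothing prevents a later load
mitigation_status() {
	if module_loaded "$1"; then
		echo loaded
	elif install_override_present "$2"; then
		echo mitigated
	else
		echo unmitigated
	fi
}

# Compare an installed kmod version with the fixed version from the Ubuntu table,
# using dpkg's Debian version ordering (29-1ubuntu1 sorts before 29-1ubuntu1.1).
# 0 if installed >= fixed, 1 if older, 2 if dpkg is not available on this host.
kmod_has_fix() {
	command -v dpkg >/dev/null 2>&1 || return 2
	dpkg --compare-versions "$1" ge "$2"
}

# Constructed sample data (not captured from any real host) so the logic can be
# exercised without root and without touching the live system. Prints the dir.
build_demo_data() {
	d=$(mktemp -d)
	printf 'aes_x86_64 24576 0 - Live 0x0000000000000000\n' > "$d/modules-clean"
	printf 'algif_aead 16384 0 - Live 0x0000000000000000\n' > "$d/modules-loaded"
	mkdir -p "$d/modprobe.d-mitigated" "$d/modprobe.d-blacklist-only"
	printf '# Disable algif_aead module due to CVE-2026-31431 (AKA copy.fail)\ninstall algif_aead /bin/false\n' \
		> "$d/modprobe.d-mitigated/disable-algif_aead.conf"
	printf 'blacklist algif_aead\n' > "$d/modprobe.d-blacklist-only/local.conf"
	echo "$d"
}

demo=$(build_demo_data)
echo "clean + install override : $(mitigation_status "$demo/modules-clean"  "$demo/modprobe.d-mitigated")"
echo "clean + blacklist only   : $(mitigation_status "$demo/modules-clean"  "$demo/modprobe.d-blacklist-only")"
echo "loaded + install override: $(mitigation_status "$demo/modules-loaded" "$demo/modprobe.d-mitigated")"
rm -rf "$demo"

# Versions quoted in this thread for Jammy: installed 29-1ubuntu1 vs fixed 29-1ubuntu1.1.
if kmod_has_fix 29-1ubuntu1 29-1ubuntu1.1; then
	echo "kmod 29-1ubuntu1: at or above the fixed version"
else
	echo "kmod 29-1ubuntu1: older than fixed version 29-1ubuntu1.1 (or dpkg not available)"
fi

# Live host, only if readable; no root needed.
if [ -r /proc/modules ]; then
	echo "this host: $(mitigation_status /proc/modules /etc/modprobe.d)"
fi
```

Run it as any user: it prints the verdict for the three constructed cases, then for the host itself if /proc/modules is readable. A "loaded" verdict while the override file is already present is exactly the situation in the EDIT above: the override only prevents future loads, so a reboot (or removing the module) is still required. For the versions quoted in the thread, 29-1ubuntu1 sorts before 29-1ubuntu1.1 in Debian version ordering, so a kmod at 29-1ubuntu1 did not yet carry the mitigation.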

Thank you, Ricardo.

My current installation:

Linux OasisMega1 6.8.0-45-generic #45~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Sep 11 15:25:05 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Description:	Ubuntu 22.04.5 LTS (Jammy)

According to the notes at the URL provided, the affected item for my version is

  • kmod       at       29-1ubuntu1.1

My installation has

  • kmod       at       29-1ubuntu1

Can I then say that I am not impacted? Nonetheless, being pro-active, I did create the file (with the indicated contents)

  • /etc/modprobe.d/disable-algif_aead.conf

and … I ran that grep command, which reported

  • Affected module is NOT loaded

without need to reboot.

So, while that does somewhat give me reassurance, I question it all, since my basic non-root user with kmod 29-1ubuntu1, running the test, opened a shell with root privileges, as shown by the “#” prompt !!!

BUT … Ta-da! After the above changes were implemented, my new attempt by the basic user did NOT succeed at gaining root privileges:

 Attempt as user ...
[+] target:    /usr/bin/su
[+] payload:   1544 bytes (386 iterations)
bind(AF_ALG: authencesn(hmac(sha256),cbc(aes))): No such file or directory
patch_chunk failed at offset 0

So, I was at risk, but not anymore.

Thank you very much, Ricardo, for watching my back!

:slight_smile:

4 Likes

You can also use this read-only CVE-2026-31431 checker script:

6 Likes

There was kernel update for Ubuntu 24.04 LTS today.

# apt upgrade
...
The following NEW packages will be installed:
  linux-headers-6.8.0-111 linux-headers-6.8.0-111-generic
  linux-image-6.8.0-111-generic linux-modules-6.8.0-111-generic
  linux-modules-extra-6.8.0-111-generic linux-tools-6.8.0-111
  linux-tools-6.8.0-111-generic
...

According to @ricmarques's post above, the system is patched against the CVE in question.

# ls -l /etc/modprobe.d/disable-algif_aead.conf
-rw-r--r-- 1 root root 264 2026-04-30 15:32:11 /etc/modprobe.d/disable-algif_aead.conf
7 Likes

None of my systems without systemd, with these old kernel conditions, were affected.

It seems to be the inclusion of a Crypto Module Template, 1-2 years after the definitive inclusion of systemd in some distributions.

Vulnerability conditions:
Affected systems: Linux distributions with kernels compiled between 2017 and the patch (commit a664bf3d603d).
Verified on Ubuntu 24.04 LTS (6.17.0), Amazon Linux 2023 (6.18.8), RHEL 10.1 (6.12.0), and SUSE 16.

Exploits a logical fault in authencesn, chained by AF_ALG and splice(): achieves a 4-byte write to the page-cache of a setuid binary, escalating to root.

Affected Distributions and Patch Status

Distribution               Kernel Version Tested       Patch Status
Ubuntu 20.04–24.04         Various                     No fix available
Amazon Linux 2023          6.18.8-9.213.amzn2023       No fix available
Red Hat Enterprise Linux   6.12.0-124.45.1.el10_1      Status unknown
SUSE Linux Enterprise      6.12.0-160000.9-default     No fix available
AlmaLinux                  Various                     Patched (as of May 1, 2026)

Temporary Mitigation: If immediate patching is not possible, administrators should disable the algif_aead kernel module to mitigate the risk until a patched kernel is available. Take care with this on Ubuntu and other platforms with EFI, where it breaks the boot sequence. See image:

2 Likes
3 Likes

No fix, but mitigation yes. Regards

5 Likes

Wasn’t sure if you’d seen that or not.

3 Likes

I don’t use systemd, but for some affected friends it was better to upgrade the kernel, and the problem is solved; they passed the test. For others that have production-grade infrastructure, the key is to make the infrastructure secure, through mitigations, before threats can become dangerous.

2 Likes

The 6.8.0-111 and 6.17.0-23 kernels accomplish this for Ubuntu 24.04.

4 Likes

Hi, @Norm24 :slight_smile:

You wrote:

Actually, I believe that @sfrias is right. At least, regarding “Ubuntu 24.04 LTS (Noble Numbat)”, the version 31+20240202-2ubuntu7.2 of kmod mitigated the “Copy Fail” vulnerability (CVE-2026-31431) - by adding the /etc/modprobe.d/disable-algif_aead.conf file with the install algif_aead /bin/false instruction (which prevents the algif_aead kernel module from loading) - but I think the kernel 6.8.0-111 hasn’t fixed the kernel vulnerability yet (although that shouldn’t be critical, given the mentioned mitigation that was applied at the “kmod” level).

According to UbuntuUpdates - Package “linux-source-6.8.0” (noble 24.04) - https://www.ubuntuupdates.org/package/core/noble/main/updates/linux-source-6.8.0 - the changelog for “Version: 6.8.0-111.111” , “2026-04-30 18:09:07 UTC” is the following (as you can see, it fixes several vulnerabilities, but not “CVE-2026-31431”):

Changelog
Version: 6.8.0-111.111 2026-04-30 18:09:07 UTC
linux (6.8.0-111.111) noble; urgency=medium

  • noble/linux: 6.8.0-111.111 -proposed tracker (LP: #2147890)

  • CVE-2026-23231

    • netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
  • macvlan: observe an RCU grace period in macvlan_common_newlink() error
    path (LP: #2144380) // CVE-2026-23209

    • macvlan: observe an RCU grace period in macvlan_common_newlink() error
      path
  • CVE-2026-23112

    • nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec

– Manuel Diewald Sat, 11 Apr 2026 22:54:06 +0200

5 Likes

Everybody would always pass the tests for infrastructure. The proof of concept for the CVE is available. Regards

1 Like

• AlmaLinux: AlmaLinux OS - Forever-Free Enterprise-Grade Operating System
• Alpine Linux: CVE-2026-31431 — Alpine Security Tracker
• CloudLinux: CVE-2026-31431 (Copy Fail): Kernel Update on CloudLinux
• Debian: CVE-2026-31431
• Red Hat Enterprise Linux: RHSB-2026-02 Cryptographic Subsystem Privilege Escalation- Linux Kernel - (CVE-2026-31431) | Red Hat Customer Portal
• Rocky Linux: Mitigating CVE-2026-31431 on Rocky Linux 8, 9, 10, and LTS Variants | CIQ Knowledge Base
• SUSE: CVE-2026-31431 Common Vulnerabilities and Exposures | SUSE
• Ubuntu: CVE-2026-31431 | Ubuntu

6 Likes

Here a Gentoo dev shares a workaround patch for older longterm kernels where the CopyFail fix doesn’t backport cleanly, and notes no embargo was broken since kernel CVEs skip distro heads-ups by default:

2 Likes