Copy Fail

Exploit & PoC behavior

  • CVE-2026-31431 (“Copy Fail”) abuses AF_ALG’s algif_aead path to get arbitrary 4‑byte writes into the page cache of any file readable by the attacker.
  • The public PoC overwrites a chunk of /usr/bin/su in memory with a tiny ELF that does setuid(0); execve("/bin/sh"); exit(0), yielding root whenever su runs.
  • The write only affects cached pages, not on-disk data; it disappears on reboot or cache flush, but is enough for reliable local privilege escalation.

Impact and affected systems

  • Works widely on unpatched Linux kernels; multiple users report instant root on Ubuntu 24.04 and other common distros.
  • The bug dates back to a 2017 kernel commit; fixed in mainline 7.0 and stable 6.18.22+ and 6.19.12+ (with additional backports pending).
  • Distros may have backported the fix without bumping to those exact versions; others (Debian stable, older Ubuntu LTS, RHEL 8/9/10) were initially still vulnerable or slow to treat it as high severity.
  • Systems where su/sudo are not world‑readable or where SUID binaries are uncommon blunt the provided PoC but not the underlying primitive (any readable root‑run binary or config can be targeted, e.g. /etc/passwd, shared libs).

Mitigations and workarounds

  • Primary mitigation: upgrade to a kernel including mainline commit a664bf3d603d (or its stable backports).
  • Before patching, common advice:
    • Disable algif_aead / AF_ALG: a modprobe blacklist plus an install ... /bin/false rule, or the kernel boot argument initcall_blacklist=algif_aead_init.
    • Use seccomp / systemd RestrictAddressFamilies= to block AF_ALG for services and users.
    • Compile kernels with CONFIG_CRYPTO_USER_API_* disabled if you control your build.
  • SELinux and some distro policies already restrict AF_ALG for unprivileged domains, which can mitigate exploitation in practice.
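An added check for the mitigations listed above (example code, not from the CVE write-up or the PoC): it compares the running kernel against the fixed versions named here and then tries to bind an AF_ALG socket to the aead type, which is what autoloads algif_aead, so the errno reveals whether the module blacklist, the initcall blacklist, a seccomp/RestrictAddressFamilies rule or SELinux is actually in effect. The status labels and the choice of gcm(aes) as a probe algorithm are my own assumptions.

```python
import errno
import platform
import socket

# Fixed versions as stated in the summary: mainline 7.0, stable 6.18.22+ / 6.19.12+.
FIXED_STABLE = {(6, 18): (6, 18, 22), (6, 19): (6, 19, 12)}
FIXED_MAINLINE = (7, 0, 0)


def parse_kernel_version(release):
    """Turn '6.18.22-generic' into (6, 18, 22); a missing component counts as 0."""
    nums = []
    for part in release.split("-", 1)[0].split(".")[:3]:
        digits = "".join(ch for ch in part if ch.isdigit())
        nums.append(int(digits) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def version_status(release):
    """'fixed', 'vulnerable' or 'unknown' from the version string alone.
    Older stable branches return 'unknown' because distros may ship a
    backport without bumping the version; the socket probe is the real check."""
    v = parse_kernel_version(release)
    if v >= FIXED_MAINLINE:
        return "fixed"
    if v[:2] in FIXED_STABLE:
        return "fixed" if v >= FIXED_STABLE[v[:2]] else "vulnerable"
    return "unknown"


def probe_af_alg_aead():
    """Bind an AF_ALG socket to the aead type and classify why it fails, if it does."""
    if platform.system() != "Linux" or not hasattr(socket, "AF_ALG"):
        return "not-linux"
    try:
        s = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)
    except OSError as e:
        if e.errno == errno.EAFNOSUPPORT:
            return "af_alg-disabled"  # CONFIG_CRYPTO_USER_API off or af_alg module absent
        if e.errno in (errno.EPERM, errno.EACCES):
            return "socket-blocked"  # seccomp, RestrictAddressFamilies= or SELinux
        return "socket-error:%d" % e.errno
    try:
        s.bind(("aead", "gcm(aes)"))  # ENOENT here: algif_aead not loadable (blacklisted)
    except OSError as e:
        if e.errno == errno.ENOENT:
            return "algif_aead-unavailable"
        if e.errno in (errno.EPERM, errno.EACCES):
            return "bind-blocked"
        return "bind-error:%d" % e.errno
    finally:
        s.close()
    return "aead-reachable"  # none of the workarounds is in effect for this user
```

Run it as the unprivileged user (or inside the service's sandbox) whose exposure you want to confirm, since seccomp and SELinux results depend on that context.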

Containers, Android, and other environments

  • The PoC as-is doesn’t escape rootless containers or user namespaces, but the primitive (page‑cache writes) is generally assumed sufficient to craft container→host escapes by corrupting host root‑run binaries.
  • Kubernetes mitigations like allowPrivilegeEscalation: false (akin to no_new_privs) help reduce impact but don’t replace kernel patching.
  • Android generally appears non‑exploitable in practice: AF_ALG is disabled or blocked by SELinux, and there’s no accessible su; tests on real devices hit AF_ALG permission errors.

AF_ALG and kernel design debate

  • Strong criticism of AF_ALG: large attack surface for unprivileged users, limited real‑world use, and repeated historical vulnerabilities.
  • Several kernel developers and admins advocate disabling CONFIG_CRYPTO_USER_API_* where possible and moving crypto for userland into libraries or dedicated user‑space daemons.

Presentation, naming, and PoC quality

  • Many commenters see the landing page as heavy on AI‑generated “vibecoded” marketing and light on technical density; others defend memorable naming and a dedicated site as useful for awareness.
  • The 732‑byte, golfed Python PoC is viewed as clever but hard to audit; multiple community C/Go/“de‑minified” Python rewrites were produced to make the exploit easier to understand and trust.