Copy Fail What You Need to Know About the Most Severe Linux ...#2207
Open
carlospolop wants to merge 1 commit into master from
🔗 Additional Context
Original Blog Post: https://unit42.paloaltonetworks.com/cve-2026-31431-copy-fail/
Content Categories: Based on the analysis, this content was categorized under "Linux Hardening -> Linux Privilege Escalation".
Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
Copy Fail is a deterministic Linux kernel local privilege escalation vulnerability tracked as CVE-2026-31431. It was publicly disclosed on April 29, 2026, and the Unit 42 post was published on May 5, 2026. The bug affects Linux kernels 4.14 through 6.19.12 and impacts virtually all major Linux distributions released since 2017. The article emphasizes that this is unusually dangerous because e...
🔧 Technical Details
A Linux kernel privilege-escalation technique can arise when a user-space crypto interface such as `AF_ALG` accepts file-backed pages through `splice()` and a vulnerable AEAD implementation performs unsafe in-place processing. If `req->src` and `req->dst` share a combined scatterlist, writable destination buffers may unintentionally include page-cache pages. If the algorithm then uses the destination buffer as scratch space and writes past the intended output boundary, an attacker can convert that bug into a controlled overwrite of file page cache memory.
A practical exploitation pattern is to control both the overwrite value and offset. In this case, the 4-byte value is controlled through protocol data carried in AAD bytes `4-7` as `seqno_lo`, while the target offset is selected by manipulating `splice` offset, `splice` length and `assoclen`...
🤖 Agent Actions
I’m organizing the update task first, then I’ll inspect the HackTricks structure and existing Linux privesc/kernel content before deciding whether anything new should be added.
I’m mapping the repository first so I can place any new content in the right existing page instead of creating a redundant one. After that I’ll read the relevant Linux/kernel pages and check whether the page-cache overwrite technique is already covered.
I’ve narrowed the likely placement to existing Linux kernel exploitation content. Next I’m reading the relevant index pages plus comparable kernel exploit writeups to see whether this exact technique is already present and which file best matches HackTricks’ style.
The current read shows no existing `AF_ALG` / page-cache overwrite coverage, and the kernel exploit pages live under `binary-exploitation/linux-kernel-exploitation`. I’m now checking navigation and related pages so I can update a single file without breaking the book structure.
I have the placement decision. Now I’m checking a few more adjacent files to match formatting and to confirm there isn’t already a page covering page-cache overwrite against setuid binaries.
External search confirms the technique is treated publicly as a generic `AF_ALG` + `splice()` page-cache overwrite primitive, not just a one-off CVE note. I’m pulling the original technical writeup and patch summary now so the final page can stay precise and concise.
I’ve finished the research pass. Next I’m adding one new kernel-exploitation page, then wiring it into the existing navigation with a single related reference from the Linux privesc index.
The new page is in place. I’m verifying the final markdown, the internal reference path, and the summary entry before I decide whether a full book build is needed.
The content reads clean and the paths resolve correctly on inspection. I’m running one build-level validation now to catch any summary/include issues before closing this out.
Added a new kernel-exploitation page at af-alg-aead-page-cache-overwrite.md that abstracts the blog into the reusable technique: `AF_ALG` + `splice()` + in-place AEAD scratch writes turning into a 4-byte page-cache overwrite against readable privileged binaries. I classified it under binary exploitation rather than Linux privesc because it is fundamentally a kernel exploitation primitive, then linked it from README.md and SUMMARY.md.
Validation: `git diff --check` passed cleanly. I could not run a full `mdbook build` because `mdbook` is not installed in this environment.
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
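A defender-side triage sketch for the `AF_ALG` + `splice()` pairing described under Technical Details, added here as an example and not part of this PR, the HackTricks page it creates, or the Unit 42 post. It assumes auditd on x86_64 with rules such as `-a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg` and `-a always,exit -F arch=b64 -S splice -k splice`; the helper names and the sample records are constructed for illustration.

```python
import re

# x86_64 syscall numbers (arch=c000003e); other architectures differ.
SYS_SOCKET, SYS_SPLICE = 41, 275
AF_ALG = 38  # address family; auditd logs syscall arguments in hex (a0=26)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Turn one auditd SYSCALL record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def find_af_alg_splice(lines):
    """Return (pid, uid, exe) for non-root processes that create an AF_ALG
    socket and later call splice(). A triage heuristic, not proof of abuse:
    legitimate kernel-crypto clients can show the same pairing."""
    opened, hits = {}, []   # opened: pid -> (uid, exe)
    for line in lines:
        rec = parse(line)
        if rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e":
            continue
        if rec.get("success") != "yes":
            continue
        nr, pid, uid = int(rec["syscall"]), int(rec["pid"]), int(rec["uid"])
        if uid == 0:
            continue  # the concern here is unprivileged callers
        if nr == SYS_SOCKET and int(rec["a0"], 16) == AF_ALG:
            opened[pid] = (uid, rec.get("exe", "?"))
        elif nr == SYS_SPLICE and pid in opened:
            hit = (pid, *opened[pid])
            if hit not in hits:
                hits.append(hit)
    return hits

def _rec(nr, a0, pid, uid, exe):
    """Build a constructed, abbreviated SYSCALL record for the sample below."""
    return (f'type=SYSCALL msg=audit(1700000000.000:1): arch=c000003e '
            f'syscall={nr} success=yes exit=3 a0={a0} pid={pid} uid={uid} '
            f'exe="{exe}"')

SAMPLE = [  # constructed records, not captured from a real host
    _rec(41, "26", 4321, 1000, "/tmp/sample"),    # AF_ALG socket, uid 1000
    _rec(275, "5", 4321, 1000, "/tmp/sample"),    # splice by the same pid
    _rec(275, "5", 4321, 1000, "/tmp/sample"),    # repeat, reported once
    _rec(41, "2", 5000, 1000, "/usr/bin/curl"),   # AF_INET socket, ignored
    _rec(275, "4", 5000, 1000, "/usr/bin/curl"),
    _rec(41, "26", 6000, 0, "/usr/sbin/tool"),    # root caller, ignored
    _rec(275, "4", 6000, 0, "/usr/sbin/tool"),
]

if __name__ == "__main__":
    print(find_af_alg_splice(SAMPLE))
```
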