The vulnerability, dubbed “Copy Fail”, stems from the `algif_aead` component of the Linux kernel’s cryptographic subsystem mishandling memory when it processes AEAD (Authenticated Encryption with Associated Data) requests from userspace. Specifically, `algif_aead` performed AEAD operations “in-place”, assuming that the source (src) and destination (dst) scatterlists were the same. When an unprivileged attacker used the `splice()` system call to feed data from a regular file’s page cache into an `AF_ALG` socket, `algif_aead` erroneously treated the file’s page-cache pages as a valid destination for writes. The `authencesn` cryptographic template then performed a 4-byte, zero-offset “scratch” write of an AEAD header field, letting the attacker corrupt a specific 4-byte region of the file as it sat in the page cache. Crucially, the underlying storage on disk was never modified; only the ephemeral, in-memory copy of the file was altered. This could be exploited against world-readable, sensitive files such as `/usr/bin/su` or `/etc/passwd` to flip the running user’s UID to 0, granting the attacker a root shell and thus local privilege escalation. The vulnerability was introduced in 2017 by commit 72548b093ee3, which enabled the in-place behaviour, and was resolved by reverting to out-of-place operation, where the kernel writes to a fresh buffer instead of the original file-backed pages.
dailycve form:
Platform: Linux Kernel
Version: Since 2017
Vulnerability: Page Cache Write
Severity: HIGH
Date: 2026-04-29
Prediction: 2026-04-30
What Undercode Say:
The flaw’s impact is High: it is a local privilege escalation from a low-privileged user to root that requires no user interaction. Its prevalence across major distributions and cloud images from the past nine years, combined with the availability of stable proof-of-concept exploits in the wild, raises its effective risk to Critical for production environments.
Bash commands and codes related to the blog
```bash
# Detection command (non-destructive)
python3 test_cve_2026_31431.py

# Interactive exploitation (flips UID of /etc/passwd in page cache)
python3 exploit_cve_2026_31431.py --shell

# Instant mitigation (block algif_aead initcall via grubby)
sudo grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
sudo reboot

# Verify that the mitigation is active
sudo grubby --info=ALL | grep initcall_blacklist

# Revert the mitigation after a patched kernel is installed
sudo grubby --update-kernel=ALL --remove-args="initcall_blacklist=algif_aead_init"
sudo reboot
```
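The `grubby --info` line above only shows what the bootloader entry will pass on the next boot. As an added example, not part of the original post or of its scripts, the following C program checks the running kernel instead: it parses `/proc/cmdline` for `initcall_blacklist=algif_aead_init` and `/proc/modules` for a loaded `algif_aead` module. The parsing is split into two string functions so they can be exercised on constructed input; only `main()` reads the real procfs files. A built-in `algif_aead` never appears in `/proc/modules`, so on such kernels the command-line check is the one that matters.

```c
/* Added example (not from the original post): report whether the
 * initcall_blacklist mitigation is active on the running kernel and whether
 * algif_aead is currently loaded as a module. Assumed inputs are the standard
 * procfs files /proc/cmdline and /proc/modules. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 if the initcall_blacklist= parameter on cmdline lists
 * algif_aead_init (the value is a comma-separated list), else 0. */
int cmdline_blacklists_algif_aead(const char *cmdline)
{
    const char *key = "initcall_blacklist=";
    const char *want = "algif_aead_init";
    const char *p = cmdline;

    while ((p = strstr(p, key)) != NULL) {
        /* the key must start a parameter: at the beginning or after a blank */
        if (p != cmdline && p[-1] != ' ' && p[-1] != '\t' && p[-1] != '\n') {
            p += strlen(key);
            continue;
        }
        p += strlen(key);
        const char *end = p + strcspn(p, " \t\n");   /* end of this value */
        const char *item = p;
        while (item < end) {
            const char *comma = memchr(item, ',', (size_t)(end - item));
            const char *item_end = comma ? comma : end;
            size_t len = (size_t)(item_end - item);
            if (len == strlen(want) && memcmp(item, want, len) == 0)
                return 1;
            item = item_end + 1;
        }
        p = end;   /* keep scanning: the parameter may be given more than once */
    }
    return 0;
}

/* Return 1 if the /proc/modules text contains a line whose module name
 * (first whitespace-delimited field) is algif_aead, else 0. */
int modules_list_algif_aead(const char *modules)
{
    const char *name = "algif_aead";
    const char *line = modules;

    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        size_t name_len = strcspn(line, " ");
        if (name_len > len)
            name_len = len;
        if (name_len == strlen(name) && memcmp(line, name, name_len) == 0)
            return 1;
        if (!nl)
            break;
        line = nl + 1;
    }
    return 0;
}

/* Read a small procfs file into a malloc'd, NUL-terminated buffer. */
static char *read_file(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return NULL;
    size_t cap = 4096, n = 0, r;
    char *buf = malloc(cap);
    if (!buf) { fclose(f); return NULL; }
    while ((r = fread(buf + n, 1, cap - n - 1, f)) > 0) {
        n += r;
        if (n + 1 >= cap) {
            char *nb = realloc(buf, cap * 2);
            if (!nb) { free(buf); fclose(f); return NULL; }
            buf = nb;
            cap *= 2;
        }
    }
    buf[n] = '\0';
    fclose(f);
    return buf;
}

int main(void)
{
    char *cmdline = read_file("/proc/cmdline");
    char *modules = read_file("/proc/modules");
    int blacklisted = cmdline && cmdline_blacklists_algif_aead(cmdline);
    int loaded = modules && modules_list_algif_aead(modules);

    printf("initcall_blacklist=algif_aead_init on running cmdline: %s\n",
           blacklisted ? "yes" : "no");
    printf("algif_aead currently loaded as a module:            %s\n",
           loaded ? "yes" : "no");
    if (!blacklisted || loaded)
        printf("mitigation not confirmed: install a patched kernel or apply the grubby command and reboot\n");

    free(cmdline);
    free(modules);
    return (blacklisted && !loaded) ? 0 : 1;
}
```

Run it after the reboot; exit status 0 means the blacklist is on the live command line and no `algif_aead` module is loaded. A non-zero status on a kernel where the module is built in tells you only that the blacklist is missing, which is exactly the case where the eBPF or seccomp controls below are the fallback.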
Exploit:
The exploit leverages the `AF_ALG` socket and the `authencesn(hmac(sha256),cbc(aes))` algorithm. It sends 8 bytes of associated data via `sendmsg` to control a 4-byte `seqno_lo` field, then uses `os.splice()` to feed bytes from a victim file’s page cache into the AEAD operation. The in-place AEAD write corrupts the page-cache copy of the file, typically setting the calling user’s UID field in `/etc/passwd` to 0 so that `su` spawns a root shell.
Protection from this CVE
- Immediate Mitigation: Blacklist the `algif_aead` initcall at boot using the kernel command line parameter `initcall_blacklist=algif_aead_init`. Apply it with `grubby` as shown above; this requires a reboot.
- Apply Security Updates: Update the Linux kernel to a version that includes the revert commit. Major distributions have released patched kernels.
- Use eBPF: Deploy an eBPF-based daemon such as `CVE-2026-31431-mitigation` to block `AF_ALG` socket creation for unprivileged users on systems where `algif_aead` is built into the kernel and cannot be blacklisted.
- Seccomp Filtering: Block the `AF_ALG` address family for all non-trusted processes using seccomp-bpf so that they cannot reach the vulnerable interface.
- Monitor for Exploitation: Watch for the creation of `AF_ALG` sockets and the loading of the `algif_aead` module by unprivileged processes, as these are indicators of potential exploitation.
Impact
A local attacker who already holds an unprivileged user account can gain complete control over the system. By corrupting the page cache of files such as `/etc/passwd` or setuid binaries, they can achieve persistent local privilege escalation to root without any disk-write signature, so forensic detection depends on runtime memory analysis. The compromise of a single user account therefore leads to full system compromise, allowing the attacker to bypass security controls, steal data, and disrupt operations.
Sources:
Reported By: www.cve.org