copyfail-go-lpe

CopyFail Go (CVE-2026-31431)

Skill by ara.so — Daily 2026 Skills collection.

CopyFail Go is a static Go binary that exploits CVE-2026-31431, a straight-line logic flaw in the Linux kernel's AF_ALG AEAD scatterlist handling. Unlike race-condition local privilege escalations (LPEs), it requires no timing window or kernel-specific offsets: the same binary roots every affected Linux distribution shipped since 2017.

Affected kernel range:

  • Floor: torvalds/linux 72548b093ee3 — August 2017, v4.14 (AF_ALG iov_iter rework)
  • Ceiling: torvalds/linux a664bf3d603d — April 2026 (fix: separates source/destination scatterlists)

Confirmed vulnerable at disclosure: Ubuntu, RHEL, SUSE, Amazon Linux, Debian stock cloud images.


How It Works

The exploit abuses the AF_ALG AEAD in-place optimization introduced in 2017, which allowed page-cache pages to be used as a writable crypto destination via splice. This enables writing arbitrary content to read-only file-backed pages — including setuid binaries like /usr/bin/su.

CopyFail-Go patches /usr/bin/su in place via the kernel primitive, spawns a root shell, then restores the original binary.
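For triaging a fleet against the affected range above, the following Go check is an added example, not code from the CopyFail-Go project. It compares the running kernel release with the v4.14 floor and reports whether the AF_ALG AEAD module is loaded. The function names are hypothetical, and the module name algif_aead is the upstream kernel's name for that interface, not a value from this page. Because the page identifies the fix only by commit, a release at or above the floor is reported for review rather than as confirmed vulnerable.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// AtOrAboveFloor reports whether a uname-style release ("5.15.0-105-generic")
// is v4.14 or later, the floor the page gives for the affected range.
func AtOrAboveFloor(release string) (inRange, parsed bool) {
	var major, minor int
	if n, _ := fmt.Sscanf(strings.TrimSpace(release), "%d.%d", &major, &minor); n != 2 {
		return false, false
	}
	return major > 4 || (major == 4 && minor >= 14), true
}

// ModuleLoaded scans /proc/modules content for a module name (first field).
func ModuleLoaded(procModules, name string) bool {
	for _, line := range strings.Split(procModules, "\n") {
		if f := strings.Fields(line); len(f) > 0 && f[0] == name {
			return true
		}
	}
	return false
}

// Triage combines both signals. "algif_aead" is an assumption (upstream name).
func Triage(release, procModules string) string {
	inRange, parsed := AtOrAboveFloor(release)
	switch {
	case !parsed:
		return "unknown: unparseable release"
	case !inRange:
		return "below floor: predates v4.14"
	case ModuleLoaded(procModules, "algif_aead"):
		return "review: at/above floor, algif_aead loaded"
	}
	// Absence from /proc/modules is not proof: it may be built in or load on demand.
	return "review: at/above floor, algif_aead not loaded"
}

func main() {
	rel, _ := os.ReadFile("/proc/sys/kernel/osrelease")
	mods, _ := os.ReadFile("/proc/modules")
	fmt.Println(Triage(string(rel), string(mods)))
}
```

Hosts reported for review still need their distribution's advisory or package changelog checked for the a664bf3d603d fix, since vendors backport without changing the major.minor version.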
