CVE-2026-31431 ("Copy Fail") Toolkit

Skill by ara.so — Daily 2026 Skills collection.

A Python toolkit for detecting and demonstrating CVE-2026-31431, a Linux kernel vulnerability where algif_aead with authencesn(hmac(sha256),cbc(aes)) performs an in-place AEAD operation via splice(), writing into page-cache pages of regular files — enabling an unprivileged user to corrupt the kernel's in-memory view of /etc/passwd or other world-readable files for local privilege escalation.

Authorization notice: Use only on systems you own or are explicitly engaged to assess. Running this on unauthorized systems is illegal in most jurisdictions.

Affected Systems

• Linux kernels carrying commit 72548b093ee3 (in-place AEAD, 2017) without the upstream revert
• Confirmed affected: Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 14.3, SUSE 16

Installation

No installation required. Pure Python 3.10+ stdlib — clone and run directly.

git clone https://github.com/rootsecdev/cve_2026_31431.git