Cybersecurity researchers have disclosed details of a Linux local privilege escalation (LPE) flaw that could allow an unprivileged local user to obtain root.
The high-severity vulnerability, tracked as CVE-2026-31431 (CVSS score: 7.8), has been codenamed Copy Fail by Xint.io and Theori.
“An unprivileged local user can write 4 controlled bytes into the page cache of any readable file on a Linux system, and use that to achieve root,” the vulnerability research team at Xint.io and Theori said.
At its core, the vulnerability stems from a logic flaw in the Linux kernel’s cryptographic subsystem, specifically within the algif_aead module. The issue was introduced in a source code commit made in August 2017.
Successful exploitation of the weakness could allow a simple 732-byte Python script to edit a setuid binary and obtain root on essentially all Linux distributions shipped since 2017, including Amazon Linux, RHEL, SUSE, and Ubuntu. The Python exploit involves four steps –
- Open an AF_ALG socket and bind to authencesn(hmac(sha256),cbc(aes))
- Construct the shellcode payload
- Trigger the write operation to the kernel’s cached copy of “/usr/bin/su”
- Call execve(“/usr/bin/su”) to load the injected shellcode and run it as root
While the vulnerability is not remotely exploitable in isolation, a local unprivileged user can get root simply by corrupting the page cache of a setuid binary. The same primitive also has cross-container impact, because the page cache is shared across all processes on a system.
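Because the primitive corrupts the cached copy of a setuid binary rather than the file on disk, a defender can look for disagreement between the two. The Python check below is an added example, not code from the article or from Xint.io/Theori: it hashes each setuid binary once through the normal read path (served from the page cache) and once with O_DIRECT (read from disk, bypassing the cache) and flags any mismatch. It assumes the tampered page is never written back, so the on-disk bytes stay authoritative, and that the filesystem honours O_DIRECT with 4096-byte aligned reads; where it does not, the check reports None rather than a verdict.

```python
import errno
import hashlib
import mmap
import os

BLOCK = 4096  # assumed O_DIRECT size/alignment granularity of the filesystem

def digest_buffered(path):
    with open(path, "rb") as f:  # normal read path: served from the page cache
        return hashlib.sha256(f.read()).hexdigest()

def digest_direct(path):
    """SHA-256 via O_DIRECT (bypasses the page cache); None if unsupported."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
    except OSError:
        return None  # no O_DIRECT on this filesystem, or unreadable: cannot verify
    h, buf, offset = hashlib.sha256(), mmap.mmap(-1, BLOCK), 0  # page-aligned buf
    try:
        while True:
            n = os.preadv(fd, [buf], offset)  # aligned, block-sized direct read
            h.update(buf[:n])
            offset += n
            if n < BLOCK:  # short read: end of file
                break
    except OSError as e:
        if e.errno == errno.EINVAL:  # filesystem rejected the direct read
            return None
        raise
    finally:
        os.close(fd)
    return h.hexdigest()

def page_cache_matches_disk(path):
    """True if cached and on-disk bytes agree, False if they differ, None if unknown."""
    direct = digest_direct(path)
    return None if direct is None else direct == digest_buffered(path)

def find_tampered_setuid(dirs=("/usr/bin", "/usr/sbin", "/bin", "/sbin")):
    """Setuid regular files under dirs whose page-cache contents differ from disk."""
    hits = []
    for d in dirs:
        for entry in (os.scandir(d) if os.path.isdir(d) else []):
            mode = entry.stat(follow_symlinks=False).st_mode
            if entry.is_file(follow_symlinks=False) and mode & 0o4000:  # setuid bit
                if page_cache_matches_disk(entry.path) is False:
                    hits.append(entry.path)
    return hits
```

A non-empty result from find_tampered_setuid() is a strong signal that a cached executable no longer matches its on-disk image and warrants an incident response; a None from page_cache_matches_disk() only means this method could not be applied on that filesystem.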

In response to the disclosure, Linux distributions have released their own advisories –
Copy Fail has its echoes in Dirty Pipe (CVE-2022-0847), another Linux kernel LPE vulnerability that could allow unprivileged users to splice data into the page cache of read-only files and ultimately overwrite sensitive files on the system to gain code execution.
“Copy Fail is the same class of primitive, in a different subsystem,” Bugcrowd’s David Brumley said. “The 2017 in-place optimization in algif_aead allows a page-cache page to end up in the kernel’s writable destination scatterlist for an AEAD operation submitted over an AF_ALG socket. An unprivileged process can then force splice() into that socket and complete a small, targeted write into the page cache of a file it does not own.”
What makes the vulnerability dangerous is that it can be reliably triggered and does not require any race condition or kernel offset. On top of that, the same exploit works across distributions.
“This vulnerability is unique because it has four properties that almost never appear together: it is portable, tiny, stealthy, and cross-container,” a Xint.io spokesperson told The Hacker News in a statement. “It allows any user account, no matter how low-level, to increase their privilege to full admin access. It also allows them to bypass sandboxing and works across all Linux versions and distributions.”