A Linux Kernel Exploit PoC Written in Rust

CVE-2026-31431-Linux-Copy-Fail is a publicly disclosed proof-of-concept exploit targeting a Linux kernel vulnerability. The project, authored by researcher iss4cf0ng, provides a Rust-based implementation that demonstrates how the flaw can be weaponized to execute customized shellcode on affected systems. The write-up accompanying the repo walks through the vulnerability's root cause and the exploitation technique in detail, making it useful as both a research artifact and an educational resource for kernel security.

At its core, this PoC shows that a bug in the kernel's copy mechanisms can be leveraged to achieve arbitrary code execution. The exploit supports injecting payloads such as Meterpreter, giving security professionals a realistic demonstration of post-exploitation scenarios. For defenders and researchers tracking Linux kernel security, having a public PoC to study is invaluable—it clarifies the attack surface and helps validate whether specific kernel versions or configurations are at risk.

Core Features

  • Rust implementation — The entire exploit is written in Rust, offering memory safety during exploit development and reducing the chance of crashes caused by implementation bugs in the PoC itself.
  • Customizable shellcode execution — Users can supply their own shellcode payloads. The PoC is demonstrated with Meterpreter but is not limited to it.
  • Educational write-up — The linked blog post documents the vulnerability analysis and exploitation strategy, providing technical context that goes beyond the raw code.
  • Targeted at a specific CVE — The PoC is narrowly scoped to CVE-2026-31431, focusing on the Linux kernel's copy functions rather than being a generic kernel exploit framework.
  • Minimal dependencies — As a Rust project, it relies on the standard toolchain, keeping the build surface small and reproducible.

Getting It Running

Since the project is written in Rust, the setup assumes a working Rust toolchain on a Linux system. The general steps are:

# Clone the repository
git clone https://github.com/iss4cf0ng/CVE-2026-31431-Linux-Copy-Fail.git
cd CVE-2026-31431-Linux-Copy-Fail

# Build with Cargo
cargo build --release

# Refer to the README and linked write-up for target-specific usage
# The exploit requires a vulnerable Linux kernel version

Important: This PoC must be run against a system running a vulnerable version of the Linux kernel. Running it on a patched kernel or an unrelated configuration will fail. The blog post linked from the repository provides the specifics of which kernel versions and configurations are affected. Always use this kind of tool only in environments where you have explicit authorization.

Who This Is For

This project is squarely aimed at security researchers, penetration testers, and kernel developers who need to understand the real-world implications of CVE-2026-31431. It is not a general-purpose tool—it is a focused PoC designed to prove exploitability and serve as a reference implementation.

Red teams and offensive security practitioners can use it to validate whether their target environments are vulnerable. Defenders can study it to build better detection rules or verify that their patching strategy covers this attack vector. Academic researchers and students studying Linux kernel internals will find the accompanying write-up particularly useful, as it connects the theoretical vulnerability to working code.

If you are looking for a production-grade post-exploitation framework, this is not that. It is a narrowly scoped demonstration, and it makes no effort to hide its activity from modern endpoint detection tools.

How It Compares

Linux kernel exploit PoCs are not uncommon in the security research community. Projects targeting similar kernel-level vulnerabilities—such as exploits for dirty pipe,Dirty COW, or various eBPF-related flaws—have been released over the years. What distinguishes this particular PoC is its Rust implementation, which is still relatively uncommon in the exploit development space where C and assembly dominate.

Compared to large offensive frameworks like Metasploit, which bundles dozens of exploits and payloads, this project is minimal by design. It does one thing: it demonstrates CVE-2026-31431 with a user-supplied payload. That narrow focus is both a strength and a limitation. It is easier to audit and understand than a sprawling framework, but it lacks the automation, encoding, and evasion features that more mature toolkits provide.

For researchers specifically tracking Linux kernel copy-related vulnerabilities, this PoC fills a niche. It provides a clean, well-documented starting point rather than requiring teams to develop their own exploit from scratch.

This PoC serves as a solid reference for anyone studying CVE-2026-31431 or Linux kernel exploitation techniques more broadly. It is compact, written in a modern language, and paired with a detailed technical write-up that explains the "why" behind the exploit. The source code and full technical analysis are available at CVE-2026-31431-Linux-Copy-Fail, with the accompanying write-up hosted at iss4cf0ng.github.io.