`copy-fail-CVE-2026-31431` is a GitHub repository from theori-io that releases a proof-of-concept exploit for CVE-2026-31431, a local privilege escalation (LPE) vulnerability in the Linux kernel. The issue, dubbed "Copy Fail", dates back nine years and affects core kernel copy operations. Theori's Xint Code team discovered it, and the project has garnered 3502 stars since its release. The exploit is written in Python and targets specific kernel versions across popular distributions.
The repository links directly to a detailed technical writeup on the discoverer's site, providing analysis of the root cause and exploitation steps. Users interested in kernel security can find reproduction details there, along with the exploit code itself. This setup allows researchers to verify the vulnerability on matching systems without needing to reverse-engineer from scratch.
## What the exploit targets
CVE-2026-31431 enables a local user to escalate privileges to root through flawed handling in kernel copy functions. The proof-of-concept demonstrates this on unpatched kernels, confirming elevation from a standard user account. The project's README specifies four tested environments, ensuring reproducibility on those exact setups:
| Distro | Kernel version |
|---|---|
| Ubuntu 24.04 LTS | 6.17.0-1007-aws |
| Amazon Linux 2023 | 6.18.8-9.213.amzn2023 |
| RHEL 10.1 | 6.12.0-124.45.1.el10_1 |
| SUSE 16 | 6.12.0-160000.9-default |
These kernels span cloud (AWS-focused Ubuntu, Amazon Linux) and enterprise (RHEL, SUSE) deployments. Running the exploit on these versions triggers the LPE, as outlined in the linked writeup at https://xint.io/blog/copy-fail-linux-distributions. The Python implementation keeps the code straightforward, relying on standard library calls for kernel interaction.
## Getting it running
Start by cloning the repository:

```
git clone https://github.com/theori-io/copy-fail-CVE-2026-31431.git
cd copy-fail-CVE-2026-31431
```
The project uses Python, so ensure Python 3 is installed on a vulnerable system matching one of the tested kernels. No additional dependencies appear in the provided README excerpt, but check the repository files for a `requirements.txt` or setup instructions. Execute the exploit script as a local user on one of the listed kernel versions, typically via `python3 exploit.py` or the named entrypoint script (details in repo).
Test only on isolated lab machines. Kernel exploits can destabilize systems or trigger crashes if mishandled. The technical writeup expands on prerequisites, such as disabling mitigations like KASLR if present, and exact reproduction commands. After cloning, review the source code to understand the copy operation trigger before running.
For containerized testing, users might spin up Docker images with the specified distros, mounting the exploit code inside. For example, pull an Ubuntu 24.04 AWS image, verify that `uname -r` matches 6.17.0-1007-aws, then run the Python script. Keep in mind that a container shares the host's kernel: `uname -r` inside the container reports the host kernel, and a kernel exploit that succeeds inside the container compromises the host, so a dedicated virtual machine running the target kernel isolates the impact far better than a container does.
## Who this is for
Security researchers reproducing CVEs benefit most, as the PoC confirms the nine-year dormancy of this kernel flaw across distros. Red teams assessing LPE paths in enterprise environments—like RHEL or SUSE deployments—can integrate it into audits. Penetration testers targeting cloud instances (Amazon Linux, AWS Ubuntu) use it to validate privilege chains.
It's also suited to developers hardening custom kernels or contributing patches, since the writeup details the bug's mechanics. Universities teaching kernel exploitation or OS security include such PoCs in curricula. Anyone auditing unpatched servers from the 2023-2024 era should check their kernel versions against the table above.
This is not for novices; it requires Linux internals knowledge to interpret results or debug failures. Ethical use cases dominate: vulnerability disclosure validation, patch testing, and blue-team defense simulations. Production servers stay off-limits; apply vendor patches instead.
## Comparisons to similar projects
Other kernel LPE PoCs exist, like Dirty COW (CVE-2016-5195), which also spanned years and distros but targeted a different race condition. Copy Fail focuses on copy operations, narrower than Dirty COW's page fault abuse. Retbleed (CVE-2022-29900+) or similar speculative execution bugs demand more complex tooling, while this Python script runs lighter.
Compared to broader exploit frameworks like Metasploit, this standalone repo avoids bloat—pure PoC at ~3502 stars versus Metasploit's millions. For RHEL/SUSE, it pairs with tools like LinPEAS for recon, but stands alone for this CVE. Alternatives include vendor-provided reproducers post-disclosure, though this predates some patches.
Heavier tooling serves other purposes: Canarytokens provide detection, and kernel fuzzer suites such as syzkaller serve fuzzing, not targeted LPE. If seeking multi-CVE coverage, check the exploit-db.com archives; this project zeroes in on one overlooked flaw.
## Scope and limitations
The exploit works reliably on the listed kernels but may fail on patched versions or differing configs (e.g., grsecurity). It's Python-based, so cross-compilation isn't needed, but ARM/x86 mismatches could arise in cloud tests. No Dockerfiles or packages in the repo—users build their own testbeds.
Distros outside the table, like Debian or Arch, lack confirmation; verify kernels manually. For ongoing research, monitor Theori's Xint.io or NVD for updates.
Source code and writeup: https://github.com/theori-io/copy-fail-CVE-2026-31431 and https://xint.io/blog/copy-fail-linux-distributions. Casual users skip this; it's for those dissecting kernel risks.