A Linux local privilege escalation that needs neither a race window nor a kernel-specific offset is uncommon enough to be worth examining. Copy Fail (CVE-2026-31431) targets the kernel crypto API via AF_ALG, overwrites page cache data in a SUID binary such as /usr/bin/su, and hands an unprivileged user a root shell. The exploit ships as a 732-byte Python script or a compiled C ELF. Every Linux distribution released since 2017 is reportedly vulnerable. The GitHub repo by painoob has 93 stars at the time of writing.
Architecture
The vulnerability sits in the kernel's AF_ALG socket family, specifically the algif_aead interface. An unprivileged process can interact with this interface to manipulate cryptographic operations in a way that corrupts page cache entries belonging to a SUID binary already loaded in memory. The exploit does not write to disk. It modifies the page cache only, so the change is non-persistent and evaporates once the binary is reloaded or the system reboots.
The exploit comes in two forms: a Python script and a C program. The Python version relies on os.splice and socket(AF_ALG), both of which require Python 3.10 or newer. The C version compiles with a single gcc invocation and has no runtime dependency on Python. Both achieve the same outcome—root access via a modified SUID binary—using the same underlying kernel flaw.
What you can do with it
The README documents three ways to run the exploit: executing the Python script directly, piping it from a remote URL through curl into the interpreter, or running the compiled C binary. After the exploit fires, the typical validation step is invoking su and checking id for a UID of 0.
Vulnerability checks are also part of the documented workflow. The repo recommends grepping /proc/crypto for authencesn(hmac(sha256),cbc(aes)) and confirming algif_aead is loaded via lsmod. These are quick indicators that the target kernel exposes the attack surface.
The README also lists mitigation steps: blacklisting the algif_aead module with a modprobe configuration and applying kernel updates through the system package manager.
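The two indicators above and the modprobe mitigation, as an added defender-side example (my script, not the repo's): both checks take file paths so they work on the live /proc files or on copies captured from another host, and the config fragment keeps algif_aead from being loaded. The fragment's file name under /etc/modprobe.d/ and the use of an `install` line alongside `blacklist` are my assumptions; the README only says "blacklist".

```shell
#!/bin/sh
# Added example (not the repo's script): checks the two indicators the README
# names and emits a modprobe.d fragment that keeps algif_aead from loading.
# Both checks take file paths so they can be run against captured copies of
# /proc/crypto and /proc/modules from another host, or against the live files.

TARGET_ALG='authencesn(hmac(sha256),cbc(aes))'

# Returns 0 if the /proc/crypto-style file in $1 lists TARGET_ALG.
# /proc/crypto prints one "name         : <alg>" line per registered algorithm;
# parentheses are literal in a basic regex, so plain grep is safe here.
crypto_lists_target() {
    grep -q "^name[[:space:]]*: $TARGET_ALG\$" "$1" 2>/dev/null
}

# Returns 0 if module $1 appears in the lsmod- or /proc/modules-style file $2
# (both formats put the module name in the first column). A built-in
# algif_aead never shows up here, so a clean result is not proof of absence.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2" 2>/dev/null
}

# Combined exposure check: both indicators must be present.
# Prints the verdict and returns 0 when the attack surface is exposed.
assess() {
    crypto="$1"; modules="$2"
    if crypto_lists_target "$crypto" && module_loaded algif_aead "$modules"; then
        echo "EXPOSED: $TARGET_ALG registered and algif_aead loaded"
        return 0
    fi
    echo "not exposed: one or both indicators absent (or module built in)"
    return 1
}

# Mitigation fragment for /etc/modprobe.d/ (file name is an assumption, e.g.
# copyfail.conf). "blacklist" alone only stops alias-based autoloading, which is
# the path AF_ALG uses; the "install" line also defeats an explicit modprobe.
modprobe_fragment() {
    cat <<'EOF'
install algif_aead /bin/false
blacklist algif_aead
EOF
}

# Live run against this host when the proc files are readable.
if [ -r /proc/crypto ] && [ -r /proc/modules ]; then
    assess /proc/crypto /proc/modules || true
fi
```

Unloading an already-loaded module with rmmod is still needed after writing the fragment, and the kernel update from the package manager remains the actual fix.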
Constraints and gotchas
This is not a universal exploit. It requires AF_ALG to be enabled in the kernel and the algif_aead module to be loaded. If either is absent or the kernel has been patched, the exploit fails silently or produces no root shell.
For the Python version, anything below Python 3.10 is a non-starter because os.splice won't be available. Even on 3.10+, a restricted build that omits os.splice will raise an error. The suggested fix is to use a newer Python binary or upload a static interpreter.
On the C side, compilation failures point to missing build tools, and an exploit that runs but doesn't yield root usually means the kernel is already patched, offsets are wrong, or the environment doesn't match the assumptions the exploit makes.
The README explicitly states the exploit requires local access and is not remotely exploitable by default. It also notes that if the exploit fails, operators should look at alternate LPE vectors—SUID binaries, capabilities, sudo misconfigurations—rather than assuming the kernel is safe.
Getting started
Setup is straightforward: the README provides the exact commands for running the Python or C version, checking vulnerability indicators, and compiling the binary. Anyone interested in the quickstart steps should consult the repo's README directly.
When to use it versus alternatives
If you're running local security assessments, CTF challenges, or authorized penetration tests and need a straightforward LPE that avoids complex race conditions, Copy Fail is worth keeping in the toolkit. It's lighter than exploits that require kernel-specific offsets, but it's narrower in scope—only kernels with AF_ALG and algif_aead exposed are in scope. For environments where those modules are disabled or the kernel is patched, this won't work. More general-purpose LPE tools that chain multiple techniques may be a better fit in those cases.
The source is on GitHub.