Copy Fail 732 Bytes to Root on Every Major Linux Distributio... #2184
Open
carlospolop wants to merge 1 commit into master from
🔗 Additional Context
Original Blog Post: https://xint.io/blog/copy-fail-linux-distributions
Content Categories: Based on the analysis, this content was categorized under "Linux Hardening -> Linux Privilege Escalation (add a page for CVE-2026-31431 / page-cache overwrite primitives via AF_ALG+splice; cross-reference existing Dirty Pipe/Dirty COW style LPEs)".
Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
Title/Context
The post discloses Copy Fail (CVE-2026-31431), a Linux kernel logic bug involving the authencesn AEAD cryptographic template. It allows an unprivileged local user to trigger a deterministic, controlled 4-byte write into the page cache of any file readable by that user. Because the page cache is what the kernel actually serves for read()...
🔧 Technical Details
AF_ALG + splice() “page-cache as input pages” trick: If you can feed a file into a pipe and then splice() it into a kernel consumer (here, AF_ALG crypto), the consumer’s scatterlist may end up referencing the file’s page-cache pages by reference (zero-copy). Any bug that later treats those pages as writable (directly or via chained scatterlist segments) becomes a primitive to modify a file’s in-memory contents system-wide (affecting read(), mmap(), execve()).
Scatterlist boundary-crossing write via incorrect “in-place” AEAD composition: If a framework constructs an in-place operation (req->src = req->dst) and appends extra scatterlist segments (e.g., authentication tag) into the destination via sg_chain(), any algorithm that writes beyond its contractual output length can cross into the appended segments. When those appended segments are backed by ...
🤖 Agent Actions
I’m mapping the repo first and then reading the existing Linux LPE and page-cache write content so the update lands in the right place and doesn’t duplicate what HackTricks already has.
I found two plausible homes: the broad Linux privilege-escalation index and the dedicated linux-kernel-exploitation subsection under it. I’m reading several existing kernel-focused pages now to match structure and decide whether this belongs as a new dedicated page or a short subsection.
The repo doesn’t already cover this primitive, so I’m adding a dedicated Linux kernel LPE page under the existing linux-kernel-exploitation subsection and wiring it into SUMMARY.md. The page will stay focused on the reusable trick: AF_ALG + splice() turning readable file page-cache pages into a writable destination scatterlist when an AEAD implementation writes past its contract.
I’ve finished source validation and I’m writing the new page now. The edit will keep exploit details high-signal and centered on the transferable primitive, with mitigations and references at the end.
The page content is in place and the navigation entry resolves to the new file path. I’m doing one last validation pass now to catch any structural issue before closing out.
Added a new page at copy-fail-af_alg-splice-page-cache-overwrite-cve-2026-31431.md and linked it from SUMMARY.md.
The content is focused on the reusable technique, not just the CVE:
AF_ALG + splice() exposing page-cache pages to a writable destination scatterlist, authencesn writing 4 bytes past the AEAD output contract, why that becomes a deterministic page-cache overwrite primitive, the typical setuid-root LPE flow, and patch/mitigation guidance with references to the Xint write-up, copy.fail, and upstream Linux commits.
I re-read the new page and summary entry after editing. I could not run mdbook build because mdbook is not installed in this environment.
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
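Defender-side, as an added example that is not part of this PR or the HackTricks page it adds: the AF_ALG + splice() pairing described in the summary leaves a syscall trail that auditd can record, and the script below flags processes that create an AF_ALG socket and then call splice(2), with an allowlist for legitimate zero-copy crypto clients. It assumes auditd syscall rules for socket(2) and splice(2), x86_64 syscall numbers, and constructed (not captured) sample records.

```python
# Added example, not code from the PR or the page. Assumes auditd syscall rules
# such as:  -a always,exit -F arch=b64 -S socket -S splice -k af_alg_splice
# The sample records below are constructed for illustration, not real captures.
SYS_SOCKET = 41          # x86_64 socket(2)
SYS_SPLICE = 275         # x86_64 splice(2)
AF_ALG = 38              # Linux AF_ALG family; audit prints args in hex, so a0=26

SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 ppid=4000 pid=4242 auid=1000 uid=1000 comm="suspect" exe="/tmp/suspect" key="af_alg_splice"
type=SYSCALL msg=audit(1700000000.101:102): arch=c000003e syscall=275 success=yes exit=4096 a0=4 a1=0 a2=3 a3=0 ppid=4000 pid=4242 auid=1000 uid=1000 comm="suspect" exe="/tmp/suspect" key="af_alg_splice"
type=SYSCALL msg=audit(1700000000.102:103): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=6 a3=0 ppid=1 pid=5001 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="af_alg_splice"
type=SYSCALL msg=audit(1700000000.103:104): arch=c000003e syscall=275 success=yes exit=4096 a0=5 a1=0 a2=3 a3=0 ppid=1 pid=5001 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="af_alg_splice"
type=SYSCALL msg=audit(1700000000.104:105): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 ppid=1 pid=6100 auid=0 uid=0 comm="kcapi" exe="/usr/bin/kcapi" key="af_alg_splice"
type=SYSCALL msg=audit(1700000000.105:106): arch=c000003e syscall=275 success=yes exit=4096 a0=4 a1=0 a2=3 a3=0 ppid=1 pid=6100 auid=0 uid=0 comm="kcapi" exe="/usr/bin/kcapi" key="af_alg_splice"
"""

def parse_record(line):
    """Split one audit record into a dict of key=value fields (quotes stripped)."""
    fields = {}
    for tok in line.split():
        if '=' in tok:
            key, val = tok.split('=', 1)
            fields[key] = val.strip('"')
    return fields

def find_af_alg_splice(log_text, allowlist=frozenset()):
    """Return {pid: details} for every process that created an AF_ALG socket and
    later called splice(2). Zero-copy crypto clients (libkcapi, OpenSSL's afalg
    engine) use the same pairing legitimately, so baseline them via `allowlist`
    (by comm name) instead of alerting on every hit."""
    opened = {}    # pid -> details of that pid's first successful AF_ALG socket()
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get('type') != 'SYSCALL' or rec.get('success') != 'yes':
            continue
        pid, nr = rec['pid'], int(rec['syscall'])
        ts = rec['msg'][len('audit('):].split(':')[0]   # "audit(SECS:SERIAL):" -> SECS
        if nr == SYS_SOCKET and int(rec['a0'], 16) == AF_ALG:
            opened.setdefault(pid, {'comm': rec['comm'], 'uid': int(rec['uid']), 'socket_at': ts})
        elif nr == SYS_SPLICE and pid in opened and pid not in flagged:
            if opened[pid]['comm'] not in allowlist:
                flagged[pid] = dict(opened[pid], splice_at=ts)
    return flagged

if __name__ == '__main__':
    for pid, info in find_af_alg_splice(SAMPLE_AUDIT_LOG, allowlist={'kcapi'}).items():
        print(f"pid {pid} ({info['comm']}, uid {info['uid']}): AF_ALG socket at "
              f"{info['socket_at']}, splice at {info['splice_at']}")
```

A hit is a triage lead rather than proof of exploitation; the actual fix is the upstream kernel patch the page references, and hosts with no userspace AF_ALG clients can keep the algif_* modules from loading via modprobe.d.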