Copy Fail (CVE-2026-31431) Frequently asked questions about ... #2190
Open
carlospolop wants to merge 1 commit into master from
🔗 Additional Context
Original Blog Post: https://www.tenable.com/blog/copy-fail-cve-2026-31431-frequently-asked-questions-about-linux-kernel-privilege-escalation
Content Categories: Based on the analysis, this content was categorized under "Linux Hardening -> Linux Privilege Escalation (add a new page for CVE-2026-31431 / page-cache-only file modification primitive, referencing Copy Fail alongside Dirty COW/Dirty Pipe-style techniques)".
Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
Title/Context: Tenable FAQ covering Copy Fail (CVE-2026-31431), a Linux kernel local privilege escalation (LPE) in the kernel cryptographic subsystem. The post states the bug has been present since 2017, impacts virtually every major Linux distribution, and affects systems shipping Linux kernel 4.14+. Severity is CVSSv3 7.8 (High).
...
🔧 Technical Details
Page-cache-only privileged binary tampering → root (CVE-2026-31431): If you can obtain a kernel primitive that alters a file’s in-memory page cache without changing the file on disk, you can target a root-executed or setuid privileged binary and inject changes that exist only at runtime. Trigger execution of the privileged binary to run attacker-controlled content and escalate to root. Because the disk file remains unchanged, disk-based integrity checks may not detect the tampering; the changes disappear after reboot or cache eviction.
Attack-surface reduction by removing the vulnerable kernel entry point: When a kernel LPE is reachable through a specific optional interface, you can sometimes break exploitation by preventing that interface from initializing or loading. For Copy Fail, Tenable cites disabling the `algif_aead` module via a modprobe `install ... /bin/false` rule (and unloading it), or blacklist...
🤖 Agent Actions
I’m mapping the repo first and then reading the Linux/kernel privilege escalation pages that are closest to Dirty COW, Dirty Pipe, and page-cache abuse so the placement decision is defensible.
The initial scan shows there is no existing Copy Fail coverage, but there are several nearby pages on Linux kernel exploitation and write-to-root primitives. I’m reading those now to decide whether this belongs in an existing kernel exploitation page or a dedicated page under the Linux privilege escalation tree.
I’ve narrowed this to one of two places: `write-to-root.md` for the primitive itself, or a dedicated Linux privesc page if the technique is distinct enough. Before editing, I’m validating the mechanics against the disclosure thread, the upstream fix, and the public PoC so the content stays technique-focused rather than CVE-focused.
I’ve decided to update `write-to-root.md` instead of creating a new page. The new material fits that page’s theme better than a CVE-specific page, and it avoids spreading essentially one primitive across multiple files.
I’m patching `write-to-root.md` by adding a generic page-cache-only file modification section, not a Copy Fail write-up. The goal is to capture the reusable privesc primitive, the AF_ALG + `splice()` access path, and the mitigation/detection implications without duplicating CVE timeline material.
The patch is in place. I’m doing one last pass on the rendered structure and diff to make sure the file still ends with a single `## References` block and the training include remains intact.
Updated write-to-root.md with a new section for the page-cache-only privileged binary tampering primitive, using Copy Fail only as the example path. I kept it technique-focused: how cached file-backed pages can be turned into a runtime-only write primitive, why this differs from Dirty COW / Dirty Pipe, how `AF_ALG` + `splice()` enabled it here, and what to check or disable (`algif_aead`) when assessing exposure.
Only that one file was modified. I also updated the file’s final `## References` section with the Tenable post, oss-security disclosure, kernel fix, advisory, and Theori/Xint writeup. No automated tests were needed for this markdown-only change.
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
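The `algif_aead` exposure check mentioned in the description above, as an added example that is not part of the PR or of the Tenable post. It reports whether the module is built in, currently loaded, blocked by an `install ... /bin/false` rule, only blacklisted, or loadable. The function names and output tokens are assumptions made for illustration, and only one modprobe.d directory is scanned.

```shell
#!/bin/sh
# Added example: classify algif_aead exposure. File and directory arguments
# default to the live system; tests can pass constructed files instead.
MOD_RE='algif[-_]aead'   # modprobe treats '-' and '_' as equivalent

module_loaded() {    # $1: file in /proc/modules format
    grep -Eq "^${MOD_RE} " "${1:-/proc/modules}" 2>/dev/null
}

module_builtin() {   # $1: modules.builtin of the running kernel
    grep -Eq "/${MOD_RE}\.ko" \
        "${1:-/lib/modules/$(uname -r)/modules.builtin}" 2>/dev/null
}

modprobe_rule() {    # $1: modprobe.d dir; prints install-blocked|blacklisted|none
    rules=$(cat "${1:-/etc/modprobe.d}"/*.conf 2>/dev/null || true)
    if printf '%s\n' "$rules" |
        grep -Eq "^[[:space:]]*install[[:space:]]+${MOD_RE}[[:space:]]+/bin/false"; then
        echo install-blocked
    elif printf '%s\n' "$rules" |
        grep -Eq "^[[:space:]]*blacklist[[:space:]]+${MOD_RE}([[:space:]]|\$)"; then
        echo blacklisted
    else
        echo none
    fi
}

assess() {           # $1 proc-modules file, $2 modprobe.d dir, $3 modules.builtin
    if module_builtin "$3"; then
        echo builtin          # compiled in: modprobe rules cannot remove it
    elif module_loaded "$1"; then
        echo loaded           # a rule only stops future loads; unload it too
    else
        case $(modprobe_rule "$2") in
            install-blocked) echo blocked ;;
            blacklisted)     echo blacklist-only ;;
            *)               echo loadable ;;
        esac
    fi
}

assess "$@"   # no arguments: inspect this host
```

`blacklist-only` is reported separately because, per modprobe.d(5), `blacklist` only makes modprobe ignore a module's internal aliases.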