Patch Your Kernel NOW: 732-byte Python rootkit, cracks all distros since 2017
A critical Linux kernel vulnerability, CVE-2026-31431 ('Copy Fail'), allows local privilege escalation by exploiting a page-cache corruption flaw in the algif_aead subsystem, affecting all major distributions since 2017. The vulnerability enables unprivileged users to modify in-memory representations of system files like /etc/passwd without altering the on-disk version, potentially gaining root access. Proof-of-concept Python scripts have been released to detect and exploit the issue; immediate patching is urged.
- CVE-2026-31431 is a local privilege escalation vulnerability in the Linux kernel's AF_ALG in-place AEAD operation, present since commit 72548b093ee3 in 2017.
- The exploit corrupts page-cache copies of files such as /etc/passwd using a 4-byte scratch write, allowing UID modification to gain root privileges.
- Proof-of-concept tools are written in pure Python 3.10+ and do not require external dependencies.
- The vulnerability affects Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 14.3, and SUSE 16, though the underlying issue predates these versions.
- The on-disk file remains unchanged, making detection difficult without inspecting in-memory page cache state.
Opening excerpt (first ~120 words)
CVE-2026-31431 ("Copy Fail") Toolkit
Detector and proof-of-concept LPE for the Linux algif_aead / authencesn page-cache scratch-write bug disclosed 2026-04-29.
Disclosure writeup: https://xint.io/blog/copy-fail-linux-distributions
Authorization
Use only on hosts you own or are explicitly engaged to assess. The LPE modifies in-memory state (page cache) but the technique is real privilege escalation — running it on systems without authorization is illegal in most jurisdictions.
Vulnerability summary
algif_aead runs AEAD operations in-place (req->src == req->dst). When the source data is fed in via splice() from a regular file, the destination scatterlist contains references to the file's page-cache pages — i.e. the kernel will write into them.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at GitHub.
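The last summary bullet notes that the on-disk file stays unchanged, so a detector has to compare the page-cache view of /etc/passwd with what is actually on disk. The following is an added defender-side example, not the toolkit's own detector: it assumes the tampered pages are not written back (so an O_DIRECT read still returns the on-disk bytes) and that the filesystem accepts O_DIRECT; the passwd lines are constructed samples, not captured data.

```python
import mmap
import os

# Constructed sample (not captured from a real host): the page-cache view has
# alice's UID rewritten to 0 while the on-disk copy still says 1000.
CACHED_VIEW = b"root:x:0:0:root:/root:/bin/bash\nalice:x:0:1000::/home/alice:/bin/bash\n"
ON_DISK_VIEW = b"root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n"

def parse_passwd(data: bytes) -> dict:
    """Map account name -> uid for every well-formed passwd line."""
    users = {}
    for line in data.decode(errors="replace").splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[fields[0]] = int(fields[2])
    return users

def read_bypassing_page_cache(path: str) -> bytes:
    """O_DIRECT read served from the block device, not the page cache (assumption: tampered
    pages are not dirty). Needs a page-aligned, block-multiple buffer, hence the anonymous
    mmap. Raises OSError (EINVAL) on tmpfs or some overlayfs setups that reject O_DIRECT."""
    fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
    try:
        pages = max(1, -(-os.fstat(fd).st_size // mmap.PAGESIZE))
        buf = mmap.mmap(-1, pages * mmap.PAGESIZE)
        try:
            n = os.readv(fd, [buf])  # short read at EOF is fine
            return bytes(buf[:n])
        finally:
            buf.close()
    finally:
        os.close(fd)

def compare_views(cached: bytes, on_disk: bytes) -> list:
    """Findings: raw mismatch, plus any account that is UID 0 only in the cached view."""
    findings = []
    if cached != on_disk:
        findings.append("page-cache view differs from on-disk contents")
    cached_users, disk_users = parse_passwd(cached), parse_passwd(on_disk)
    for name, uid in cached_users.items():
        if uid == 0 and disk_users.get(name) != 0:
            findings.append(f"{name}: uid {disk_users.get(name)} on disk, 0 in page cache")
    return findings

def check_file(path: str = "/etc/passwd") -> list:
    """Ordinary read() is served from the page cache; compare it with the O_DIRECT view."""
    with open(path, "rb") as f:
        cached = f.read()
    return compare_views(cached, read_bypassing_page_cache(path))
```

A mismatch can also be a benign race if the file is being rewritten at that moment, so re-check before acting on a finding.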