CVE-2026-31431 “Copy Fail”: a 732-byte pure-Python LPE exploits algif_aead + splice() to corrupt /etc/passwd page cache and gain root on Linux kernels since 2017.
Key Takeaways
Root cause: algif_aead performs AEAD ops in-place; when source is splice()d from a file, the kernel writes a 4-byte AAD scratch (seqno_lo) directly into that file’s page-cache page.
The on-disk file is never touched, leaving no signature; only in-memory page cache is corrupted, making detection hard.
exploit_cve_2026_31431.py rewrites the UID field in /etc/passwd’s page cache to 0000, then calls su for a root shell using the user’s own password via PAM.
Confirmed affected: Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 14.3, SUSE 16; any kernel with commit 72548b093ee3 (2017) unreverted is vulnerable.
Immediate mitigation: disable algif_aead via modprobe.d and rmmod; upstream fix reverts in-place AEAD to out-of-place to keep page-cache pages out of writable scatterlists.
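A check for the immediate mitigation above, as an added example (not code from the advisory or the kernel project). It reports whether algif_aead is currently loaded and whether a modprobe.d rule actually blocks on-demand loading. The function name, status strings and return codes are assumptions made for this sketch; the paths are the standard modprobe.d locations.

```shell
#!/bin/sh
# Added example: verify the algif_aead mitigation state on a host.
# Usage: algif_aead_status [MODULES_FILE] [CONF_DIR ...]
# Arguments default to the live system; pass collected copies to audit offline.
# Return codes (assumed convention): 0 mitigated, 1 not blocked, 2 module loaded.
algif_aead_status() {
    modules_file=${1:-/proc/modules}
    if [ $# -gt 0 ]; then shift; fi
    if [ $# -eq 0 ]; then
        set -- /etc/modprobe.d /run/modprobe.d /usr/lib/modprobe.d /lib/modprobe.d
    fi
    loaded=no blocked=no blacklist_only=no

    # /proc/modules lists one loaded module per line, name first.
    if [ -r "$modules_file" ] && grep -q '^algif_aead ' "$modules_file"; then
        loaded=yes
    fi

    for dir in "$@"; do
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            # modprobe treats '-' and '_' in module names as equivalent.
            if grep -Eq '^[[:space:]]*install[[:space:]]+algif[-_]aead[[:space:]]+(/usr)?/bin/(false|true)' "$f"; then
                blocked=yes
            elif grep -Eq '^[[:space:]]*blacklist[[:space:]]+algif[-_]aead([[:space:]]|$)' "$f"; then
                # "blacklist" only suppresses alias matching; a request for the
                # module by name (as AF_ALG socket setup does) still loads it.
                blacklist_only=yes
            fi
        done
    done

    if [ "$loaded" = yes ]; then
        echo "LOADED: algif_aead is in the running kernel; rmmod it"
        return 2
    elif [ "$blocked" = yes ]; then
        echo "MITIGATED: install override present and module not loaded"
        return 0
    elif [ "$blacklist_only" = yes ]; then
        echo "WEAK: blacklist rule only; use an install override instead"
        return 1
    fi
    echo "UNMITIGATED: no modprobe.d rule; module can load on demand"
    return 1
}
```

A rule in modprobe.d does nothing for a module that is already resident, which is why the loaded state takes priority over any configuration found.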
Hacker News Comment Review
Minimal discussion so far; one commenter confirmed the fix is applied on CachyOS 7.0.2-2, pointing to the live exploit demo at copy.fail.
A Debian CVE tracker link was shared, useful for Debian/Ubuntu users tracking patch status.