# Copy Fail - CVE-2026-31431

[Technical Writeup](https://xint.io/blog/copy-fail-linux-distributions)

## Tested Distro / Version
A list of the most recent versions effected.

### x86
|    Distro   |    Version       |
|-------------------|--------------------------|
| Amazon Linux 2023 | 6.18.8-9.213.amzn2023    |
| Alphine Linux     | 6.18.25-0-virt #1-Alpine |
| Ubuntu 24.04 LTS  | 6.17.0-1007-aws          |
| RHEL 10.1         | 6.12.0-124.45.1.el10_1   |
| SUSE 16           | 6.12.0-160000.9-default  |
| NixOS 25.11       | 6.12.83                  |
| Trisquel 12       | 6.18.21-generic-libre    |
| GUIX              |  ????????????            |
| ChromeOS  |  ????????????            |
| OpenWRT   | ??????????               |

This exploit effects DOCKER containers, but not VMs.

### aarch64
|    Distro   |    Version       |
|-------------------|-------------------------|
| Asahi Linux       | 6.19.14-asahi           |
| Ubuntu 24.04 ARM LTS  |  6.17.0-1011-oracle |
| RaspbianOS ?   |  ????  |

### unaffected
|    Distro   |    Version       | Reason |
|-------------------|-------------------------|---------|
| Devuan | 6.12.74+deb13+1-amd64 | algif_aead is not used by kernel |
| Debian 12 | 6.1.0-40-amd64 | Predates the exploit occurance (6.1.0-41 works)|
| Android 16 | 6.1.166-android14-11 | Permission to create socket in busybox not allowed |

## Files
check.sh - makes a check to see if the exploitable crypto module is loaded.
mitigate.sh - unloads the exploitable crypto module, chances are you didnt need it anyway.

copy_fail.py - the complete exploit writeup in plain python code.


copy_fail_exp.py - the exploit in pure python for x86 systems.
copy_fail_exp_aarch64.py - the exploit in pure python for aarch64 systems.


run to get the file as a non-privilaged user.
```
 curl https://git.jonstarkey.co.uk/jon/CVE-2026-31431-tools/raw/branch/main/copy_fail_exp.py
```
or
```
 curl https://git.jonstarkey.co.uk/jon/CVE-2026-31431-tools/raw/branch/main/copy_fail_exp_aarch64.py

```