pwndbg> info breakpoints

0 TLDR

The name "Copy Fail" is almost ironic. The "copy" is not a normal copy into a private buffer; it is zero-copy splice() carrying a file-backed page reference into the crypto scatterlist path. The "fail" fails as a safety boundary: the AEAD decrypt may return an authentication error, but only after authencesn() has already corrupted the page cache.

This post is the full kill chain: page cache, pipes, splice(), AF_ALG, AEAD request construction, scatterlist walking, the authencesn() scratch write, and finally the PoC path from a 4-byte primitive to code execution. It is long by design. If you follow it end to end, Copy Fail stops being a mysterious one-liner exploit and becomes a clean kernel data-flow bug.

The writeup closes with multi-language exploit implementations tailored for different runtime environments in Chapter 7, for readers who want to jump straight to the final exploits.

Post navigator:

CopyFail Jump Map

01Preface Starts with the promise of the bug: not disk corruption, but a poisoned page-cache view of a read-only executable.

1.1Copy Fail Overview

The clean exploit picture before the machinery is unfolded.

1.2Page Cache Corruption

Why the target is the cached page consumed by exec, not the file on disk.

1.3Study Resources

The outside material used to frame the research path.

02Environment Setup Pins the vulnerable lab and pre-install runtime debugging tooling for later observations.

2.1Lab Baseline

Freezes the target kernel and prepares the analysis machine.

2.1.1 Ubuntu Image Installation 2.1.2 Tooling Installation

2.2Kernel Symbols and Source Mapping

Makes bpftrace, GDB, and source references line up.

03Kernel Prerequisites Must-know kernel insights: file-backed exec, pipe buffers, splice, AF_ALG socket, scatterlists, the vulnerable authencesn decrypt implementation.

3.1File-backed Execution and Page Cache

Shows where executable bytes actually come from once a file is mapped and faulted in.

3.1.1 File-backed Executable Mappings 3.1.2 ELF Loading Through Execve 3.1.3 Linux Page Cache 3.1.3.1 Runtime Cache Inspection 3.1.3.2 Page-cache Object Model 3.1.3.3 Executable Fault Path 3.1.3.4 Cache Lookup 3.1.3.5 Buffered Read Path 3.1.3.6 Page-cache Takeaway 3.1.4 Page-cache Write Boundary

3.2Pipe Buffers and Zero-copy Splice

Explains how a file page reference can move without becoming a private userspace copy.

3.2.1 Pipe Buffer Model 3.2.2 Page References in Pipe Buffers 3.2.3 Zero-copy Transfer Model 3.2.4 Splice-backed Page Movement 3.2.4.1 File -> Pipe 3.2.4.2 Pipe -> Socket

3.3AF_ALG Crypto Request Pipeline

Follows crypto socket input until it becomes an AEAD request backed by scatterlists.

3.3.1 AF_ALG Socket Interface 3.3.1.1 Userspace Call Pattern 3.3.1.2 Algorithm Selection 3.3.1.3 AF_ALG Family Resolution 3.3.1.4 Control Socket and Operation Socket Split 3.3.1.5 AEAD Request Submission 3.3.2 AEAD Buffer Contract 3.3.3 Scatterlist Through Scatterwalk 3.3.3.1 Logical View 3.3.3.2 Scatterlist Entry Layout 3.3.3.3 Scatterlist Chaining 3.3.3.4 Scatterwalk Mechanics 3.3.3.5 Output-boundary Crossing 3.3.4 AEAD Request Scatterlist Construction 3.3.4.1 Socket SGLs and Crypto Request SGLs 3.3.4.2 Encryption Request Layout 3.3.4.3 Decryption Request Layout 3.3.4.4 Final AEAD Request Wiring

3.4Authencesn Decrypt Path

Pins the bug to the destination-side write that crosses the output boundary.

3.4.1 AEAD Decrypt Callback Dispatch 3.4.2 The Destination-Side Scratch Writes 3.4.3 Authencesn ESN Shuffle 3.4.4 Decrypt-boundary Write Offset

04Vulnerability AnatomyTurns the prerequisites into the exploit chain and shows where the abstract bug becomes a concrete cached-page write.

4.1Vulnerability Overview

Condenses the chain into the security invariant that fails.

4.2Copy Fail Exploit Chain

Lays out the attacker-controlled data flow in exploit order.

4.3Vulnerable Execution Path

Walks through the kernel path from page installation to code execution.

4.3.1 File-to-pipe Page Installation 4.3.2 Pipe Page Into TX Scatterlist 4.3.3 Chained Decrypt Request Layout 4.3.4 Authencesn Scratch Write 4.3.5 Page-cache Overwrite Primitive 4.3.6 Syscall-level Primitive 4.3.7 Execution from Corrupted Cache

05PoC WalkthroughShrinks the vulnerability into a lab primitive, then proves the four-byte write with C and Python implementations.

5.1Lab Target

Creates the controlled file that makes the overwrite easy to see.

5.2Offset and Layout Choreography

Lines up scratch write position, tag tail, and file offset.

5.2.1 Scratch Write Boundary 5.2.2 Ciphertext and Tag Window 5.2.3 Final Lab Offsets

5.3Primitive Shape

Defines the constants, buffers, and syscall order used by both PoCs.

5.3.1 UAPI Constants 5.3.2 Transform Configuration 5.3.2.1 Key Blob Layout 5.3.2.2 Authentication Tag Size 5.3.3 Request Metadata 5.3.4 Write Source Vs Write Target 5.3.5 Syscall Ordering

5.4PoC in C

A direct C version of the primitive with native Linux syscalls.

5.4.1 C PoC 5.4.2 Verification

5.5PoC in Python

An easy-understanding Python version with in-place logic.

5.5.1 Python PoC 5.5.2 Verification

06Hack in MotionMoves from static reasoning to runtime proof, watching the page travel through splice and crypto code.

6.1Instrumentation Setup

Prepares the tracing environment.

6.2Page Cache Before and After

Shows the cached bytes changing while disk stays clean.

6.3Inspect File to Pipe

Confirms the file-backed page enters the pipe path.

6.4Inspect Pipe to AF_ALG

Shows that the same page-backed data reaches the crypto socket.

6.5Inspect Authencesn Scratch Write

Catches the vulnerable write at the final boundary.

07Exploit ImplementationsStarts with the official 732-byte exploit, then rebuilds the technique into readable and portable variants.

7.1Official Release

Decodes the authencesn key blob and the compressed ELF payload.

7.1.1 732-byte Python Exploit 7.1.2 Artifacts From Origin 7.1.2.1 Authencesn Key Blob 7.1.2.2 Zlib Payload Blob

7.2Full Python Script

A clearer and tuned Python exploit.

7.3C Exploit

Moves arbitrary payload construction and the exploit driver into a C workflow.

7.3.1 Arbitrary Code Execution 7.3.1.1 Shellcode + Manual ELF Carrier 7.3.1.2 Direct ELF Payload From msfvenom 7.3.2 C Exploit Script

7.4Assembly Exploit

A syscall-only reference implementation.

7.5Perl Exploit

A runtime-friendly port for machines where may be sandboxed but Perl is available.

7.6BusyBox-only Exploit

A self-extracting runner for constrained environments.

08AppendixCollects the reference material: source links, structure names, syscall reminders, probes, and mitigation notes.

8.1Kernel Source References

Primary source links for the functions used in the chain.

8.2Important Structures Cheat Sheet

The key structs behind page cache, pipe, socket, and crypto state.

8.3Syscall Cheat Sheet

The exploit syscall sequence in reference form.

8.4Bpftrace Scripts

Reusable probes for runtime verification.

8.5Mitigation

Patch and hardening notes.

1 Preface

1.1 Copy Fail Overview

"Copy Fail" is the name given to CVE-2026-31431, a Linux kernel vulnerability that allows a low-priviledge user to instantly escalate to root, by overwriting the protected page-cache kernel memory which belongs to any read-only files.

The vulnerability exists in the interaction between:

the Linux kernel crypto subsystem (AF_ALG),
Linux zero-copy pipe mechanisms (splice()),
and page-cache buffer handling.

Under the vulnerable scenario, the kernel mistakenly allows attacker-controlled data to be copied into file-backed cached pages, that should never become writable through unprivileged operations.

The conceptual attack flow looks like this:

    userspace                        kernel
════════════════════════════════════════════════════

 normal process
       │
       │ socket(AF_ALG) + splice()
       │
       ▼
┌───────────────────┐            ┌──────────────────────┐
│ vulnerable "copy" │───────────▶│ page cache corruption│
└───────────────────┘ unintended │ (readonly file page) │                   
                      write      └──────────┬───────────┘   
                                            │
                                            │ cached executable 
┌────────────────────┐                      │ code page modified
│ target SUID binary │ ◀────────────────────┘
└────────┬───────────┘             
         │
         │ executes modified code
         │
         ▼
        root

    userspace                        kernel
════════════════════════════════════════════════════

 normal process
       │
       │ socket(AF_ALG) + splice()
       │
       ▼
┌───────────────────┐            ┌──────────────────────┐
│ vulnerable "copy" │───────────▶│ page cache corruption│
└───────────────────┘ unintended │ (readonly file page) │                   
                      write      └──────────┬───────────┘   
                                            │
                                            │ cached executable 
┌────────────────────┐                      │ code page modified
│ target SUID binary │ ◀────────────────────┘
└────────┬───────────┘             
         │
         │ executes modified code
         │
         ▼
        root

The high-level picture is clean and easy to understand. Historically, many Linux kernel privilege escalations relied on fragile timing windows, TOCTOU bugs, or memory races, with Dirty COW being the classic example. Copy Fail, however, behaves much more deterministically with page cache corruption driven through kernel data-flow.

1.2 Page Cache Corruption

Unlike traditional file corruption vulnerabilities, Copy Fail does not directly modify the file stored on disk. Instead, it corrupts the in-memory page-cache representation of the file maintained by the Linux kernel.

If we are familiar with how Linux userspace memory maps into kernel, the concept is trial to understand:

      disk                             kernel
════════════════════════════════════════════════════
   [VICTIM]
┌──────────────┐  mapped into physical memory
│ /usr/bin/su  │──────────────────────────┐
└──────────────┘                          │         
any SUID binary                           │
original bytes                            │    
                                          │
                                          ▼
                  [TARGET]     ┌────────────────────┐
             cached .text page │  page cache page   │
             executable in RAM └──────────┬─────────┘
                                          │
                                          │ Copy Fail
                                          │ corrupts here
   [TRIGGER]    SUID process maps         ▼
┌─────────────┐ corrupted code   ┌─────────────────┐ 
│ User calls  │─────────────────▶│ corrupted .text │
│ /usr/bin/su │                  │ page in cache   │ 
└──────┬──────┘                  └────────┬────────┘                            
       │                                  │
       ▼                 shell code       │
 exected as root  ◀───────────────────────┘

      disk                             kernel
════════════════════════════════════════════════════
   [VICTIM]
┌──────────────┐  mapped into physical memory
│ /usr/bin/su  │──────────────────────────┐
└──────────────┘                          │         
any SUID binary                           │
original bytes                            │    
                                          │
                                          ▼
                  [TARGET]     ┌────────────────────┐
             cached .text page │  page cache page   │
             executable in RAM └──────────┬─────────┘
                                          │
                                          │ Copy Fail
                                          │ corrupts here
   [TRIGGER]    SUID process maps         ▼
┌─────────────┐ corrupted code   ┌─────────────────┐ 
│ User calls  │─────────────────▶│ corrupted .text │
│ /usr/bin/su │                  │ page in cache   │ 
└──────┬──────┘                  └────────┬────────┘                            
       │                                  │
       ▼                 shell code       │
 exected as root  ◀───────────────────────┘

After the page-cache corruption, the victim binary, such as a SUID executable owned by root, can still appear untouched on disk — but the executable bytes consumed by the kernel may already be modified in memory.

That results in a jalibreak on a critical kernel security invariant:

Kernel read-only cached file pages must never become writable through unprivileged users.

1.3 Study Resources

Articles worth reading to have an initial overview of the vulnerability and kernel exploitation, that are referenced throughout this writeup:

Linux kernel programming: GitHub - PacktPublishing/Linux-Kernel-Programming
Linux network programming: GitHub - nguyenchiemminhvu/LinuxNetworkProgramming
Copy Fail official page: Copy Fail — CVE-2026-31431
Copy Fail official writeup: Copy Fail: 732 Bytes to Root on Every Major Linux Distribution. - Xint

Pages: 1 2 3 4 5 6 7 8

CVE-2026-31431 Copy Fail: When the Copy Is Not a Copy and the Failure Comes Too Late

0 TLDR

1 Preface

1.1 Copy Fail Overview

1.2 Page Cache Corruption

1.3 Study Resources

HTB Writeup – SmartHire

HTB Writeup – Reactor

Comments | NOTHING

Cancel Reply