CVE-2026-31431

This repository contains a functional exploit for CVE-2026-31431, a Linux kernel vulnerability in the AF_ALG AEAD interface that allows unprivileged users to write arbitrary data to the page cache of readable files, bypassing file permissions and integrity checks. The exploit demonstrates local privilege escalation by modifying /etc/passwd to remove the root password.

This repository contains a functional C-based exploit for CVE-2026-31431, a Linux kernel privilege escalation vulnerability in the AF_ALG interface. The exploit manipulates kernel memory via splice system calls to overwrite /bin/su with a malicious payload, granting root access.

This repository provides two eBPF programs to mitigate CVE-2026-31431, a local privilege escalation vulnerability involving AF_ALG socket creation. The programs either filter or kill processes attempting to exploit the vulnerability, depending on kernel support for eBPF LSM.

This repository contains a Go implementation of CVE-2026-31431, a Linux local privilege escalation (LPE) exploit targeting a vulnerability in the AF_ALG cryptographic socket interface. The exploit leverages a logic flaw to overwrite page cache contents, allowing arbitrary file modification and privilege escalation.

This repository contains a functional exploit for CVE-2026-31431, leveraging an AF_ALG aead vulnerability to achieve cross-container escape by injecting a persistent hook into the page-cache of libc.so.6, allowing command execution in sibling containers sharing the same image layer.

This repository provides a detection toolkit for CVE-2026-31431, a Linux kernel local privilege escalation vulnerability. It includes tools for checking vulnerability exposure, detecting exploitation via auditd, eBPF, and page-cache comparison, and mitigating the risk.

This repository contains a Go-based proof-of-concept exploit for CVE-2026-31431, targeting a Linux kernel vulnerability via the AF_ALG interface and splice(2) system calls. The PoC is designed to trigger the vulnerability and includes embedded payloads for different architectures (amd64, arm64, 386).

This repository provides a mitigation suite for CVE-2026-31431, focusing on the Linux AF_ALG subsystem. It includes tools for runtime observability, configuration hardening, and kernel state auditing, but does not contain exploit code.

This repository contains a functional exploit for CVE-2026-31431, a container escape vulnerability leveraging runC. The exploit uses AF_ALG socket operations to manipulate memory and achieve privilege escalation, allowing execution of arbitrary commands (e.g., 'su') outside the container.

This repository contains a functional exploit PoC for CVE-2026-31431 (CopyFail), which allows unprivileged users to mutate files in the Linux page cache. It includes multiple exploit vectors (su, passwd, pam) and detection tools to identify tampering.

This repository provides a detailed technical analysis and mitigation strategies for CVE-2026-31431, a local privilege escalation vulnerability in the AF_ALG `authencesn` page-cache primitive. It includes a defense-in-depth approach with an LD_PRELOAD shim and a host auditor, but does not contain functional exploit code.

This repository contains a BPF-LSM mitigation for CVE-2026-31431, a privilege escalation vulnerability in the Linux kernel crypto API (AF_ALG). The PoC blocks AF_ALG socket creation via a BPF program attached to the socket_create hook, preventing exploitation of the vulnerability.

This repository contains a functional exploit for CVE-2026-31431, demonstrating a cache poisoning vulnerability in the Linux kernel's AF_ALG socket interface. The exploit patches arbitrary files by manipulating the kernel's crypto API through crafted socket operations.

The exploit leverages a Linux kernel vulnerability (CVE-2026-31431) to achieve local privilege escalation by manipulating socket options and splicing file descriptors. It overwrites the `/usr/bin/su` binary with a malicious payload, then executes it to gain root access.

The repository contains a functional exploit for CVE-2026-31431, a Linux kernel local privilege escalation vulnerability. The exploit leverages a logic flaw in the `splice()` function combined with the `authencesn` AEAD implementation to achieve arbitrary write access to read-only file page caches, leading to privilege escalation.

This repository contains multiple functional exploit implementations (Python, C, Perl, assembly) for CVE-2026-31431, a Linux local privilege escalation vulnerability involving improper handling of file copies in the kernel's splice mechanism. The exploits demonstrate a memory corruption primitive to overwrite target binaries with attacker-controlled code.

The repository contains a Go-based tool ('vcheck') designed to audit remote Linux hosts over SSH for specific kernel-module vulnerabilities (CVE-2026-31431, CVE-2026-43284, CVE-2026-43500). It checks for loaded modules, kernel logs, and blacklist status, and can optionally apply mitigations by blacklisting vulnerable modules.

This repository contains a functional local privilege escalation exploit for CVE-2026-31431, leveraging AF_ALG + splice() + authencesn to corrupt the page cache of a setuid binary (e.g., /usr/bin/su) and inject a malicious ELF payload. The exploit includes both Python and C implementations, along with detection and mitigation scripts.

This repository contains an Ansible playbook designed to mitigate CVE-2026-31431 (CopyFail) and CVE-2026-43284 (DirtyFrag) by unloading and disabling vulnerable kernel modules (algif_aead, esp4, esp6, rxrpc). It includes checks for loaded modules and persists mitigation via modprobe configuration.

This repository contains a functional exploit for CVE-2026-31431, a local privilege escalation vulnerability in Linux kernels 4.11 to 6.17.x. The exploit leverages a flaw in the AF_ALG socket interface's handling of scatter-gather lists during AEAD decryption to overwrite arbitrary readable file page cache, enabling privilege escalation by modifying setuid binaries.

This repository provides a defensive toolkit for assessing and mitigating exposure to CVE-2026-31431, a Linux kernel vulnerability in the `algif_aead` / `AF_ALG` component. It includes scripts for exposure assessment, mitigation via modprobe blocking, and seccomp profile generation, but does not contain an actual exploit.

This repository provides a detailed technical analysis of CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel's cryptographic subsystem (algif_aead). The writeup includes root cause analysis, exploitation steps, affected versions, and mitigation strategies.

This repository provides a bash script to detect the presence and vulnerability status of the `algif_aead` local root vulnerability (CVE-2026-31431) in Linux systems. It checks kernel configuration, module state, AF_ALG socket reachability, and applied mitigations without executing exploit code.

This repository contains a functional Rust-based exploit for CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel's `algif_aead` module. The exploit leverages a logic flaw to overwrite page cache contents of setuid binaries, granting root access. It also includes a defensive eBPF-based tool to block the exploit.

This repository contains a functional exploit for CVE-2026-31431, a Linux kernel vulnerability in the AF_ALG crypto subsystem that allows a 4-byte arbitrary write in the page cache, leading to local privilege escalation (LPE). The exploit dynamically calculates ELF entry point offsets to overwrite SUID binaries with shellcode, making it universally applicable across different kernel and binary versions.

The repository claims to be an exploit for CVE-2026-31431 but lacks actual exploit code, instead promoting external downloads and additional features like payload encryption and multi-architecture support without technical details.

This repository contains a functional Rust-based exploit for CVE-2026-31431, a Linux kernel vulnerability in AF_ALG and splice() that allows local privilege escalation via arbitrary page cache writes. The exploit includes shellcode execution capabilities and supports custom payloads like Meterpreter.

This repository contains functional exploit code for CVE-2026-31431, a Linux local privilege escalation (LPE) vulnerability. The exploit leverages an AF_ALG/splice page-cache overwrite primitive to modify runtime views of privileged files (e.g., `su`, PAM configurations) to gain root access. The code includes multiple modes for patching, reverting, and helper binary creation.

The exploit leverages a Linux kernel vulnerability (CVE-2026-31431) to achieve local privilege escalation by manipulating socket options and splicing file descriptors. The PoC overwrites the `/usr/bin/su` binary with a malicious payload, then executes it to gain root access.

This repository contains a defensive bash script that checks for the presence and loadability of the algif_aead kernel module, which is associated with CVE-2026-31431 (Copy Fail). It does not exploit the vulnerability but scans for potential exposure.

This repository contains a functional bash script that exploits CVE-2026-31431, a Linux kernel vulnerability in the AF_ALG AEAD socket interface. The exploit allows local privilege escalation by corrupting the page cache of setuid binaries via a deterministic 4-byte write, leading to root access.

This repository provides a mitigation script and detailed documentation for CVE-2026-31431, a Linux kernel vulnerability in the `algif_aead` module that allows local privilege escalation. The script disables the vulnerable module, updates the kernel, and optionally sets up automated updates.

The repository contains a functional Python exploit for CVE-2026-31431, a Linux kernel vulnerability in the `authencesn` AEAD template that allows local privilege escalation by corrupting `/usr/bin/su` in memory via a 4-byte out-of-bounds write.

This repository contains a functional BPF LSM program that blocks AF_ALG socket creation and logs attempts via a ring buffer to userspace, addressing CVE-2026-31431. The exploit includes both kernel-space BPF code and a userspace daemon for logging.

This repository contains a read-only detection script for CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel's algif_aead module. The script checks kernel versions, module status, and distro-specific patches without executing any exploit code.

This repository contains a detection script for CVE-2026-31431, a Linux kernel local privilege escalation vulnerability in the algif_aead module. The script checks kernel versions, module status, and distribution-specific patches without exploiting the vulnerability.

The repository contains a functional exploit for CVE-2026-31431, a Linux kernel local privilege escalation vulnerability in the `algif_aead` cryptographic subsystem. The exploit leverages a 4-byte write primitive into the page cache to patch setuid binaries like `/usr/bin/su` and achieve root access.

This repository is a scaffold for a kernel security framework targeting multiple CVEs, including CVE-2026-31431, but lacks functional exploit code. The files are placeholders with minimal implementation, as indicated by 'scaffold' status and TODO comments.

This repository provides a detailed technical analysis of CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel's AF_ALG subsystem, specifically the algif_aead module. It includes root cause analysis, affected versions, exploitation details, and mitigation strategies.

This repository contains a Python CLI tool designed to detect and mitigate CVE-2026-31431, a privilege escalation vulnerability in the Linux kernel's `algif_aead` module. It does not include exploit code but provides detection and temporary mitigation capabilities.

This repository contains a functional proof-of-concept exploit for CVE-2026-31431, a Linux kernel vulnerability involving faulty in-place handling in the `algif_aead` path. The exploit leverages `AF_ALG`, `splice()`, and file-backed pages to corrupt the page cache, leading to privilege escalation.

This Python script exploits a socket-based vulnerability (CVE-2026-31431) to achieve local privilege escalation by manipulating socket options and file descriptors. It binds to a socket with unusual parameters, sends crafted messages, and attempts to execute '/bin/su' with elevated privileges.

The repository contains a functional exploit for CVE-2026-31431, a Linux kernel local privilege escalation vulnerability in the `algif_aead` cryptographic subsystem. The exploit leverages a 4-byte write primitive into the page cache to patch a setuid binary and escalate privileges to root.

This repository provides a detailed technical analysis of CVE-2026-31431, a Linux kernel privilege escalation vulnerability in the AF_ALG socket interface. It explains the memory corruption mechanism, attack flow, and defensive measures but does not include functional exploit code.

This repository contains functional exploit code for CVE-2026-31431, a local privilege escalation (LPE) vulnerability in the Linux kernel's cryptographic subsystem (algif_aead). The exploit leverages a bug in the page cache handling to overwrite 4 bytes in any readable file, allowing privilege escalation to root.

This repository contains a functional exploit for CVE-2026-31431, demonstrating a local privilege escalation (LPE) vulnerability. The exploit includes binaries for verification and execution, along with detailed steps for usage and mitigation.

The repository contains a functional exploit for CVE-2026-31431, a Linux kernel vulnerability that allows local privilege escalation by manipulating the page cache of files. The exploit leverages the `AF_ALG` interface and `splice()` to inject data into the page cache of a target file, enabling execution of modified content in memory.

The repository contains a functional exploit for CVE-2026-31431, a Linux kernel vulnerability in the `algif_aead` component that allows local privilege escalation via page-cache corruption. The exploit targets `/usr/bin/su` to gain root access.

This repository contains a functional Python exploit for CVE-2026-31431, a Linux kernel vulnerability in AF_ALG/algif_aead that allows page-cache corruption. The toolkit includes detection, mitigation verification, and weaponization paths for privilege escalation (setuid binary patching and /etc/passwd UID manipulation).

This repository contains a functional Python exploit for CVE-2026-31431, which leverages an AF_ALG kernel vulnerability to patch the 'su' binary in memory and escalate privileges. The exploit uses crafted socket operations and splice calls to modify executable memory.

This repository contains a Go-based PoC for CVE-2026-31431, a Linux kernel logic flaw in `authencesn` that enables a deterministic 4-byte write into page cache data via `AF_ALG` + `splice()`. The PoC is functional and includes build automation for multiple architectures.

This repository provides a detailed technical analysis and Ansible-based mitigation playbooks for CVE-2026-31431, a Linux kernel vulnerability in the `algif_aead` module. It includes audit and mitigation steps but does not contain functional exploit code.

This repository contains a functional exploit for CVE-2026-31431, adapted to work within a constrained Java environment. It leverages the AF_ALG socket interface to perform a page cache overwrite, achieving local privilege escalation (LPE) via a Java-based syscall layer and annotation processor trick.

This repository contains a functional local privilege escalation exploit for CVE-2026-31431, targeting a logic bug in the Linux kernel's `authencesn` cryptographic template. The exploit allows an unprivileged local user to perform a controlled 4-byte write into the page cache of any readable file, leading to full root compromise.

This repository contains a Go-based scanner for CVE-2026-31431, designed to detect vulnerability status across multiple Linux distributions. It checks kernel versions, module states, and changelogs without exploiting the vulnerability.

This repository provides a mitigation for CVE-2026-31431 using eBPF (block_alg.bpf.c) and a userspace component (block_alg.c). It includes a Makefile for compilation and a GPLv2 license, but no exploit code or detailed vulnerability analysis.

This repository contains a functional Rust-based exploit for CVE-2026-31431, leveraging a race condition between AF_ALG sockets and splice syscalls to corrupt page cache and overwrite SUID binaries like /bin/su for local privilege escalation.

This repository provides a mitigation script for CVE-2026-31431, a Linux kernel vulnerability in the cryptographic subsystem (algif_aead module). It includes technical details on the vulnerability and scripts to block the vulnerable module.

This repository contains a functional proof-of-concept exploit for CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel's AF_ALG cryptographic interface. The exploit leverages incorrect page cache handling during AEAD decryption to overwrite in-memory file content, granting an unprivileged user root access.

This repository contains a functional Rust implementation of the Copy Fail exploit (CVE-2026-31431), which chains AF_ALG and splice() syscalls to achieve a 4-byte page cache write, leading to local privilege escalation on vulnerable Linux kernels.

This repository contains a functional exploit for CVE-2026-31431, a Linux kernel vulnerability in the AF_ALG crypto subsystem. The exploit uses socket operations, splice(), and memory corruption to escalate privileges to root by injecting shellcode into the /usr/bin/su binary.

The exploit leverages a Linux kernel vulnerability (CVE-2026-31431) to achieve local privilege escalation by manipulating socket options and splicing file descriptors to overwrite the `/usr/bin/su` binary with a malicious payload. The payload is embedded as a compressed hex string and decompressed at runtime.

This repository contains a functional Go-based exploit for CVE-2026-31431, which leverages a memory corruption vulnerability in the Linux kernel's AF_ALG socket implementation to overwrite the `/usr/bin/su` binary with malicious shellcode, achieving local privilege escalation (LPE). The exploit demonstrates a reliable method to gain root access by corrupting page cache contents via crafted socket operations.

This repository provides a detailed technical analysis and mitigation script for CVE-2026-31431, a local privilege escalation vulnerability in the Linux Kernel affecting versions 4.10 to 6.18.x. The script includes blacklisting vulnerable kernel modules, flushing the Page Cache, and updating the kernel to a patched version.

This repository provides a detailed technical analysis and mitigation strategy for CVE-2026-31431, a Linux kernel vulnerability in the cryptographic API subsystem (AF_ALG) that allows local privilege escalation. It includes a DaemonSet for Yandex Managed Kubernetes to automatically block the vulnerable module.

This repository contains a functional exploit for CVE-2026-31431, leveraging a Linux kernel vulnerability in the AF_ALG socket interface. The exploit uses crafted messages and splice operations to achieve local privilege escalation (LPE) by manipulating kernel memory.

This repository contains a functional exploit for CVE-2026-31431, leveraging a vulnerability in the Linux kernel's AF_ALG socket implementation to achieve local privilege escalation (LPE). The exploit uses crafted messages and splice operations to trigger the vulnerability, ultimately executing `/usr/bin/su` to gain root access.

This repository contains a Go-based proof-of-concept exploit for CVE-2026-31431, targeting a Linux kernel vulnerability via the AF_ALG interface and splice(2) system calls. It includes static binaries for multiple architectures and embeds payloads for each target.

The repository contains a functional Python exploit for CVE-2026-31431, which appears to leverage a socket-based vulnerability to achieve local privilege escalation (LPE) by manipulating file descriptors and socket options. The exploit decompresses and writes a payload to `/usr/bin/su`, suggesting an attempt to overwrite or modify system binaries for privilege escalation.

This repository contains a cross-platform C exploit for CVE-2026-31431, with build workflows for multiple architectures using both glibc and musl. The exploit is statically linked and includes payload handling, indicating a functional proof-of-concept.

The repository contains a functional exploit for CVE-2026-31431, a Linux kernel local privilege escalation vulnerability. The exploit leverages a flaw in the `splice()` function combined with the `authencesn` AEAD implementation to achieve root access by manipulating page cache references.

The repository contains a functional exploit for CVE-2026-31431, a Linux kernel local privilege escalation vulnerability. The exploit leverages a flaw in the `splice()` function combined with the `authencesn` cryptographic module to achieve root access by manipulating page cache references.

This repository contains a functional exploit for CVE-2026-31431, leveraging an AF_ALG + splice() page-cache-mutation vulnerability to achieve local privilege escalation (LPE). The exploit overwrites the page cache of either /usr/bin/su or /etc/passwd to gain root privileges.

This repository contains a functional exploit for CVE-2026-31431, leveraging an AF_ALG + splice() page-cache mutation vulnerability to achieve local privilege escalation (LPE). The exploit overwrites the page cache of /usr/bin/su with a malicious payload, which is then executed with root privileges.

This exploit leverages a splice-based vulnerability (CVE-2026-31431) to overwrite the `/usr/bin/su` binary with malicious shellcode, achieving local privilege escalation. The code uses low-level socket operations and splice syscalls to manipulate file descriptors and inject payloads.

This repository contains a functional exploit for CVE-2026-31431, leveraging AF_ALG socket operations and splice syscalls to trigger memory corruption, enabling local privilege escalation or container escape by patching /usr/bin/su in the page-cache.

This repository contains functional exploit code for CVE-2026-31431, demonstrating a Linux kernel vulnerability in the AF_ALG socket implementation that allows arbitrary page cache manipulation. The exploit uses splice operations to mark pages as dirty and then modifies file content in memory without disk changes.

This repository contains a functional exploit for CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel's AF_ALG socket interface. The exploit leverages a copy-on-write/length confusion bug to corrupt memory and overwrite the /usr/bin/su binary, achieving root privileges.

This repository contains detection tools for CVE-2026-31431, a Linux kernel LPE vulnerability involving AF_ALG sockets and page cache corruption. It includes scripts to check for vulnerability indicators, monitor system calls via eBPF, and compare page cache vs. disk content.

The repository contains a functional Python exploit for CVE-2026-31431, leveraging AF_ALG socket manipulation to patch the `su` binary in memory and achieve local privilege escalation. The exploit uses crafted `setsockopt` and `sendmsg` calls to overwrite memory regions of the `su` binary, followed by execution to gain a root shell.

The repository contains functional exploit code for CVE-2026-31431, demonstrating a local privilege escalation (LPE) vulnerability. The exploit leverages socket manipulation and memory corruption to overwrite the `/usr/bin/su` binary, enabling root access.

This repository contains a functional Go implementation of CVE-2026-31431, a Linux local privilege escalation (LPE) exploit. It leverages a vulnerability in the AF_ALG cryptographic socket interface to overwrite the page cache of the 'su' binary, replacing it with a malicious payload that grants root access.

This repository contains a functional exploit for CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel's AF_ALG AEAD socket interface. The exploit corrupts the page cache of setuid-root binaries via a deterministic 4-byte write primitive, allowing an attacker to overwrite the binary with shellcode and gain root access.

This repository contains a Python-based scanner that checks for the presence of CVE-2026-31431, a Linux kernel vulnerability related to the algif_aead module. It verifies kernel versions, module configurations, and system protections but does not include exploit code.

This repository contains a Python-based scanner that checks for the presence of CVE-2026-31431, a Linux kernel vulnerability related to the algif_aead module. It performs checks on kernel version, AF_ALG module status, and system protections like KPTI, SELinux, and AppArmor.

This is a functional Python PoC for CVE-2026-31431, a Linux kernel local privilege escalation vulnerability exploiting AF_ALG and splice() to corrupt the page cache of a readable file (e.g., /usr/bin/su). The exploit uses ctypes for splice() compatibility and achieves root shell access.

The repository contains a functional Python exploit for CVE-2026-31431, a Linux kernel privilege escalation vulnerability. The exploit leverages a socket-based attack to achieve local privilege escalation by manipulating kernel memory structures.

This is a functional local privilege escalation (LPE) exploit for CVE-2026-31431, targeting a kernel vulnerability to patch /etc/passwd and allow passwordless root access via 'su'. It uses socket manipulation and splice operations to overwrite the root entry in /etc/passwd, bypassing password checks.

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2026-31431, leveraging a vulnerability in the Linux Kernel's Cryptographic API (AF_ALG) combined with the splice() system call to corrupt the page cache of /etc/passwd, allowing an unprivileged user to gain root access.

The repository contains a functional Python-based local privilege escalation (LPE) exploit for CVE-2026-31431, leveraging socket manipulation and splice operations to escalate privileges via the `/usr/bin/su` binary.

This repository contains a Go-based tool that mitigates CVE-2026-43500 and CVE-2026-43284 by disabling vulnerable kernel modules (esp4, esp6, rxrpc) and applying kernel updates. It includes functionality to detect vulnerable configurations, apply hotfixes, and clean up artifacts post-update.

This repository contains a functional exploit for CVE-2026-31431, leveraging a Linux AF_ALG vulnerability to overwrite the page cache of `/usr/bin/su` with a malicious payload, achieving local privilege escalation to root. The exploit includes both a vulnerability checker and a full exploit binary.

This repository contains a functional local privilege escalation exploit for CVE-2026-46333, leveraging a race condition in the Linux kernel's `pidfd_getfd` system call to steal file descriptors from the `accounts-daemon` process. The exploit then uses D-Bus calls to escalate privileges by modifying the user's shell, account type, and password.

This repository contains a minimal 436-byte ELF exploit for CVE-2026-31431, leveraging ELF internals to achieve a compact payload. It includes a Makefile for building the exploit, a Python script for patching the binary, and a test VM setup for safe execution.

This repository contains a shell-based scanner for CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel's cryptographic subsystem. The script checks for vulnerable conditions but does not execute exploit code.

This repository provides an Ansible playbook for remediating CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel's `algif_aead` implementation. It includes detailed documentation on the remediation process, verification steps, and execution instructions, but does not contain functional exploit code.

This repository contains a Go-based mitigation tool for CVE-2026-31431, which disables vulnerable kernel modules (e.g., algif_aead) and applies system-level mitigations such as modprobe blocking and GRUB configuration updates. It includes build scripts and CI/CD workflows for automated compilation and release.

This is a functional local privilege escalation (LPE) exploit for CVE-2026-31431, leveraging a 4-byte page-cache write primitive to corrupt the UID field in /etc/passwd, tricking PAM into granting root access via `su`.

This repository provides a detailed technical analysis of CVE-2026-31431, including a breakdown of the Python exploit, validation steps, and a deep dive into the embedded ELF payload. It focuses on translating the exploit into x86-64 assembly and includes disassembly and reverse engineering insights.

The repository contains a functional Python exploit for CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel's cryptographic subsystem. The exploit leverages a flaw in the AF_ALG socket interface combined with splice() to corrupt the page cache of setuid executables, granting root access.

This repository contains a functional Metasploit module that exploits CVE-2026-31431, a logic flaw in the Linux kernel's AF_ALG crypto interface, to achieve local privilege escalation by corrupting the Page Cache of a setuid binary.

This repository contains a detailed technical analysis of CVE-2026-31431, a logical bug in the Linux kernel's cryptographic template that allows local privilege escalation via page cache corruption. The writeup includes objectives, theoretical background, and references but lacks actual exploit code.

This repository contains a functional exploit for CVE-2026-31431, leveraging a 4-byte page-cache write primitive via authencesn(hmac(sha256),cbc(aes)) to corrupt setuid binaries and achieve root privileges. The PoC includes shellcode injection and auto-restoration of the target binary.

This repository contains a functional exploit for CVE-2026-31431, leveraging socket manipulation and file descriptor operations to achieve local privilege escalation (LPE). The exploit uses a crafted ELF payload to execute arbitrary commands with elevated privileges.

This repository contains a functional exploit for CVE-2026-31431, a Linux kernel local privilege escalation vulnerability in the `algif_aead` module. The exploit leverages a page cache corruption flaw via `AF_ALG` and `splice()` to achieve root privileges.

The exploit leverages a Linux kernel vulnerability (CVE-2026-31431) to achieve local privilege escalation by manipulating socket options and splicing file descriptors. It overwrites the `/usr/bin/su` binary with a malicious payload to gain root access.

This repository contains a Go-based mitigation tool for CVE-2026-31431, which disables vulnerable kernel modules (e.g., algif_aead) and applies system-level mitigations to prevent exploitation. It includes CI/CD workflows for building and releasing the tool.

This repository contains a functional proof-of-concept exploit for CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel's cryptographic subsystem. The exploit leverages a logical bug in the AF_ALG module to write controlled bytes into the page cache of arbitrary files, enabling privilege escalation.

The repository contains a functional Python exploit for CVE-2026-31431, targeting a Linux kernel vulnerability. The exploit manipulates socket options and file descriptors to achieve local privilege escalation (LPE) by overwriting the `/usr/bin/su` binary with a malicious payload.

The repository contains only a minimal README with no exploit code, technical details, or meaningful content related to CVE-2026-31431.

This script mitigates a privilege escalation vulnerability by disabling vulnerable kernel modules (esp4, esp6, rxrpc) and clearing cache. It is a functional fix for CVE-2026-31431, likely related to a kernel-level exploit.

This Python script exploits a vulnerability (CVE-2026-31431) by manipulating socket options and sending crafted messages to achieve arbitrary code execution. It overwrites the `/usr/bin/su` binary with a decompressed payload and executes it.

This repository contains a functional mitigation script for CVE-2026-31431, a Linux kernel local privilege escalation vulnerability in the algif_aead module. The script disables the vulnerable module, upgrades the kernel, and optionally sets up automated updates.

The repository contains a README with detection and mitigation commands but no actual exploit code. The 'exploit' section directs users to download and execute a script from an external URL, which is a common social engineering tactic.

This repository contains a functional C++/x86-64 assembly implementation of CVE-2026-31431 (Copyfail), which exploits a vulnerability in the Linux kernel's AF_ALG socket interface to achieve local privilege escalation (LPE). The exploit crafts malicious control messages to manipulate kernel memory and ultimately spawns a root shell.

This repository contains a functional exploit for CVE-2026-31431, a Linux kernel privilege escalation vulnerability in the AF_ALG cryptographic subsystem. The exploit manipulates the page cache via malformed AEAD operations to achieve root access.

This repository provides a detailed technical analysis of CVE-2026-31431, a Linux kernel vulnerability involving Page Cache isolation failure via the AF_ALG subsystem. It includes a Python script for validation and thorough documentation of the exploit mechanism.

The repository contains a functional exploit for CVE-2026-31431, a Linux kernel vulnerability in the Crypto API (AF_ALG) combined with the splice() system call, allowing local privilege escalation via page cache poisoning. It includes detailed technical analysis, PoC code for Ubuntu 18.04 and 22.04, and mitigation steps.

This repository contains a functional exploit for CVE-2026-31431, a Linux kernel local privilege escalation (LPE) vulnerability in the `algif_aead` cryptographic module. The exploit manipulates the page cache of `/etc/passwd` to escalate privileges from a non-root user to root.

This repository contains a functional exploit for CVE-2026-31431, a Linux kernel vulnerability in the `algif_aead` / `authencesn` AEAD implementation. The exploit demonstrates local privilege escalation by corrupting the page cache to inject shellcode into `/usr/bin/su`.

The repository contains a functional Python-based Proof of Concept (PoC) for CVE-2026-31431, a Linux kernel local privilege escalation vulnerability in the AF_ALG/algif_aead cryptographic interface. The PoC exploits the vulnerability to overwrite the /usr/bin/su binary, achieving privilege escalation.

This repository contains a functional mitigation script for CVE-2026-31431, an unprivileged Linux LPE via xfrm ESP-in-UDP MSG_SPLICE_PAGES. The script applies sysctl and modprobe mitigations to block the exploit path.

This repository contains a functional C++ implementation of CVE-2026-31431, a local privilege escalation vulnerability leveraging AF_ALG and splice() to corrupt the page cache of /usr/bin/su, enabling root access. The exploit is self-contained, statically compiled, and includes a zlib-compressed payload for overwriting the target binary.

The exploit leverages a vulnerability in the Linux AF_ALG socket interface to achieve local privilege escalation (LPE) by manipulating the 'authencesn' algorithm and decompressing a crafted payload. It attempts to execute 'su' to gain root access.

This repository contains a Python script that checks for the presence of CVE-2026-31431, a Linux kernel local privilege escalation vulnerability in the `algif_aead` page-cache write mechanism. It does not exploit the vulnerability but validates system susceptibility by testing AF_ALG socket operations and target file existence.

This repository contains a functional mitigation script for CVE-2026-31431, which prevents the loading of the vulnerable 'algif_aead' kernel module on Debian/Ubuntu-based systems. The script creates a modprobe configuration file to blacklist the module and unloads it if already loaded.

This repository contains a functional exploit for CVE-2026-31431, leveraging a Linux kernel vulnerability in the crypto subsystem. The exploit uses splice() to deliver page-cache references of read-only files (e.g., setuid binaries) to crypto TX scatterlists, enabling arbitrary code execution via a crafted payload.

This repository contains a functional local privilege escalation exploit for CVE-2026-31431, targeting a vulnerability in the Linux kernel's AF_ALG cryptographic subsystem combined with the splice() system call. The exploit modifies the page cache of SUID binaries or /etc/passwd to achieve root access.

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2026-31431, targeting a vulnerability in the Linux kernel's AF_ALG socket implementation. It also includes mitigation tools to temporarily block the vulnerable module.

DIRTYFAIL is a unified detector and PoC harness for the Copy Fail and Dirty Frag Linux page-cache write vulnerability families. It includes functional exploit code for CVE-2026-31431, CVE-2026-43284, and CVE-2026-43500, demonstrating the vulnerabilities by modifying the kernel's in-memory copy of files.

This repository contains a functional exploit PoC for CVE-2026-31431, demonstrating a runtime integrity guard that detects and blocks Linux page cache tampering attacks. It includes scripts to trigger and verify the vulnerability, as well as a detailed technical explanation of the attack mechanism.

This repository contains a functional exploit for CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel's AF_ALG subsystem. The exploit leverages a page-cache corruption primitive to achieve privilege escalation, with compatibility for Python 3.7+ and tested on Astra Linux.

This repository contains a functional exploit for CVE-2026-31431, leveraging a vulnerability in the Linux kernel's AF_ALG socket implementation to achieve local privilege escalation. The exploit uses crafted socket operations to inject and execute shellcode, with architecture-specific payloads for AMD64 and AArch64.

This repository contains a functional exploit for CVE-2026-31431, leveraging a vulnerability in the Linux kernel's AF_ALG socket interface to achieve local privilege escalation (LPE). The exploit uses crafted AEAD operations to manipulate kernel memory and execute a payload that spawns a root shell.

This PoC exploits a Linux kernel vulnerability (CVE-2026-31431) by corrupting the /usr/bin/su binary via splice() and AF_ALG socket operations, bypassing VFS write permissions to achieve local privilege escalation (LPE). The exploit overwrites the binary with a payload that spawns a root shell when executed.

This repository provides a diagnostic and mitigation script for CVE-2026-31431, focusing on detecting and patching a vulnerability in the Linux kernel's AF_ALG AEAD module. It includes checks for kernel configuration, module status, and vulnerability exposure but does not contain exploit code.

This repository contains a functional Python implementation of the CopyFail2 kernel exploit (CVE-2026-31431), which leverages a vulnerability in the xfrm ESP-in-UDP MSG_SPLICE_PAGES path to achieve unprivileged local privilege escalation on Linux kernels >= 6.5. The exploit overwrites /etc/passwd to create a passwordless root user.

This repository contains a Python implementation of the CopyFail2 exploit (CVE-2026-31431), which leverages a kernel vulnerability in the xfrm ESP-in-UDP splice path to achieve local privilege escalation. The exploit overwrites a nologin/false entry in /etc/passwd with a passwordless root user and drops into a root shell via su.

This repository contains a functional exploit for CVE-2026-31431, a Linux kernel privilege escalation vulnerability in the cryptographic subsystem. The exploit leverages a logic bug in the authencesn algorithm to corrupt the page cache of setuid binaries, allowing unprivileged users to gain root access.