CVE-2026-31431

This repository contains a functional exploit for CVE-2026-31431, a Linux kernel vulnerability in the AF_ALG AEAD interface that allows unprivileged users to write arbitrary data to the page cache of readable files, bypassing file permissions and integrity checks. The exploit demonstrates local privilege escalation by modifying /etc/passwd to remove the root password.

This repository contains a functional C-based exploit for CVE-2026-31431, a Linux kernel privilege escalation vulnerability in the AF_ALG interface. The exploit manipulates kernel memory via splice system calls to overwrite /bin/su with a malicious payload, granting root access.

This repository provides two eBPF programs to mitigate CVE-2026-31431, a local privilege escalation vulnerability involving AF_ALG socket creation. The programs either filter or kill processes attempting to exploit the vulnerability, depending on kernel support for eBPF LSM.

This repository contains a Go implementation of CVE-2026-31431, a Linux local privilege escalation (LPE) exploit targeting a vulnerability in the AF_ALG cryptographic socket interface. The exploit leverages a logic flaw to overwrite page cache contents, allowing arbitrary file modification and privilege escalation.

This repository provides a detection toolkit for CVE-2026-31431, a Linux kernel local privilege escalation vulnerability. It includes tools for checking vulnerability exposure, detecting exploitation via auditd, eBPF, and page-cache comparison, and mitigating the risk.

This repository contains a functional exploit PoC for CVE-2026-31431 (CopyFail), which allows unprivileged users to mutate files in the Linux page cache. It includes multiple exploit vectors (su, passwd, pam) and detection tools to identify tampering.

This repository provides a detailed technical analysis and mitigation strategies for CVE-2026-31431, a local privilege escalation vulnerability in the AF_ALG `authencesn` page-cache primitive. It includes a defense-in-depth approach with an LD_PRELOAD shim and a host auditor, but does not contain functional exploit code.

This repository contains a BPF-LSM mitigation for CVE-2026-31431, a privilege escalation vulnerability in the Linux kernel crypto API (AF_ALG). The PoC blocks AF_ALG socket creation via a BPF program attached to the socket_create hook, preventing exploitation of the vulnerability.

This repository contains a functional exploit for CVE-2026-31431, demonstrating a cache poisoning vulnerability in the Linux kernel's AF_ALG socket interface. The exploit patches arbitrary files by manipulating the kernel's crypto API through crafted socket operations.

The exploit leverages a Linux kernel vulnerability (CVE-2026-31431) to achieve local privilege escalation by manipulating socket options and splicing file descriptors. It overwrites the `/usr/bin/su` binary with a malicious payload, then executes it to gain root access.

This repository contains a functional Rust-based exploit for CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel's `algif_aead` module. The exploit leverages a logic flaw to overwrite page cache contents of setuid binaries, granting root access. It also includes a defensive eBPF-based tool to block the exploit.

This repository contains a functional exploit for CVE-2026-31431, a Linux kernel vulnerability in the AF_ALG crypto subsystem that allows a 4-byte arbitrary write in the page cache, leading to local privilege escalation (LPE). The exploit dynamically calculates ELF entry point offsets to overwrite SUID binaries with shellcode, making it universally applicable across different kernel and binary versions.

The repository claims to be an exploit for CVE-2026-31431 but lacks actual exploit code, instead promoting external downloads and additional features like payload encryption and multi-architecture support without technical details.

This repository contains a functional Rust-based exploit for CVE-2026-31431, a Linux kernel vulnerability in AF_ALG and splice() that allows local privilege escalation via arbitrary page cache writes. The exploit includes shellcode execution capabilities and supports custom payloads like Meterpreter.

This repository contains functional exploit code for CVE-2026-31431, a Linux local privilege escalation (LPE) vulnerability. The exploit leverages an AF_ALG/splice page-cache overwrite primitive to modify runtime views of privileged files (e.g., `su`, PAM configurations) to gain root access. The code includes multiple modes for patching, reverting, and helper binary creation.

The exploit leverages a Linux kernel vulnerability (CVE-2026-31431) to achieve local privilege escalation by manipulating socket options and splicing file descriptors. The PoC overwrites the `/usr/bin/su` binary with a malicious payload, then executes it to gain root access.

This repository contains a functional exploit for CVE-2026-31431, demonstrating a local privilege escalation (LPE) vulnerability. The exploit includes binaries for verification and execution, along with detailed steps for usage and mitigation.

The repository contains a functional exploit for CVE-2026-31431, a Linux kernel vulnerability that allows local privilege escalation by manipulating the page cache of files. The exploit leverages the `AF_ALG` interface and `splice()` to inject data into the page cache of a target file, enabling execution of modified content in memory.

The repository contains a functional exploit for CVE-2026-31431, a Linux kernel vulnerability in the `algif_aead` component that allows local privilege escalation via page-cache corruption. The exploit targets `/usr/bin/su` to gain root access.

This repository contains a functional Python exploit for CVE-2026-31431, a Linux kernel vulnerability in AF_ALG/algif_aead that allows page-cache corruption. The toolkit includes detection, mitigation verification, and weaponization paths for privilege escalation (setuid binary patching and /etc/passwd UID manipulation).

This repository contains a functional Python exploit for CVE-2026-31431, which leverages an AF_ALG kernel vulnerability to patch the 'su' binary in memory and escalate privileges. The exploit uses crafted socket operations and splice calls to modify executable memory.

This repository contains a Go-based PoC for CVE-2026-31431, a Linux kernel logic flaw in `authencesn` that enables a deterministic 4-byte write into page cache data via `AF_ALG` + `splice()`. The PoC is functional and includes build automation for multiple architectures.

This repository provides a detailed technical analysis and Ansible-based mitigation playbooks for CVE-2026-31431, a Linux kernel vulnerability in the `algif_aead` module. It includes audit and mitigation steps but does not contain functional exploit code.

This repository contains a functional exploit for CVE-2026-31431, adapted to work within a constrained Java environment. It leverages the AF_ALG socket interface to perform a page cache overwrite, achieving local privilege escalation (LPE) via a Java-based syscall layer and annotation processor trick.

This repository contains a functional local privilege escalation exploit for CVE-2026-31431, targeting a logic bug in the Linux kernel's `authencesn` cryptographic template. The exploit allows an unprivileged local user to perform a controlled 4-byte write into the page cache of any readable file, leading to full root compromise.

This repository contains a Go-based scanner for CVE-2026-31431, designed to detect vulnerability status across multiple Linux distributions. It checks kernel versions, module states, and changelogs without exploiting the vulnerability.

This repository provides a mitigation for CVE-2026-31431 using eBPF (block_alg.bpf.c) and a userspace component (block_alg.c). It includes a Makefile for compilation and a GPLv2 license, but no exploit code or detailed vulnerability analysis.

This repository contains a functional Rust-based exploit for CVE-2026-31431, leveraging a race condition between AF_ALG sockets and splice syscalls to corrupt page cache and overwrite SUID binaries like /bin/su for local privilege escalation.

This repository provides a mitigation script for CVE-2026-31431, a Linux kernel vulnerability in the cryptographic subsystem (algif_aead module). It includes technical details on the vulnerability and scripts to block the vulnerable module.

This repository contains a functional proof-of-concept exploit for CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel's AF_ALG cryptographic interface. The exploit leverages incorrect page cache handling during AEAD decryption to overwrite in-memory file content, granting an unprivileged user root access.

This repository contains a functional Rust implementation of the Copy Fail exploit (CVE-2026-31431), which chains AF_ALG and splice() syscalls to achieve a 4-byte page cache write, leading to local privilege escalation on vulnerable Linux kernels.

This repository contains a functional exploit for CVE-2026-31431, a Linux kernel vulnerability in the AF_ALG crypto subsystem. The exploit uses socket operations, splice(), and memory corruption to escalate privileges to root by injecting shellcode into the /usr/bin/su binary.

The exploit leverages a Linux kernel vulnerability (CVE-2026-31431) to achieve local privilege escalation by manipulating socket options and splicing file descriptors to overwrite the `/usr/bin/su` binary with a malicious payload. The payload is embedded as a compressed hex string and decompressed at runtime.

This repository contains a functional Go-based exploit for CVE-2026-31431, which leverages a memory corruption vulnerability in the Linux kernel's AF_ALG socket implementation to overwrite the `/usr/bin/su` binary with malicious shellcode, achieving local privilege escalation (LPE). The exploit demonstrates a reliable method to gain root access by corrupting page cache contents via crafted socket operations.

This repository provides a detailed technical analysis and mitigation script for CVE-2026-31431, a local privilege escalation vulnerability in the Linux Kernel affecting versions 4.10 to 6.18.x. The script includes blacklisting vulnerable kernel modules, flushing the Page Cache, and updating the kernel to a patched version.

This repository provides a detailed technical analysis and mitigation strategy for CVE-2026-31431, a Linux kernel vulnerability in the cryptographic API subsystem (AF_ALG) that allows local privilege escalation. It includes a DaemonSet for Yandex Managed Kubernetes to automatically block the vulnerable module.

This repository contains a functional exploit for CVE-2026-31431, leveraging a Linux kernel vulnerability in the AF_ALG socket interface. The exploit uses crafted messages and splice operations to achieve local privilege escalation (LPE) by manipulating kernel memory.

This repository contains a functional exploit for CVE-2026-31431, leveraging a vulnerability in the Linux kernel's AF_ALG socket implementation to achieve local privilege escalation (LPE). The exploit uses crafted messages and splice operations to trigger the vulnerability, ultimately executing `/usr/bin/su` to gain root access.

This repository contains a Go-based proof-of-concept exploit for CVE-2026-31431, targeting a Linux kernel vulnerability via the AF_ALG interface and splice(2) system calls. It includes static binaries for multiple architectures and embeds payloads for each target.

The repository contains a functional Python exploit for CVE-2026-31431, which appears to leverage a socket-based vulnerability to achieve local privilege escalation (LPE) by manipulating file descriptors and socket options. The exploit decompresses and writes a payload to `/usr/bin/su`, suggesting an attempt to overwrite or modify system binaries for privilege escalation.

This repository contains a cross-platform C exploit for CVE-2026-31431, with build workflows for multiple architectures using both glibc and musl. The exploit is statically linked and includes payload handling, indicating a functional proof-of-concept.

This repository contains a multi-OS vulnerability scanner for CVE-2026-31431 (Linux kernel crypto/algif_aead flaw) and CVE-2026-41940 (cPanel & WHM authentication bypass). It checks for vulnerable configurations, patch status, and mitigation measures without exploiting the vulnerabilities.

This repository contains a functional exploit for CVE-2026-31431, which leverages a splice-based arbitrary page-cache write vulnerability to achieve local privilege escalation by corrupting /usr/bin/su with shellcode.

This repository contains a functional Python-based Proof-of-Concept (PoC) for CVE-2026-31431, a Linux kernel local privilege escalation vulnerability. The exploit leverages the AF_ALG crypto API and splice() to corrupt the page cache of a setuid binary (e.g., /usr/bin/su), allowing unprivileged users to gain root access.

This repository provides an Ansible playbook for mitigating CVE-2026-31431 by disabling the vulnerable `algif_aead` kernel module on Debian/Ubuntu and RHEL-based systems. It includes detailed documentation, usage instructions, and verification steps but does not contain exploit code.

This repository contains a functional exploit for CVE-2026-31431, demonstrating a page-cache write vulnerability via AF_ALG+splice. It includes a canary test to verify vulnerability and a universal local privilege escalation (LPE) exploit that dynamically discovers and patches PAM functions in libpam to bypass authentication.

This repository contains a functional exploit for CVE-2026-31431, demonstrating a local privilege escalation (LPE) via arbitrary page-cache writes using AF_ALG and splice. The exploit dynamically discovers and patches PAM functions in libpam to bypass authentication checks.

This repository contains functional exploit code for CVE-2026-31431, a Linux kernel crypto subsystem vulnerability allowing local privilege escalation via AF_ALG and splice() manipulation. The PoC demonstrates a 4-byte write to the page cache of any readable file, leading to root access by corrupting a setuid binary.

This repository contains a functional BPF LSM-based mitigation for CVE-2026-31431, a Linux kernel privilege escalation vulnerability in the `authencesn` cryptographic template. The PoC blocks vulnerable AF_ALG socket binds using eBPF, compiled via Whistler (a Common Lisp eBPF compiler), and includes a test script to verify the blocker's functionality.

This repository provides a detailed technical analysis of CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel's cryptographic subsystem (AF_ALG and algif_aead module). It includes root cause analysis, affected systems, and remediation guidance but does not contain exploit code.

This repository contains a C-based Linux local privilege escalation exploit for CVE-2026-31431, leveraging AF_ALG, authencesn, and splice primitives to overwrite the page cache of /usr/bin/su with setuid shellcode for root access.

This repository contains a functional proof-of-concept exploit for CVE-2026-31431, demonstrating arbitrary code execution in a running process via page cache manipulation using the 'Copy Fail' technique. The exploit compiles a test binary, injects shellcode to replace a function, and verifies execution by comparing the process PID.

The repository claims to provide a local privilege escalation exploit for CVE-2026-31431 but contains no actual exploit code. It references external documents for technical details, mitigation, and detection, which are not included in the repository.

The repository contains a functional Python exploit for CVE-2026-31431, leveraging socket manipulation and file operations to achieve local privilege escalation (LPE) by overwriting the `/usr/bin/su` binary with a malicious payload.

The repository contains only a vague README with buzzwords like 'Hardened AF_ALG/splice page-cache mutation primitive' but no actual exploit code, technical details, or proof-of-concept. It appears to be a placeholder or lure.

This repository contains a functional Python exploit for CVE-2026-31431, targeting a Linux kernel vulnerability via page cache hijacking to inject data into /etc/passwd for privilege escalation. The exploit includes detection, exploitation, and cleanup phases, with a menu-driven interface.

The repository contains a functional Python-based exploit for CVE-2026-31431, demonstrating a local privilege escalation (LPE) vulnerability. The exploit manipulates socket options and file descriptors to achieve privilege escalation via the 'su' binary.

This repository contains a functional C-based PoC for CVE-2026-31431, exploiting a Linux kernel AF_ALG subsystem page cache poisoning vulnerability to achieve local privilege escalation (LPE) by corrupting SUID file contents. The code includes a shellcode payload to spawn a shell and demonstrates the exploit chain via AF_ALG socket manipulation and splice system calls.

The repository contains only a minimal README with a title and brief description of CVE-2026-31431, a Linux Kernel Local Privilege Escalation vulnerability, but no exploit code, technical details, or additional content.

This repository contains a functional script that automates the mitigation of CVE-2026-31431 by updating the kernel on AlmaLinux/CloudLinux systems and setting the patched version as default. The script handles package updates, repository management, and GRUB configuration.

The repository contains only a README.md file with no actual exploit code or technical details. It appears to be a placeholder or incomplete submission.

This repository provides mitigation guidance and configuration files for CVE-2026-31431, a Linux kernel vulnerability in the `algif_aead` module. It includes detailed technical analysis, mitigation steps, and detection rules for Deckhouse Kubernetes Platform.

This repository contains a functional Python port of the CVE-2026-31431 exploit, which corrupts the page cache of the setuid `su` binary to achieve local privilege escalation (LPE). The exploit uses `os.splice` to overwrite the page cache with shellcode, then executes the corrupted `su` binary to gain root privileges.

This repository provides an Ansible playbook to detect and mitigate CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel's `algif_aead` AF_ALG interface. The mitigation involves appending `initcall_blacklist=algif_aead_init` to the kernel command line to prevent exploitation.

This repository contains a functional exploit PoC for CVE-2026-31431, a Linux kernel AF_ALG AEAD use-after-free vulnerability. The code demonstrates the vulnerability by interacting with the AF_ALG interface and triggering the bug through crafted control messages.

This repository contains a Go-based exploit for CVE-2026-31431 (Copy.Fail), a Linux kernel vulnerability in the `algif_aead` crypto module. The exploit allows unprivileged users to gain root access by manipulating the page cache of SUID binaries without modifying the underlying files.

The repository contains functional exploit code for CVE-2026-31431, demonstrating a local privilege escalation (LPE) via a flaw in the Linux AF_ALG socket interface. Both C and Python versions are provided, leveraging improper handling of cryptographic operations to escalate privileges to root.

This repository provides per-distro mitigation scripts for CVE-2026-31431, a Linux kernel local privilege escalation vulnerability in the `algif_aead` module. It includes detailed technical analysis, patch status tracking, and scripts to blacklist the vulnerable module or install patched kernels.

This repository provides a Kubernetes DaemonSet to mitigate CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel's `algif_aead` module. It includes detailed documentation, YAML manifests for deployment, and a script to blacklist the vulnerable module and label nodes based on their mitigation status.

The repository contains a functional exploit for CVE-2026-31431, utilizing obfuscated Python code with ChaCha20 decryption to execute a payload. The exploit establishes a socket connection, sends crafted messages, and likely achieves remote code execution.

This repository contains a functional C exploit for CVE-2026-31431, leveraging the Linux kernel crypto API (AF_ALG) with AEAD mode, MSG_MORE flag, and splice system call to achieve privilege escalation by processing data from a read-only file descriptor.

This repository contains a functional exploit for CVE-2026-31431, targeting a vulnerability in the Linux kernel's AF_ALG socket implementation. The exploit uses crafted control messages and splice operations to achieve arbitrary code execution.

The repository contains a functional Python exploit for CVE-2026-31431, targeting a Linux kernel vulnerability involving page cache manipulation to achieve local privilege escalation (LPE). The exploit uses socket manipulation and file operations to overwrite the `/usr/bin/su` binary with a malicious payload.

This repository provides a detailed technical analysis and detection rules for CVE-2026-31431, a Linux kernel vulnerability in the 'authencesn' cryptographic template. It includes Wazuh rules and auditd configurations to detect the exploit chain, which involves a 4-byte write into the page cache of readable files.

This repository contains a functional exploit PoC for CVE-2026-31431, a Linux kernel vulnerability in the AF_ALG socket family that allows a page-cache write primitive. The script detects the vulnerability and optionally applies a mitigation by blacklisting the algif_aead module.

This repository contains a functional exploit for CVE-2026-31431, a Linux kernel local privilege escalation vulnerability in the AF_ALG/crypto API. The PoC patches /usr/bin/su in memory to execute arbitrary commands as root.

The repository contains a functional exploit for CVE-2026-31431, a 4-byte page-cache write primitive in the Linux kernel's `authencesn` AEAD template. The exploit leverages `AF_ALG` and `splice()` to achieve local privilege escalation or container escape by overwriting specific bytes in the page cache of readable files.

This repository contains a functional exploit for CVE-2026-31431, targeting a vulnerability in the Linux kernel's AF_ALG socket implementation. The exploit manipulates control messages and splicing operations to patch the `/usr/bin/su` binary, achieving local privilege escalation (LPE).

This repository contains a Python-based vulnerability detection script for CVE-2026-31431, a local privilege escalation flaw in the Linux kernel's AF_ALG crypto subsystem. The script checks for exploitable conditions but does not include exploit code.

This repository contains a functional Python PoC for CVE-2026-31431, which exploits a vulnerability in the Linux kernel's `AF_ALG` interface to manipulate the page cache of SUID binaries and achieve local privilege escalation. The script includes payloads for multiple architectures and performs runtime checks for compatibility.

This repository contains a functional exploit for CVE-2026-31431, which leverages a flaw in the Linux kernel's authencesn length validation to write dirty pages back to unauthorized locations, achieving privilege escalation by modifying /etc/passwd to remove the root password.

This repository provides a mitigation tool and technical analysis for CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel's `authencesn` cryptographic template. It includes a script to block `AF_ALG` socket creation via seccomp for Docker containers and Kubernetes pods, along with detailed technical background and mitigation steps.

This repository contains a functional proof-of-concept exploit for CVE-2026-31431, a Linux kernel vulnerability in the algif_aead module that allows local privilege escalation via a controlled 4-byte write into the page cache of any readable file. The exploit leverages the authencesn AEAD template to perform the write, targeting /etc/passwd to escalate privileges.

The repository claims to provide a mitigation for CVE-2026-31431 but lacks actual exploit code. It directs users to download and run an external Python script from a different GitHub repository, which is a common tactic for distributing malware or fake exploits.

This repository contains a Rust-based PoC exploit for CVE-2026-31431, leveraging the AF_ALG socket family and splice() system calls to overwrite read-only files in the page cache, specifically targeting the 'su' binary for privilege escalation. The exploit includes multi-architecture support and demonstrates a clear understanding of the vulnerability mechanics.

This repository contains a functional privilege escalation exploit for CVE-2026-31431, targeting a Linux kernel vulnerability in the authencesn AEAD implementation. The exploit manipulates the page cache to modify setuid binaries, granting root access, and includes detailed technical documentation and attack chain analysis for OpenShift environments.

The repository contains a Bash script to detect and mitigate CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel's `algif_aead` module. It checks for module presence, load status, and system patch state, and can apply a mitigation by blocking the module.

The repository contains functional exploit code for CVE-2026-31431, demonstrating a local privilege escalation (LPE) vulnerability. The exploit manipulates socket options and file descriptors to overwrite the `/usr/bin/su` binary, elevating privileges to root.

This repository contains a functional proof-of-concept exploit for CVE-2026-31431, a Linux kernel vulnerability affecting AF_ALG AEAD implementation. The exploit corrupts the in-memory .text section of setuid-root binaries (e.g., /usr/bin/su) to achieve local privilege escalation.

This repository provides functional bash scripts to mitigate CVE-2026-31431 by disabling the vulnerable 'algif_aead' kernel module via modprobe configuration and initramfs updates. It includes both patching and removal scripts with detailed logging and status checks.

The repository contains a functional exploit for CVE-2026-31431, a logic vulnerability in the Linux kernel's `authencesn` cryptographic template. The exploit leverages AF_ALG sockets and `splice()` to perform a controlled 4-byte write into the page cache of setuid binaries, enabling local privilege escalation to root.

This repository contains a functional Python 3.9-compatible PoC for CVE-2026-31431, a Linux kernel vulnerability in the AF_ALG interface allowing controlled 4-byte writes to the page cache. The exploit uses a ctypes-based splice polyfill and targets /usr/bin/su for privilege escalation.

The repository contains only an empty README.md file with no exploit code, technical details, or meaningful content. It appears to be a placeholder or stub repository.

This repository contains a functional local privilege escalation exploit for CVE-2026-31431, leveraging a Linux kernel vulnerability in the splice() system call to corrupt kernel memory and overwrite setuid binaries.

This repository contains a detection script for CVE-2026-31431, a Linux kernel local privilege escalation vulnerability. The script checks for vulnerable configurations, loaded modules, and mitigation status but does not include exploit code.

This repository provides a hardening script to mitigate CVE-2026-31431 by blocking AF_ALG kernel crypto interfaces. It includes a technical explanation of the mitigation approach and a functional script to disable vulnerable modules.

This repository provides a diagnostic toolkit for detecting and mitigating CVE-2026-31431, a local privilege escalation vulnerability in the Linux Kernel Crypto API (AF_ALG). It includes scripts to audit system security posture, disable AF_ALG modules, and restore them, but does not contain functional exploit code.

This repository contains a functional exploit for CVE-2026-31431, leveraging a Python ctypes wrapper for `os.splice` to achieve remote code execution (RCE) on systems running Python versions below 3.10. The exploit uses socket manipulation and file descriptor splicing to execute arbitrary commands, specifically targeting `/usr/bin/su`.

This repository contains a functional exploit PoC for CVE-2026-31431, targeting a Linux kernel vulnerability in the AF_ALG interface (algif_aead). It includes Ansible playbooks and scripts to check for vulnerability, apply mitigation, and revert changes.

This repository contains a functional Rust implementation of CVE-2026-31431, a Linux kernel vulnerability allowing unprivileged users to write arbitrary data into the page cache of readable files via AF_ALG splice. The exploit includes multiple privilege escalation modes, such as modifying /etc/passwd or overwriting the su binary with shellcode.

This repository contains a Go-based hotfix for CVE-2026-31431, which mitigates a vulnerability by unloading the 'algif_aead' kernel module and preventing its reloading. The code checks for vulnerability status and applies the fix if root privileges are available.

The repository contains a Python script that checks for the presence of a vulnerable kernel module (algif_aead) by attempting to create a socket of type AF_ALG. It does not exploit the vulnerability but detects whether the system is vulnerable to CVE-2026-31431.

This repository contains a functional exploit for CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel's `algif_aead` subsystem. The exploit manipulates the kernel page cache to overwrite arbitrary bytes in world-readable files, specifically targeting `/etc/passwd` to escalate privileges to root.

This repository provides a detailed technical analysis and mitigation strategy for CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel's `algif_aead` / `authencesn` crypto subsystem. It includes a PAM module and standalone binary to apply seccomp filters, blocking the vulnerable `socket(AF_ALG, ...)` syscall.

This repository provides a mitigation technique for CVE-2026-31431 on RHEL systems by disabling the AEAD subsystem via kernel boot parameters. It explains how to modify GRUB configurations to prevent the exploit from functioning by making the AEAD socket unavailable.

This repository provides passive detection scripts and technical documentation for CVE-2026-31431, a Linux LPE and container-escape vulnerability. It includes tools to check for vulnerable kernel versions, module states, and configurations without executing exploit code.

This repository contains a functional exploit for CVE-2026-31431, demonstrating a privilege escalation vulnerability in a containerized environment. The exploit leverages a Python script fetched from an external URL to escalate from a non-root user (UID 1001) to root.

This repository provides a detailed technical analysis of CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel's `algif_aead` subsystem. It includes impact analysis, mitigation strategies, and test scripts to verify exploit prerequisites.

This repository provides a Bash script to detect and mitigate exposure to CVE-2026-31431 (Copy Fail) by checking kernel patch status, module availability, and applying a host-level mitigation via modprobe configuration. It does not contain exploit code but helps identify vulnerable systems.

The repository contains a functional exploit for CVE-2026-31431, a Linux kernel vulnerability in the `authencesn` cryptographic template that allows an unprivileged local user to perform a controlled 4-byte write into the page cache of any readable file, leading to local privilege escalation (LPE). The exploit is a 732-byte Python script that leverages `AF_ALG` sockets and `splice()` to corrupt the page cache of setuid binaries, achieving root access.

This repository provides a mitigation script and technical details for CVE-2026-31431, a Linux kernel local privilege escalation vulnerability in the AF_ALG crypto interface. It includes scripts to unload vulnerable kernel modules and block exploit paths, along with verification and revert steps.

The repository contains a functional Python exploit for CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel's cryptographic subsystem (algif_aead). The exploit leverages a controlled 4-byte write into the page cache of setuid binaries to achieve root access.

This repository contains a functional Rust-based PoC for CVE-2026-31431, a local privilege escalation (LPE) vulnerability. It exploits the Linux kernel's Crypto API and `splice` system call to manipulate the page cache, overwriting the UID field in `/etc/passwd` to escalate privileges.

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2026-31431, a Linux kernel page cache pollution vulnerability in the `authencesn` AEAD algorithm. The exploit leverages `AF_ALG` and `splice()` system calls to write 4 bytes to arbitrary readable file page caches, enabling privilege escalation via setuid binaries like `/usr/bin/su`.

This repository contains a Python script that checks for the presence of the vulnerable `algif_aead` module in the Linux kernel, which is associated with CVE-2026-31431. The script does not exploit the vulnerability but passively detects whether the attack surface is reachable.

This repository contains an Ansible playbook that mitigates CVE-2026-31431 by disabling and unloading the vulnerable `algif_aead` kernel module. The playbook automates the remediation process for affected systems.

The repository contains a vague README with no technical details about CVE-2026-31431, instead describing a generic mitigation step without exploit code or vulnerability analysis.

This repository provides a Wazuh SCA policy and mitigation script for CVE-2026-31431, focusing on detecting exposure and verifying mitigation controls for the 'Copy Fail' vulnerability. It includes checks for kernel module states, mitigation file presence, and container hardening signals.

This repository contains a functional exploit for CVE-2026-31431, leveraging an AF_ALG-based page cache write primitive to achieve local privilege escalation by modifying /etc/passwd to remove the root password. The exploit is compatible with both Python 2 and 3.

The repository contains a PowerShell script designed to detect indicators of CVE-2026-31431 (Copy Fail) in WSL and Docker environments by checking for vulnerable kernel modules, AF_ALG sockets, and suspicious processes. It does not include exploit code but focuses on scanning for potential vulnerabilities.

This repository contains a Linux Kernel Module (LKM) that exploits CVE-2026-31431 by unregistering the vulnerable `algif_aead` implementation and optionally registering a fake implementation to prevent reloading. The exploit targets a flaw in the AF_ALG socket interface, likely leading to a denial-of-service or privilege escalation.

This repository contains a functional exploit for CVE-2026-31431, a local privilege escalation vulnerability. The exploit modifies the root password field in /etc/passwd via a 4-byte page-cache write, allowing passwordless root access via `su`.

This repository contains a functional Go-based exploit for CVE-2026-31431, targeting a Linux AF_ALG local privilege escalation vulnerability. The exploit leverages socket operations and splice to manipulate kernel memory, ultimately attempting to escalate privileges by executing '/usr/bin/su'.

This repository contains a fully functional exploit for CVE-2026-31431, a Linux kernel local privilege escalation (LPE) vulnerability. The exploit leverages a logic bug in the `authencesn` cryptographic template, chained with `AF_ALG` and `splice()`, to achieve a 4-byte page-cache write, enabling reliable privilege escalation.

This repository contains functional exploit code for CVE-2026-31431, a Linux local privilege escalation vulnerability in the `authencesn` logic via `AF_ALG` and `splice()`. It includes both the original PoC and an ARM64 variant, both of which attempt to overwrite `/usr/bin/su` to gain a root shell.

This repository provides a functional mitigation script for CVE-2026-31431 (Copy Fail vulnerability) by disabling the vulnerable `algif_aead` kernel module and attempting to evict the first page of `/usr/bin/su` from the page cache. The script includes clear instructions for application, verification, and reversion.

This repository contains a functional exploit PoC for CVE-2026-31431, targeting a Linux kernel vulnerability. The tool automates batch SSH login, vulnerability detection, and remediation (disabling `algif_aead` and kernel upgrades) across multiple hosts.

This repository contains a functional exploit for CVE-2026-31431, a Linux kernel vulnerability in the authencesn AEAD optimization that allows local privilege escalation to root via AF_ALG socket manipulation and splice() system calls. The exploit targets the page cache of setuid binaries like /usr/bin/su to achieve arbitrary write primitives.

The repository contains a functional exploit for CVE-2026-31431 targeting aarch64 and x86_64 architectures. The exploit leverages a socket-based attack to achieve local privilege escalation by overwriting the `/usr/bin/su` binary with a decompressed payload.

The PoC exploits a local privilege escalation vulnerability by manipulating socket options and sending crafted messages to achieve root access. It uses a combination of socket operations and file descriptor manipulation to overwrite the `/usr/bin/su` binary with a malicious payload.

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2026-31431, leveraging the Linux AF_ALG socket interface and splice system calls to manipulate file descriptors and execute privileged commands. The exploit targets specific Linux kernel and Python versions, demonstrating a root shell via the 'su' binary.

This repository contains a C-based exploit for CVE-2026-31431, which leverages a vulnerability in the Linux kernel's AF_ALG socket implementation to overwrite read-only page cache entries, similar to DirtyPipe. The exploit targets `/usr/bin/su` to achieve local privilege escalation (LPE) by injecting a malicious ELF payload.

This repository contains a bash script to check for the presence of CVE-2026-31431 by verifying kernel versions, package updates, and AF_ALG socket accessibility. It also includes a mitigation script to disable AF_ALG modules if needed.

This repository provides defensive detection content for CVE-2026-31431, a Linux kernel local privilege escalation vulnerability in the `algif_aead` crypto interface. It includes Sigma rules, auditd configurations, a Falco rule for containers, and a triage playbook for SOC analysts and detection engineers.

The repository contains a functional exploit for CVE-2026-31431, which involves disabling the 'algif_aead' kernel module via modprobe configuration to prevent exploitation. The script checks for required commands, ensures root privileges, and applies a workaround to mitigate the vulnerability.

This repository contains functional exploit code for CVE-2026-31431, a use-after-free (UAF) vulnerability in the AF_ALG AEAD splice implementation in the Linux kernel. The exploit replaces the page cache of /usr/bin/su with a malicious ELF payload to achieve privilege escalation.

This repository contains a functional Rust exploit for CVE-2026-31431, leveraging a Linux kernel vulnerability in the AF_ALG socket interface combined with splice() to achieve local privilege escalation. The exploit targets /usr/bin/su and demonstrates a 732-byte payload to gain root access.