https://coldreboot.dev/tags/exploit/Recent content in Exploit on cold-rebootHugoenFri, 01 May 2026 00:00:00 +0900https://coldreboot.dev/posts/cve-2026-31431/Fri, 01 May 2026 00:00:00 +0900https://coldreboot.dev/posts/cve-2026-31431/<blockquote> <p>A study-while-writing post on a juicy Linux kernel bug. Corrections welcome via <a href="https://coldreboot.dev/about">email</a>.</p> </blockquote> <h2 id="tldr">TL;DR</h2> <ul> <li>CVE-2026-31431 (Copy Fail) is a logic bug in the Linux kernel&rsquo;s <code>algif_aead</code> (the AEAD interface of AF_ALG, the userspace kernel crypto API).</li> <li>An unprivileged local user can trigger a deterministic, controlled 4-byte write into the page cache of any readable file.</li> <li>Used against <code>/usr/bin/su</code> or similar setuid binaries, this gives root.</li> <li>The bug was introduced by an &ldquo;in-place optimization&rdquo; commit in 2017 — it sat there for around 8 years.</li> </ul> <hr> <h2 id="1-introduction">1. Introduction</h2> <p>On April 29, 2026, the Korean offensive security firm Theori and their research team Xint Code disclosed a vulnerability they nicknamed &ldquo;Copy Fail.&rdquo;</p>