feat: add CVE-2026-31431 copy-fail privilege escalation exploit#130
Merged
Conversation
…tests Agent-Logs-Url: https://github.com/cdk-team/CDK/sessions/b45e6530-86b8-4285-923b-168cc69d0249 Co-authored-by: neargle <7868679+neargle@users.noreply.github.com>
Agent-Logs-Url: https://github.com/cdk-team/CDK/sessions/b45e6530-86b8-4285-923b-168cc69d0249 Co-authored-by: neargle <7868679+neargle@users.noreply.github.com>
Copilot created this pull request from a session on behalf of
neargle
April 30, 2026 03:46
View session
…uivalents syscall.SYS_SETSOCKOPT and syscall.SYS_ACCEPT are not defined on all Linux architectures (e.g. arm64). Switch to unix.Syscall6/unix.SYS_SETSOCKOPT and unix.Accept which are provided by golang.org/x/sys/unix and work consistently across all supported platforms. Fixes the build failure reported in CI job 73707270282.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Ports the copy-fail CVE-2026-31431 PoC into CDK as a native Go plugin under
privilege-escalation.Exploit mechanism
Abuses a kernel bug in the AF_ALG AEAD socket + splice/pipe interaction. By issuing
sendmsg(MSG_MORE)with attacker-controlled data and then splicing read-only file pages into the same socket's pipe buffers, the kernel writes the attacker data back into those page-cache pages — without touching the on-disk file (stealthy). A compressed 160-byte ELF64 shellcode blob (setuid(0)+execve("/bin/sh")) is injected into a SUID binary's page cache, then the binary is executed to obtain a root shell.New files
pkg/exploit/privilege_escalation/copy_fail_cve_2026_31431.gocopyFailDecompressPayload()— decompresses the embedded zlib/ELF64 shellcode payloadbuildAlgCmsg()— buildscmsghdrcontrol-message records portably viasyscall.CmsgLen/CmsgSpacecopyFailWriteChunk(fd, offset, chunk)— core primitive: AF_ALG socket setup →sendmsg(MSG_MORE)→splice(file→pipe→ALG)→ drain recv; repeats for each 4-byte chunkCopyFailExploit(targetBin)— orchestrates chunk writes then execs the target with inherited stdiocopy-fail-cve-2026-31431(privilege-escalation)pkg/exploit/privilege_escalation/copy_fail_cve_2026_31431_test.gobuildAlgCmsgstructure (alignment, header fields, data placement), and plugin registrationUsage