Re: Re: CVE-2026-31431: CopyFail: linux local privilege scalation

[cyber security <cs7778503 () gmail com>]

mostly every distro + it can lead to container + snap + flatpak
container escapes

On Fri, May 1, 2026 at 1:16 PM Justin Swartz
<justin.swartz () risingedge co za> wrote:
> On Fri, 2026-05-01 at 11:08 -0400, Reid Sutherland wrote:
> > Does anything load the vulnerable module by default or not?  If not,
> > this should be low-rated IMO.
>
> An unprivileged user requesting an AF_ALG socket will trigger the kernel
> module autoloader:
>
> $ su -l
> Password:
>
> # cat > /root/modprobe << "EOF"
> #!/bin/sh
> echo "$(date -u) modprobe $@" >> /tmp/modprobe.log
> exec /sbin/modprobe "$@"
> EOF
>
> # chmod 700 /root/modprobe
>
> # cat /proc/sys/kernel/modprobe
> /sbin/modprobe
>
> # echo "/root/modprobe" > /proc/sys/kernel/modprobe
> # cat /proc/sys/kernel/modprobe
> /root/modprobe
>
> # exit
>
> $ lsmod | grep aead | wc -l
> 0
>
> $ date -u && ./copy_fail_exp.py
> Fri 01 May 2026 16:08:24 UTC
>
> # cat /tmp/modprobe.log
> Fri May  1 16:08:24 UTC 2026 modprobe -q -- net-pf-38
> Fri May  1 16:08:24 UTC 2026 modprobe -q -- algif-aead
>
> # lsmod | grep aead
> algif_aead             16384  0
> af_alg                 36864  1 algif_aead
>
> # echo "/sbin/modprobe" > /proc/sys/kernel/modprobe
> # cat /proc/sys/kernel/modprobe
> /sbin/modprobe
>
> # exit