Back to Feed
Unprivileged Linux LPE via xfrm ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path. Page-cache write into any readable file. Overwrites a nologin line in /etc/passwd with sick::0:0:...:/:/bin/bash and su s into it. Same class as Copy Fail (CVE-2026-31431), different subsystem. sudo apt install -y libssl-dev gcc gcc -O2 -Wall copyfail2.c -o copyfail2 -lcrypto gcc -O2 -Wall aa-rootns.c -o aa-rootns ./run.sh # install + drop into root shell ./run.sh --clean # revert /etc/passwd via the same primitive Adds passwordless uid-0 user sick to /etc/passwd , then exec su - sick . PAM nullok accepts the empty password silently — no input needed. The sick line stays in /etc/passwd — re-run drops straight back into root. State for --clean is stashed at /var/tmp/.cf2.state . No sudo. esp4 / xfrm_user / xfrm_algo autoload via the userns netlink path. Same bug exists in esp6_input and is not covered by the v4 fix f4c50a4034 . PoC in ipv6/ : ipv6/run.sh and ipv6/copyfail2v6.c . Uses ::1 loopback and ip -6 xfrm . ESP packet padded to >= 40 bytes to clear the xfrm6_input.c:124 size gate. Hyunwoo Kim (imv4bel) and Kuan-Ting Chen reported, tested, authored the upstream fix. Steffen Klassert: IPsec maintainer, posted the fix to netdev/net.git. Brad Spengler (@spendergrsec / grsecurity): called it copyfail-class before anyone else read the commit. Theori / Xint: original Copy Fail (CVE-2026-31431).