diemoeve

CopyFail (CVE-2026-31431): Linux kernel page-cache PrivEsc PoC + the only public detection tool. Novel PAM auth-bypass vector + Sigma/auditd/eBPF rules.

69% credibility
Found May 06, 2026 at 10 stars.
Rust
AI Summary

copyfail-rs is a single-file program that tests a Linux kernel vulnerability (CopyFail, CVE-2026-31431) by demonstrating privilege escalation and provides detection tools to identify affected systems or post-exploit tampering.

How It Works

1. 📰 Discover Linux security news
   You hear about a sneaky flaw in Linux that could let regular users take full control of the computer.

2. 📥 Grab the tiny checker tool
   Download the small, ready-to-use program for your computer's type—no setup or extras needed.

3. 🛡️ Check if your system is at risk
   Run the tool to quickly scan and learn if your Linux machine has the weakness or is already protected.

4. 📊 See your security status
   Get a clear report showing vulnerable, safe, or fixed, so you know exactly where you stand.

5. Protect or inspect further
   - 🛡️ Apply quick protection: Follow easy steps to shut down the weakness and make your system secure.
   - 🔍 Scan for changes: Look closely at important files to spot if anything sneaky has been altered in memory.

Feel secure and in control

Your Linux system is now verified clean, protected from the flaw, and ready for safe use.

AI-Generated Review

What is copyfail-rs?

copyfail-rs is a Rust tool for CVE-2026-31431 (CopyFail), delivering a Linux kernel page-cache priv-esc PoC with novel PAM auth-bypass, su, and passwd vectors that spawn root shells in one command. It pairs this with the only public detection suite spotting cache-vs-disk diffs that blind FIM tools like AIDE, via CLI modes like `--mode detect --scan` or `--check`. Static musl binaries (~100KB) drop anywhere, no deps needed.

Why is it gaining traction?

Unlike Python/C/Go rivals limited to su vectors and zero detection, copyfail-rs adds PAM auth-bypass stealth, full IR rules (Sigma, auditd, eBPF, AppArmor), and UX like `--hunt` for SSH fleet sweeps or `--watch` daemon. Pre-built binaries for x86_64/aarch64/armv7 mean instant testing; JSON output feeds SIEMs directly.

Who should use this?

Red teamers exploiting or validating CopyFail on Ubuntu/RHEL distros, defenders hunting page-cache tampering post-breach, and kernel engineers auditing unpatched 4.14+ systems pre-mainline fix.

Verdict

Grab for targeted PoC/detection at 10 stars—docs shine, binaries verify easily—but low 0.7% credibility score flags early maturity; pair with `--check` and modprobe blacklists until distros patch.
