cve-2026-31431-check is a small Bash triage script for checking local Linux exposure and mitigation indicators for CVE-2026-31431, also known as "Copy Fail."
The script targets Debian, Ubuntu, and Debian-family derivatives (including Linux Mint, Pop!_OS, and similar dpkg/APT-based systems). It exits with code 3 on non-Debian-family hosts or without dpkg-query. It does not rely on kernel version alone, because vendor backports and mitigation packages can make version-only checks misleading.
In containers, chroots, or environments where /proc boot time, module state, or /var/lib/dpkg does not reflect the real host, reboot and package timestamps may be misleading—treat those signals accordingly.
The script reports:
- running OS, kernel,
kmod, and kernel package details - whether
algif_aeadis loaded, built in, loadable, blocked, or absent - whether the running kernel package changelog references the CVE or relevant fix
- whether the system has rebooted since the running kernel package was last installed or upgraded (compared to last boot time), so disk-side changelog evidence is not treated as “clean” while an older kernel may still be running
This script does not determine whether a host was previously exploited.
It checks current local exposure indicators and whether the booted kernel is consistent with the installed running-kernel package timestamps and mitigation state. If the running kernel package changelog references the fix but the host has not rebooted since that package was installed, the script treats that as action required (exit code 1): the in-memory kernel may still predate the on-disk fix until you reboot into the installed image.
chmod +x cve-2026-31431-check
./cve-2026-31431-checkShow help:
./cve-2026-31431-check --helpShow version:
./cve-2026-31431-check --version| Code | Meaning |
|---|---|
| 0 | Patched, mitigated, or likely not exposed based on local checks |
| 1 | Vulnerable or exposed indicator found, or reboot required after a fix is present on disk |
| 2 | Unknown; manual review needed |
| 3 | Script error, unsupported OS (non-Debian-family), or missing dpkg-query |
GPL-3.0-only