Skip to content

ForensicFoundry/cve-2026-31431-check

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 

Repository files navigation

cve-2026-31431-check

cve-2026-31431-check is a small Bash triage script for checking local Linux exposure and mitigation indicators for CVE-2026-31431, also known as "Copy Fail."

The script targets Debian, Ubuntu, and Debian-family derivatives (including Linux Mint, Pop!_OS, and similar dpkg/APT-based systems). It exits with code 3 on non-Debian-family hosts or without dpkg-query. It does not rely on kernel version alone, because vendor backports and mitigation packages can make version-only checks misleading.

In containers, chroots, or environments where /proc boot time, module state, or /var/lib/dpkg does not reflect the real host, reboot and package timestamps may be misleading—treat those signals accordingly.

What it checks

The script reports:

  • running OS, kernel, kmod, and kernel package details
  • whether algif_aead is loaded, built in, loadable, blocked, or absent
  • whether the running kernel package changelog references the CVE or relevant fix
  • whether the system has rebooted since the running kernel package was last installed or upgraded (compared to last boot time), so disk-side changelog evidence is not treated as “clean” while an older kernel may still be running

Important limitation

This script does not determine whether a host was previously exploited.

It checks current local exposure indicators and whether the booted kernel is consistent with the installed running-kernel package timestamps and mitigation state. If the running kernel package changelog references the fix but the host has not rebooted since that package was installed, the script treats that as action required (exit code 1): the in-memory kernel may still predate the on-disk fix until you reboot into the installed image.

Usage

chmod +x cve-2026-31431-check
./cve-2026-31431-check

Show help:

./cve-2026-31431-check --help

Show version:

./cve-2026-31431-check --version

Exit codes

Code Meaning
0 Patched, mitigated, or likely not exposed based on local checks
1 Vulnerable or exposed indicator found, or reboot required after a fix is present on disk
2 Unknown; manual review needed
3 Script error, unsupported OS (non-Debian-family), or missing dpkg-query

License

GPL-3.0-only

About

Check local Linux mitigation/exposure status for CVE-2026-31431 "Copy Fail"

Topics

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors

Languages