Here is the PHP implementation of the Copy Fail Linux LPE (CVE-2026-31431), disclosed 2026-04-29 by Theori / Xint.
AF_ALG Memory Manipulator
This project is a low-level PHP implementation designed to interact with the Linux kernel's AF_ALG socket interface (the user-space entry point to the kernel crypto API). By leveraging the Foreign Function Interface (FFI), it bypasses standard PHP abstractions to communicate directly with kernel-side cryptographic engines and to manipulate file descriptors via the splice(2) system call.
How It Works
The utility operates by initializing a specialized AEAD (Authenticated Encryption with Associated Data) socket. It sets up a specific cryptographic context, `authencesn(hmac(sha256),cbc(aes))`, and uses it as a bridge to move data between a target system binary and the kernel's memory space.
Technical Flow
- Kernel Socket Binding: It creates an `AF_ALG` socket and binds it to the kernel's crypto API.
- Memory Splicing: It uses the `splice` system call to move data between file descriptors (the target binary and the socket) without copying the data through user space.
- Payload Injection: A compressed, hex-encoded payload is decompressed and systematically "spliced" into the memory offset of the running process.
- Execution: Once the memory state has been altered, it attempts to trigger the target process (e.g., `/usr/bin/su`) to verify the state change.
PHP Requirements
Because this script performs raw system calls and manages C-style memory structures, it has strict environment requirements:
- FFI Extension: Must be installed and enabled.
- Configuration: In your `php.ini`, you must set `ffi.enable=true` (or `ffi.enable=cli` if running from the terminal).
- OS: Linux (specifically kernels with `CONFIG_CRYPTO_USER_API_AEAD` enabled).
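The kernel-side requirement listed above is something an administrator can verify on their own hosts. The following is an added example, not code from this project: a POSIX shell audit that reads a kernel config (the running kernel's via `/proc/config.gz` or `/boot/config-$(uname -r)`, or constructed sample text) and reports whether `CONFIG_CRYPTO_USER_API_AEAD` is built in, a module, disabled or absent. The function names and the sample config lines are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the project: audit whether a Linux kernel build
# exposes the AF_ALG AEAD user-space API (CONFIG_CRYPTO_USER_API_AEAD), the
# kernel-side precondition this README lists under "OS".

# Classify one option in kernel config text read from stdin.
#   "builtin"  -> CONFIG_X=y
#   "module"   -> CONFIG_X=m
#   "disabled" -> "# CONFIG_X is not set"
#   "absent"   -> option not mentioned at all (older kernel or stripped config)
# Lines are anchored so CONFIG_CRYPTO_USER_API=y never matches the _AEAD option.
kconfig_state() {
    opt="$1"
    text=$(cat)
    if printf '%s\n' "$text" | grep -q "^${opt}=y\$"; then
        echo builtin
    elif printf '%s\n' "$text" | grep -q "^${opt}=m\$"; then
        echo module
    elif printf '%s\n' "$text" | grep -q "^# ${opt} is not set\$"; then
        echo disabled
    else
        echo absent
    fi
}

# Emit the running kernel's config on stdout; status 1 if neither source is readable.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# One-line verdict for the running kernel. Status 0 means the AEAD interface is
# reachable from user space (built in or loadable module), 1 means it is not,
# 2 means no config could be read.
audit_aead_api() {
    cfg=$(running_kernel_config) || { echo "unknown: no kernel config readable"; return 2; }
    state=$(printf '%s\n' "$cfg" | kconfig_state CONFIG_CRYPTO_USER_API_AEAD)
    echo "CONFIG_CRYPTO_USER_API_AEAD: $state"
    case "$state" in
        builtin|module) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample config fragments (not taken from any real system), used to
# show the possible outcomes without touching the host.
SAMPLE_BUILTIN='CONFIG_CRYPTO_USER_API=y
CONFIG_CRYPTO_USER_API_AEAD=y'
SAMPLE_MODULE='CONFIG_CRYPTO_USER_API=m
CONFIG_CRYPTO_USER_API_AEAD=m'
SAMPLE_DISABLED='CONFIG_CRYPTO_USER_API=y
# CONFIG_CRYPTO_USER_API_AEAD is not set'
SAMPLE_ABSENT='CONFIG_CRYPTO_USER_API=y'

for s in "$SAMPLE_BUILTIN" "$SAMPLE_MODULE" "$SAMPLE_DISABLED" "$SAMPLE_ABSENT"; do
    printf 'sample -> %s\n' "$(printf '%s\n' "$s" | kconfig_state CONFIG_CRYPTO_USER_API_AEAD)"
done

# Live check of this host; failure status is tolerated here so the script
# still completes on hosts without a readable config.
audit_aead_api || :
```

A result of `disabled` or `absent` means the kernel does not expose the AF_ALG AEAD interface this README requires. The config only answers that one precondition; it says nothing about whether the kernel carries the fix for the CVE itself, which has to be checked through the distribution's patch status.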
Installation & Setup
- Check FFI: Verify that FFI is active on your system: `php -m | grep FFI`
- Permissions: Ensure the target binary path in the script matches your local environment (usually `/usr/bin/su`).
- Execution: Run the script with administrative rights: `php CVE-2026-31431.php`
