pcdoyle/copy-fail-cve-2026-31431
2
2
Fork 1
Code Issues Pull requests Releases 8 Activity Actions
8 releases 11 tags
  • v1.202605.011 0ea6d57e7c

    v1.202605.011 Stable

    pcdoyle released this 2026-05-05 04:22:47 +00:00 | 1 commits to main since this release

    Changes (Major Update v0 -> v1)

    • Regularized output so that all commands/switches allow for json output (--format json|text|pretty).
    • All commands now "pretty print" with lipgloss, previously only the main report printed pretty output.
    • Minor bug fixes, minor display fixes, added a --width option when pretty printing.
    • Lots of visual improvements, and output improvements.
    • kmod has better instructions on how to download the kernal headers and other required components (none require a reboot).
    • Increased tests for kprobe and kmod on RHEL-family installs (64-bit), all currently supported versions (8/9/10) of: RHEL/Rocky/Alma/Oracle/CentOS.
    • Tested on all currently supported Debian/Ubuntu versions.
    • Tested on VMware ESX 8/9 and vSphere 8/9 (none we tested were vulnerable)
    • Tested on Proxmox (modprobe works)
    • Tested on ArchLinux (most people would be on an unaffected kernel)
    • Tested on Linux Mint.

    Automatic Install

    Auto-detects your arch, downloads the right binary into $(pwd), and verifies its SHA-256 against the published SHA256SUMS:

    curl -fsSL https://copyfail.pcdoyle.dev/install.sh | sh

    Always grabs the latest release. Exits non-zero on checksum mismatch and removes the bad file.

    Manual Downloads

    Binary Target When to grab
    cvecheck-linux-x86_64 Linux x86-64 (Intel/AMD 64-bit) Default for servers, desktops, laptops, most VMs/containers. Ubuntu/Debian/RHEL/Fedora/Rocky/Alma/Oracle/SUSE/Alpine/Arch on x86_64.
    cvecheck-linux-arm64 Linux ARM 64-bit (aarch64) AWS Graviton, Ampere Altra, Apple Silicon Linux VMs, Raspberry Pi 4/5 (64-bit OS), Oracle/Azure ARM instances.
    cvecheck-linux-x86 Linux x86 32-bit (i386 / i686) Legacy 32-bit hosts only. Old industrial boxes, ancient VMs. Skip unless you know you need it.

    Pick the right one for your system (quick guide)

    Run uname and check the output.

    uname -m
# x86_64      -> cvecheck-linux-x86_64
# aarch64     -> cvecheck-linux-arm64
# i686 / i386 -> cvecheck-linux-x86

    Verify manually

    SHA256SUMS is published as a release asset alongside the binaries. Each
    line is <sha256> <filename>.

    # Download the binary you want plus the checksum file.
curl -LO https://git.pcdoyle.dev/pcdoyle/copy-fail-cve-2026-31431/releases/download/latest/cvecheck-linux-x86_64
curl -LO https://git.pcdoyle.dev/pcdoyle/copy-fail-cve-2026-31431/releases/download/latest/SHA256SUMS

# Verify (only checks files present in the current directory).
sha256sum --ignore-missing -c SHA256SUMS
# cvecheck-linux-x86_64: OK

    Inline form (no SHA256SUMS download):

    echo "<paste-hash-here> cvecheck-linux-x86_64" | sha256sum -c -

    Run

    chmod +x cvecheck-linux-x86_64
./cvecheck-linux-x86_64                    # pretty styled report
./cvecheck-linux-x86_64 --format=json | jq # SIEM/automation
./cvecheck-linux-x86_64 --quiet; echo $?   # exit code only
sudo ./cvecheck-linux-x86_64               # needed when /boot is root-only
    Downloads
  • v0.202605.117 bface665c2

    v0.202605.117 Stable

    pcdoyle released this 2026-05-04 21:59:23 +00:00 | 6 commits to main since this release

    Changes

    • Fixed bug that affected AlmaLinux 10, a kprobe preflight check was left in with the kmod preflight checks and AlmaLinux 10 failed when installing kmod when it didn't need to fail.

    Automatic Install

    Auto-detects your arch, downloads the right binary into $(pwd), and verifies its SHA-256 against the published SHA256SUMS:

    curl -fsSL https://copyfail.pcdoyle.dev/install.sh | sh

    Always grabs the latest release. Exits non-zero on checksum mismatch and removes the bad file.

    Manual Downloads

    Binary Target When to grab
    cvecheck-linux-x86_64 Linux x86-64 (Intel/AMD 64-bit) Default for servers, desktops, laptops, most VMs/containers. Ubuntu/Debian/RHEL/Fedora/Rocky/Alma/Oracle/SUSE/Alpine/Arch on x86_64.
    cvecheck-linux-arm64 Linux ARM 64-bit (aarch64) AWS Graviton, Ampere Altra, Apple Silicon Linux VMs, Raspberry Pi 4/5 (64-bit OS), Oracle/Azure ARM instances.
    cvecheck-linux-x86 Linux x86 32-bit (i386 / i686) Legacy 32-bit hosts only. Old industrial boxes, ancient VMs. Skip unless you know you need it.

    Changes

    • Fixed bug that affected AlmaLinux 10, a kprobe preflight check was left in with the kmod preflight checks and AlmaLinux 10 failed when installing kmod when it didn't need to fail.

    Verify manually

    SHA256SUMS is published as a release asset alongside the binaries. Each
    line is <sha256> <filename>.

    # Download the binary you want plus the checksum file.
curl -LO https://git.pcdoyle.dev/pcdoyle/copy-fail-cve-2026-31431/releases/download/latest/cvecheck-linux-x86_64
curl -LO https://git.pcdoyle.dev/pcdoyle/copy-fail-cve-2026-31431/releases/download/latest/SHA256SUMS

# Verify (only checks files present in the current directory).
sha256sum --ignore-missing -c SHA256SUMS
# cvecheck-linux-x86_64: OK

    Inline form (no SHA256SUMS download):

    echo "<paste-hash-here> cvecheck-linux-x86_64" | sha256sum -c -

    Run

    chmod +x cvecheck-linux-x86_64
./cvecheck-linux-x86_64                    # pretty styled report
./cvecheck-linux-x86_64 --format=json | jq # SIEM/automation
./cvecheck-linux-x86_64 --quiet; echo $?   # exit code only
sudo ./cvecheck-linux-x86_64               # needed when /boot is root-only
    Downloads
  • v0.202605.115 594f4a535d

    v0.202605.115 Stable

    effie released this 2026-05-03 23:20:13 +00:00 | 11 commits to main since this release

    Changes

    • Fixed RHEL-based distro non-reboot mitigation, works on almost all now (8/9/10).
    • Added cvecheck mitigation kmod, a native C kernel module fallback for built-in algif_aead hosts where the eBPF kprobe stop-gap fails the verifier check unknown func bpf_override_return (kernels with CONFIG_FUNCTION_ERROR_INJECTION=y but CONFIG_BPF_KPROBE_OVERRIDE=n, e.g. RHEL/CentOS 8). Same primitive (kprobe at __x64_sys_socket + override_function_with_return), no BPF helper gate. Auto-loads on boot via /etc/modules-load.d/cvecheck-kmod.conf. Requires kernel-devel headers + gcc + make at install time. Verdict's remediation block now points at kmod install when kprobe is gated off.

    Automatic Install

    Auto-detects your arch, downloads the right binary into $(pwd), and verifies its SHA-256 against the published SHA256SUMS:

    curl -fsSL https://copyfail.pcdoyle.dev/install.sh | sh

    Always grabs the latest release. Exits non-zero on checksum mismatch and removes the bad file.

    Manual Downloads

    Binary Target When to grab
    cvecheck-linux-x86_64 Linux x86-64 (Intel/AMD 64-bit) Default for servers, desktops, laptops, most VMs/containers. Ubuntu/Debian/RHEL/Fedora/Rocky/Alma/Oracle/SUSE/Alpine/Arch on x86_64.
    cvecheck-linux-arm64 Linux ARM 64-bit (aarch64) AWS Graviton, Ampere Altra, Apple Silicon Linux VMs, Raspberry Pi 4/5 (64-bit OS), Oracle/Azure ARM instances.
    cvecheck-linux-x86 Linux x86 32-bit (i386 / i686) Legacy 32-bit hosts only. Old industrial boxes, ancient VMs. Skip unless you know you need it.

    Pick the right one for your system (quick guide)

    Run uname and check the output.

    uname -m
# x86_64      -> cvecheck-linux-x86_64
# aarch64     -> cvecheck-linux-arm64
# i686 / i386 -> cvecheck-linux-x86

    Verify manually

    SHA256SUMS is published as a release asset alongside the binaries. Each
    line is <sha256> <filename>.

    # Download the binary you want plus the checksum file.
curl -LO https://git.pcdoyle.dev/pcdoyle/copy-fail-cve-2026-31431/releases/download/latest/cvecheck-linux-x86_64
curl -LO https://git.pcdoyle.dev/pcdoyle/copy-fail-cve-2026-31431/releases/download/latest/SHA256SUMS

# Verify (only checks files present in the current directory).
sha256sum --ignore-missing -c SHA256SUMS
# cvecheck-linux-x86_64: OK

    Inline form (no SHA256SUMS download):

    echo "<paste-hash-here> cvecheck-linux-x86_64" | sha256sum -c -

    Run

    chmod +x cvecheck-linux-x86_64
./cvecheck-linux-x86_64                    # pretty styled report
./cvecheck-linux-x86_64 --format=json | jq # SIEM/automation
./cvecheck-linux-x86_64 --quiet; echo $?   # exit code only
sudo ./cvecheck-linux-x86_64               # needed when /boot is root-only
    Downloads
  • v0.202605.107 76fd9b3718

    v0.202605.107 Stable

    effie released this 2026-05-01 21:35:20 +00:00 | 20 commits to main since this release

    Changes

    • Fixed RHEL-based distro non-reboot mitigation, works on almost all now (8/9/10).

    Automatic Install

    Auto-detects your arch, downloads the right binary into $(pwd), and verifies its SHA-256 against the published SHA256SUMS:

    curl -fsSL https://copyfail.pcdoyle.dev/install.sh | sh

    Always grabs the latest release. Exits non-zero on checksum mismatch and removes the bad file.

    Manual Downloads

    Binary Target When to grab
    cvecheck-linux-x86_64 Linux x86-64 (Intel/AMD 64-bit) Default for servers, desktops, laptops, most VMs/containers. Ubuntu/Debian/RHEL/Fedora/Rocky/Alma/Oracle/SUSE/Alpine/Arch on x86_64.
    cvecheck-linux-arm64 Linux ARM 64-bit (aarch64) AWS Graviton, Ampere Altra, Apple Silicon Linux VMs, Raspberry Pi 4/5 (64-bit OS), Oracle/Azure ARM instances.
    cvecheck-linux-x86 Linux x86 32-bit (i386 / i686) Legacy 32-bit hosts only. Old industrial boxes, ancient VMs. Skip unless you know you need it.

    Pick the right one for your system (quick guide)

    Run uname and check the output.

    uname -m
# x86_64      -> cvecheck-linux-x86_64
# aarch64     -> cvecheck-linux-arm64
# i686 / i386 -> cvecheck-linux-x86

    Verify manually

    SHA256SUMS is published as a release asset alongside the binaries. Each
    line is <sha256> <filename>.

    # Download the binary you want plus the checksum file.
curl -LO https://git.pcdoyle.dev/pcdoyle/copy-fail-cve-2026-31431/releases/download/latest/cvecheck-linux-x86_64
curl -LO https://git.pcdoyle.dev/pcdoyle/copy-fail-cve-2026-31431/releases/download/latest/SHA256SUMS

# Verify (only checks files present in the current directory).
sha256sum --ignore-missing -c SHA256SUMS
# cvecheck-linux-x86_64: OK

    Inline form (no SHA256SUMS download):

    echo "<paste-hash-here> cvecheck-linux-x86_64" | sha256sum -c -

    Run

    chmod +x cvecheck-linux-x86_64
./cvecheck-linux-x86_64                    # pretty styled report
./cvecheck-linux-x86_64 --format=json | jq # SIEM/automation
./cvecheck-linux-x86_64 --quiet; echo $?   # exit code only
sudo ./cvecheck-linux-x86_64               # needed when /boot is root-only
    Downloads
  • v0.202605.104 453ee1d34f

    v0.202605.104 Stable

    effie released this 2026-05-01 18:29:28 +00:00 | 24 commits to main since this release

    Added RHEL Official Mitigation

    Automatic Install

    Auto-detects your arch, downloads the right binary into $(pwd), and verifies its SHA-256 against the published SHA256SUMS:

    curl -fsSL https://copyfail.pcdoyle.dev/install.sh | sh

    Always grabs the latest release. Exits non-zero on checksum mismatch and removes the bad file.

    Manual Downloads

    Binary Target When to grab
    cvecheck-linux-x86_64 Linux x86-64 (Intel/AMD 64-bit) Default for servers, desktops, laptops, most VMs/containers. Ubuntu/Debian/RHEL/Fedora/Rocky/Alma/Oracle/SUSE/Alpine/Arch on x86_64.
    cvecheck-linux-arm64 Linux ARM 64-bit (aarch64) AWS Graviton, Ampere Altra, Apple Silicon Linux VMs, Raspberry Pi 4/5 (64-bit OS), Oracle/Azure ARM instances.
    cvecheck-linux-x86 Linux x86 32-bit (i386 / i686) Legacy 32-bit hosts only. Old industrial boxes, ancient VMs. Skip unless you know you need it.

    Pick the right one for your system (quick guide)

    Run uname and check the output.

    uname -m
# x86_64      -> cvecheck-linux-x86_64
# aarch64     -> cvecheck-linux-arm64
# i686 / i386 -> cvecheck-linux-x86

    Verify manually

    SHA256SUMS is published as a release asset alongside the binaries. Each
    line is <sha256> <filename>.

    # Download the binary you want plus the checksum file.
curl -LO https://git.pcdoyle.dev/pcdoyle/copy-fail-cve-2026-31431/releases/download/v0.202605.104/cvecheck-linux-arm64
curl -LO https://git.pcdoyle.dev/pcdoyle/copy-fail-cve-2026-31431/releases/download/v0.202605.104/SHA256SUMS

# Verify (only checks files present in the current directory).
sha256sum --ignore-missing -c SHA256SUMS
# cvecheck-linux-x86_64: OK

    Inline form (no SHA256SUMS download):

    echo "<paste-hash-here> cvecheck-linux-x86_64" | sha256sum -c -

    Run

    chmod +x cvecheck-linux-x86_64
./cvecheck-linux-x86_64                    # pretty styled report
./cvecheck-linux-x86_64 --format=json | jq # SIEM/automation
./cvecheck-linux-x86_64 --quiet; echo $?   # exit code only
sudo ./cvecheck-linux-x86_64               # needed when /boot is root-only
    Downloads
  • v0.202605.015 1f94045132

    v0.202605.015 Stable

    effie released this 2026-05-01 17:58:43 +00:00 | 25 commits to main since this release

    Automatic Install

    Auto-detects your arch, downloads the right binary into $(pwd), and verifies its SHA-256 against the published SHA256SUMS:

    curl -fsSL https://copyfail.pcdoyle.dev/install.sh | sh

    Always grabs the latest release. Exits non-zero on checksum mismatch and removes the bad file.

    Manual Downloads

    Binary Target When to grab
    cvecheck-linux-x86_64 Linux x86-64 (Intel/AMD 64-bit) Default for servers, desktops, laptops, most VMs/containers. Ubuntu/Debian/RHEL/Fedora/Rocky/Alma/Oracle/SUSE/Alpine/Arch on x86_64.
    cvecheck-linux-arm64 Linux ARM 64-bit (aarch64) AWS Graviton, Ampere Altra, Apple Silicon Linux VMs, Raspberry Pi 4/5 (64-bit OS), Oracle/Azure ARM instances.
    cvecheck-linux-x86 Linux x86 32-bit (i386 / i686) Legacy 32-bit hosts only. Old industrial boxes, ancient VMs. Skip unless you know you need it.

    Pick the right one for your system (quick guide)

    Run uname and check the output.

    uname -m
# x86_64      -> cvecheck-linux-x86_64
# aarch64     -> cvecheck-linux-arm64
# i686 / i386 -> cvecheck-linux-x86

    Verify manually

    SHA256SUMS is published as a release asset alongside the binaries. Each
    line is <sha256> <filename>.

    # Download the binary you want plus the checksum file.
curl -LO https://git.pcdoyle.dev/pcdoyle/copy-fail-cve-2026-31431/releases/download/v0.202605.015/cvecheck-linux-arm64
curl -LO https://git.pcdoyle.dev/pcdoyle/copy-fail-cve-2026-31431/releases/download/v0.202605.015/SHA256SUMS

# Verify (only checks files present in the current directory).
sha256sum --ignore-missing -c SHA256SUMS
# cvecheck-linux-x86_64: OK

    Inline form (no SHA256SUMS download):

    echo "<paste-hash-here> cvecheck-linux-x86_64" | sha256sum -c -

    Run

    chmod +x cvecheck-linux-x86_64
./cvecheck-linux-x86_64                    # pretty styled report
./cvecheck-linux-x86_64 --format=json | jq # SIEM/automation
./cvecheck-linux-x86_64 --quiet; echo $?   # exit code only
sudo ./cvecheck-linux-x86_64               # needed when /boot is root-only
    Downloads
  • v0.202605.014 def1a5c7c6

    Prod Ready (v0.202605.014) Stable

    effie released this 2026-05-01 17:08:58 +00:00 | 31 commits to main since this release

    Automatic Install

    Auto-detects your arch, downloads the right binary into $(pwd), and verifies its SHA-256 against the published SHA256SUMS:

    curl -fsSL https://copyfail.pcdoyle.dev/install.sh | sh

    Always grabs the latest release. Exits non-zero on checksum mismatch and removes the bad file.

    Manual Downloads

    Binary Target When to grab
    cvecheck-linux-x86_64 Linux x86-64 (Intel/AMD 64-bit) Default for servers, desktops, laptops, most VMs/containers. Ubuntu/Debian/RHEL/Fedora/Rocky/Alma/Oracle/SUSE/Alpine/Arch on x86_64.
    cvecheck-linux-arm64 Linux ARM 64-bit (aarch64) AWS Graviton, Ampere Altra, Apple Silicon Linux VMs, Raspberry Pi 4/5 (64-bit OS), Oracle/Azure ARM instances.
    cvecheck-linux-x86 Linux x86 32-bit (i386 / i686) Legacy 32-bit hosts only. Old industrial boxes, ancient VMs. Skip unless you know you need it.

    Pick the right one for your system (quick guide)

    Run uname and check the output.

    uname -m
# x86_64      -> cvecheck-linux-x86_64
# aarch64     -> cvecheck-linux-arm64
# i686 / i386 -> cvecheck-linux-x86

    Verify manually

    SHA256SUMS is published as a release asset alongside the binaries. Each
    line is <sha256> <filename>.

    # Download the binary you want plus the checksum file.
curl -LO https://git.pcdoyle.dev/pcdoyle/copy-fail-cve-2026-31431/releases/download/v0.202605.014/cvecheck-linux-arm64
curl -LO https://git.pcdoyle.dev/pcdoyle/copy-fail-cve-2026-31431/releases/download/v0.202605.014/SHA256SUMS

# Verify (only checks files present in the current directory).
sha256sum --ignore-missing -c SHA256SUMS
# cvecheck-linux-x86_64: OK

    Inline form (no SHA256SUMS download):

    echo "<paste-hash-here> cvecheck-linux-x86_64" | sha256sum -c -

    Run

    chmod +x cvecheck-linux-x86_64
./cvecheck-linux-x86_64                    # pretty styled report
./cvecheck-linux-x86_64 --format=json | jq # SIEM/automation
./cvecheck-linux-x86_64 --quiet; echo $?   # exit code only
sudo ./cvecheck-linux-x86_64               # needed when /boot is root-only
    Downloads
  • v0.202604.031 5add69fadc

    Initial Release (v0.202604.031) Pre-release

    pcdoyle released this 2026-04-30 13:49:43 +00:00 | 38 commits to main since this release

    Automatic Install

    Auto-detects your arch, downloads the right binary into $(pwd), and verifies its SHA-256 against the published SHA256SUMS:

    curl -fsSL https://copyfail.pcdoyle.dev/install.sh | sh

    Always grabs the latest release. Exits non-zero on checksum mismatch and removes the bad file.

    Manual Downloads

    Binary Target When to grab
    cvecheck-linux-x86_64 Linux x86-64 (Intel/AMD 64-bit) Default for servers, desktops, laptops, most VMs/containers. Ubuntu/Debian/RHEL/Fedora/Rocky/Alma/Oracle/SUSE/Alpine/Arch on x86_64.
    cvecheck-linux-arm64 Linux ARM 64-bit (aarch64) AWS Graviton, Ampere Altra, Apple Silicon Linux VMs, Raspberry Pi 4/5 (64-bit OS), Oracle/Azure ARM instances.
    cvecheck-linux-x86 Linux x86 32-bit (i386 / i686) Legacy 32-bit hosts only. Old industrial boxes, ancient VMs. Skip unless you know you need it.

    Pick the right one for your system (quick guide)

    Run uname and check the output.

    uname -m
# x86_64      -> cvecheck-linux-x86_64
# aarch64     -> cvecheck-linux-arm64
# i686 / i386 -> cvecheck-linux-x86

    Verify manually

    SHA256SUMS is published as a release asset alongside the binaries. Each
    line is <sha256> <filename>.

    # Download the binary you want plus the checksum file.
curl -LO https://github.com/pcdoyle/copy-fail-cve-2026-31431/releases/latest/download/cvecheck-linux-x86_64
curl -LO https://github.com/pcdoyle/copy-fail-cve-2026-31431/releases/latest/download/SHA256SUMS

# Verify (only checks files present in the current directory).
sha256sum --ignore-missing -c SHA256SUMS
# cvecheck-linux-x86_64: OK

    Inline form (no SHA256SUMS download):

    echo "<paste-hash-here> cvecheck-linux-x86_64" | sha256sum -c -

    Run

    chmod +x cvecheck-linux-x86_64
./cvecheck-linux-x86_64                    # pretty styled report
./cvecheck-linux-x86_64 --format=json | jq # SIEM/automation
./cvecheck-linux-x86_64 --quiet; echo $?   # exit code only
sudo ./cvecheck-linux-x86_64               # needed when /boot is root-only
    Downloads