pcdoyle/copy-fail-cve-2026-31431

Fork 1

8 releases 11 tags

RSS feed

v0.202605.115 594f4a535d

v0.202605.115 Stable

effie released this 2026-05-03 23:20:13 +00:00 | 11 commits to main since this release

Changes

Fixed RHEL-based distro non-reboot mitigation, works on almost all now (8/9/10).
Added cvecheck mitigation kmod, a native C kernel module fallback for built-in algif_aead hosts where the eBPF kprobe stop-gap fails the verifier check unknown func bpf_override_return (kernels with CONFIG_FUNCTION_ERROR_INJECTION=y but CONFIG_BPF_KPROBE_OVERRIDE=n, e.g. RHEL/CentOS 8). Same primitive (kprobe at __x64_sys_socket + override_function_with_return), no BPF helper gate. Auto-loads on boot via /etc/modules-load.d/cvecheck-kmod.conf. Requires kernel-devel headers + gcc + make at install time. Verdict's remediation block now points at kmod install when kprobe is gated off.

Automatic Install

Auto-detects your arch, downloads the right binary into $(pwd), and verifies its SHA-256 against the published SHA256SUMS:

curl -fsSL https://copyfail.pcdoyle.dev/install.sh | sh

Always grabs the latest release. Exits non-zero on checksum mismatch and removes the bad file.

Manual Downloads

Binary	Target	When to grab
`cvecheck-linux-x86_64`	Linux x86-64 (Intel/AMD 64-bit)	Default for servers, desktops, laptops, most VMs/containers. Ubuntu/Debian/RHEL/Fedora/Rocky/Alma/Oracle/SUSE/Alpine/Arch on x86_64.
`cvecheck-linux-arm64`	Linux ARM 64-bit (aarch64)	AWS Graviton, Ampere Altra, Apple Silicon Linux VMs, Raspberry Pi 4/5 (64-bit OS), Oracle/Azure ARM instances.
`cvecheck-linux-x86`	Linux x86 32-bit (i386 / i686)	Legacy 32-bit hosts only. Old industrial boxes, ancient VMs. Skip unless you know you need it.

Pick the right one for your system (quick guide)

Run uname and check the output.

uname -m
# x86_64      -> cvecheck-linux-x86_64
# aarch64     -> cvecheck-linux-arm64
# i686 / i386 -> cvecheck-linux-x86

Verify manually

SHA256SUMS is published as a release asset alongside the binaries. Each
line is <sha256> <filename>.

# Download the binary you want plus the checksum file.
curl -LO https://git.pcdoyle.dev/pcdoyle/copy-fail-cve-2026-31431/releases/download/latest/cvecheck-linux-x86_64
curl -LO https://git.pcdoyle.dev/pcdoyle/copy-fail-cve-2026-31431/releases/download/latest/SHA256SUMS

# Verify (only checks files present in the current directory).
sha256sum --ignore-missing -c SHA256SUMS
# cvecheck-linux-x86_64: OK

Inline form (no SHA256SUMS download):

echo "<paste-hash-here> cvecheck-linux-x86_64" | sha256sum -c -

Run

chmod +x cvecheck-linux-x86_64
./cvecheck-linux-x86_64                    # pretty styled report
./cvecheck-linux-x86_64 --format=json | jq # SIEM/automation
./cvecheck-linux-x86_64 --quiet; echo $?   # exit code only
sudo ./cvecheck-linux-x86_64               # needed when /boot is root-only

Downloads

cvecheck-linux-arm64
37,894 downloads · 2026-05-03 23:19:34 +00:00 · 5 MiB
cvecheck-linux-x86
15,323 downloads · 2026-05-03 23:19:34 +00:00 · 4.8 MiB
cvecheck-linux-x86_64
1,784,092 downloads · 2026-05-03 23:19:34 +00:00 · 7 MiB
SHA256SUMS
1,231,445 downloads · 2026-05-03 23:19:34 +00:00 · 260 B