[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-11374":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":16,"stars7d":16,"stars30d":17,"stars90d":15,"forks30d":15,"starsTrendScore":18,"compositeScore":19,"rankGlobal":9,"rankLanguage":9,"license":9,"archived":20,"fork":20,"defaultBranch":21,"hasWiki":22,"hasPages":20,"topics":23,"createdAt":9,"pushedAt":9,"updatedAt":24,"readmeContent":25,"aiSummary":26,"trendingCount":15,"starSnapshotCount":15,"syncStatus":16,"lastSyncTime":27,"discoverSource":28},11374,"Copy_Fail2-Electric_Boogaloo","0xdeadbeefnetwork\u002FCopy_Fail2-Electric_Boogaloo","0xdeadbeefnetwork","Copy Fail 2: Electric Boogaloo",null,"C",323,33,11,1,0,2,29,6,4.59,false,"main",true,[],"2026-06-12 02:02:31","# Copy Fail 2: Electric Boogaloo\n\nUnprivileged Linux LPE via xfrm ESP-in-UDP MSG_SPLICE_PAGES no-COW fast\npath. Page-cache write into any readable file. Overwrites a nologin\nline in `\u002Fetc\u002Fpasswd` with `sick::0:0:...:\u002F:\u002Fbin\u002Fbash` and `su`s into\nit. Same class as Copy Fail (CVE-2026-31431), different subsystem.\n\nBug: https:\u002F\u002Fgit.kernel.org\u002Fpub\u002Fscm\u002Flinux\u002Fkernel\u002Fgit\u002Fnetdev\u002Fnet.git\u002Fcommit\u002F?id=f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4\n\n## Build\n\n    sudo apt install -y libssl-dev gcc\n    gcc -O2 -Wall copyfail2.c -o copyfail2 -lcrypto\n    gcc -O2 -Wall aa-rootns.c -o aa-rootns\n\n## Run\n\n    .\u002Frun.sh           # install + drop into root shell\n    .\u002Frun.sh --clean   # revert \u002Fetc\u002Fpasswd via the same primitive\n\nAdds passwordless uid-0 user `sick` to `\u002Fetc\u002Fpasswd`, then `exec su - sick`.\nPAM `nullok` accepts the empty password silently — no input needed. The\n`sick` line stays in `\u002Fetc\u002Fpasswd` — re-run drops straight back into root.\nState for `--clean` is stashed at `\u002Fvar\u002Ftmp\u002F.cf2.state`.\n\nNo sudo. esp4 \u002F xfrm_user \u002F xfrm_algo autoload via the userns netlink\npath.\n\n## Tested\n\n| distro             | kernel               | result           |\n|--------------------|----------------------|------------------|\n| Ubuntu 22.04 LTS   | 5.15.0-176-generic   | not vulnerable*  |\n| Ubuntu 24.04 LTS   | 6.8.0-110-generic    | root             |\n| Debian 13          | 6.12.74              | root             |\n| Arch               | 6.19.11-arch1-1      | root             |\n| Fedora 43          | 6.19.14-200.fc43     | root             |\n| Ubuntu 26.04 LTS   | 7.0.0-15-generic     | root             |\n\n\n\n## IPv6\n\nSame bug exists in `esp6_input` and is not covered by the v4 fix\n`f4c50a4034`. PoC in `ipv6\u002F`: `ipv6\u002Frun.sh` and `ipv6\u002Fcopyfail2v6.c`.\nUses `::1` loopback and `ip -6 xfrm`. ESP packet padded to >= 40 bytes\nto clear the `xfrm6_input.c:124` size gate.\n\n## Credits\n\nHyunwoo Kim (imv4bel) and Kuan-Ting Chen reported, tested,\nauthored the upstream fix.\n\nSteffen Klassert: IPsec maintainer, posted the fix to netdev\u002Fnet.git.\n\nBrad Spengler (@spendergrsec \u002F grsecurity): called it copyfail-class\nbefore anyone else read the commit.\n\nTheori \u002F Xint: original Copy Fail (CVE-2026-31431).\n","Copy Fail 2: Electric Boogaloo 是一个利用 Linux 内核漏洞实现本地权限提升的工具。它通过 xfrm ESP-in-UDP MSG_SPLICE_PAGES no-COW 快速路径，实现对任意可读文件的页缓存写入，从而在 `\u002Fetc\u002Fpasswd` 中添加一个无密码的 root 用户 `sick` 并切换到该用户。该项目与 CVE-2026-31431 属于同一类别但涉及不同的子系统。适用于需要进行安全测试和漏洞研究的场景，特别是针对特定版本的 Linux 发行版。项目提供了详细的构建和运行指南，并支持 IPv6 环境下的测试。","2026-06-11 03:31:46","CREATED_QUERY"]