CVE-2026-31431. 100% Reliable Linux LPE — no race, no per-distro offsets, page-cache write that bypasses on-disk file-integrity tools and crosses containers. Found by Xint Code.
Very quick cursory review: The Python script appears to decompress what might be an ELF from those compressed bytes. Then it opens a cryptography socket (AF_ALG) with the kernel and sends that whole thing.
So the exploit is in the binary data and would likely take some skilled Linux engineers to decompile it and figure out the exploit.
I’m not entirely sure why they would obfuscate it. Maybe they think it helps with responsible disclosure so people can’t make something more useful than the PoC?
I can at least tell you what it does because I tested it:
It overrides your /usr/bin/su so that it now lets you run as root with no password.
My guess is that the payload is an su command that was modified to run without requiring a password, but it’s also possible - though unlikely - that it just patches your existing su.
Either way, if you run the script, you need to back up your existing su command first.
Correction: The script doesn’t permanently modify the su file; instead, it modifies a cached copy of the file in memory. Restarting your device or doing echo 3 > /proc/sys/vm/drop_caches to flush the cache restores the su file to its original state.
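Added example, not part of any comment in this thread or of the published PoC: a defender-side check that hashes a file twice, once through normal reads (served from the page cache) and once with O_DIRECT (read from the underlying storage), and reports whether the two views agree. It assumes Linux, a filesystem that honours O_DIRECT, and that the tampering lives only in the page cache as the correction above describes; the function names are made up for this sketch.

```python
import errno, hashlib, mmap, os, sys

CHUNK = 1 << 20                      # multiple of common logical block sizes
UNSUPPORTED = (errno.EINVAL, errno.EOPNOTSUPP)

def cached_sha256(path):
    """Hash the file as ordinary readers (and exec) see it: via the page cache."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def direct_sha256(path):
    """Hash the file with O_DIRECT so the data comes from storage, not the cache.
    Returns None when the filesystem refuses direct I/O (e.g. older tmpfs)."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
    except OSError as e:
        if e.errno in UNSUPPORTED:
            return None
        raise
    buf = mmap.mmap(-1, CHUNK)       # anonymous mapping is page-aligned, as O_DIRECT needs
    h = hashlib.sha256()
    try:
        size, done = os.fstat(fd).st_size, 0
        while done < size:           # stop at EOF; never issue an unaligned read
            n = os.readv(fd, [buf])
            if n == 0:
                break
            h.update(buf[:n])
            done += n
    except OSError as e:
        if e.errno in UNSUPPORTED:
            return None
        raise
    finally:
        buf.close()
        os.close(fd)
    return h.hexdigest()

def cache_matches_disk(path):
    """True: views agree. False: cached copy differs from storage. None: cannot tell.
    Some filesystems silently fall back to buffered reads, so True is not proof."""
    direct = direct_sha256(path)
    return None if direct is None else direct == cached_sha256(path)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin/su"
    labels = {True: "cache matches disk", False: "MISMATCH", None: "O_DIRECT unsupported"}
    print(target, labels[cache_matches_disk(target)])
```

A mismatch on a file nobody is writing to is worth investigating before the cache is dropped or the host rebooted, since either action discards the modified pages.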
I’m not sure how much of it is obfuscation and how much of it is golfing. Ze golfed it so ze could make the pretty valid “just 732 bytes python script” claim.
The compression could very well be just a way to write a binary in Python plaintext. ChatGPT claims it just attempts to sudo, run /bin/sh if that succeeds, and exit if that fails.
I agree. This seems fishy to me. I am concerned about compressed code in a public disclosure like this. Also it seems like all the documentation was written by AI.
The Python script to check if you are vulnerable is extremely suspicious and hard to decipher.
The entire page is an advertisement for an AI tool that helped uncover it. Guess that’s the demonstration on how it augments a report.
Here it is after improving readability a little
https://pastebin.com/iW8BRrdX