Unprivileged Linux LPE via xfrm ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path. Page-cache write into any readable file. Overwrites a nologin line in /etc/passwd with sick::0:0:...:/:/bin/bash and su s into it. Same class as Copy Fail (CVE-2026-31431), different subsystem. Bug: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4 Build sudo apt install -y libssl-dev gcc gcc -O2 -Wall copyfail2.c -o copyfail2 -lcrypto gcc -O2 -Wall aa-rootns.c -o aa-rootns Run ./run.sh # install + drop into root shell ./run.sh --clean # revert /etc/passwd via the same primitive Adds passwordless uid-0 user sick to /etc/passwd , then exec su - sick . PAM nullok accepts the empty password silently — no input needed. The sick line stays in /etc/passwd — re-run drops straight back into root. State for --clean is stashed at /var/tmp/.cf2.state . No sudo. esp4 / xfrm_user / xfrm_algo autoload via the userns netlink path.…