Metasploit Wrap-Up 05/01/2026


MCP server

In this release, our very own cdelafuente-r7 finished implementing the Metasploit MCP Server (msfmcpd), bringing Model Context Protocol support to Metasploit Framework. MCP lets AI applications like Claude, Cursor, or your own custom agents query Metasploit data. Think of it as a middleware layer that exposes 8 standardized tools for searching modules and pulling reconnaissance data, all built on the official Ruby MCP SDK.

This first iteration is read-only, covering modules, hosts, services, vulnerabilities, and more. Tools for module execution, session interaction, and database modifications are on the roadmap for a future release. Full details are available in the documentation.

Copy Fail

Earlier this week, details of a new and high-profile Linux LPE were released alongside a public PoC. The bug, nicknamed Copy Fail and tracked as CVE-2026-31431, is a logic flaw in the cryptographic APIs exposed by the Linux Kernel. Metasploit has shipped a local exploit this week to leverage the flaw on AMD64 and AARCH64 targets, with additional architectures planned for future releases. The exploit, which replaces the ‘su’ binary in the page cache with a small ELF file, allows users to specify command payloads for execution and will automatically determine the appropriate target architecture.

New module content (3)

Microsoft Windows HTTP to LDAP Relay

Author: jheysel-r7

Type: Auxiliary

Pull request: #21323 contributed by jheysel-r7

Path: server/relay/http_to_ldap

Description: This adds a new NTLM relay module that relays from HTTP to LDAP. On success, an authenticated LDAP session is opened which allows the operator to interact with the LDAP service in the context of the relayed identity.

Copy Fail AF_ALG + authencesn Page-Cache Write

Authors: Diego Ledda, Spencer McIntyre, Xint Code, and rootsecdev

Type: Exploit

Pull request: #21395 contributed by zeroSteiner

Path: linux/local/cve_2026_31431_copy_fail

AttackerKB reference: CVE-2026-31431

Description: Adds a module for CVE-2026-31431 (The Copy Fail LPE for Linux), a local privilege escalation affecting almost every Linux Kernel since 2017.

Linux Execute Command

Author: Spencer McIntyre

Type: Payload (Single)

Pull request: #21395 contributed by zeroSteiner

Path: linux/aarch64/exec

Description: Adds a module for CVE-2026-31431 (The Copy Fail LPE for Linux), a local privilege escalation affecting almost every Linux Kernel since 2017.

Enhancements and features (5)

Bugs fixed (0)

None

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
