# rootpacket (CVE-2026-31431)

A Linux Docker-to-host cryptojacking toolkit captured from live attacks on [Kinryū Labs](https://kinryu.sh) honeypots. It breaks in through an exposed Docker Engine API, escapes the container to root the host with **CVE-2026-31431**, installs a kernel rootkit, and runs an XMRig Monero miner.

**Full technical analysis:** https://kinryu.sh/reports/rootpacket-linux-cryptojacking-rootkit

`TLP:CLEAR`

> ## ⚠️ This repository contains live malware
>
> Every file here is functional, hostile code, including a working privilege-escalation exploit. Handle it **only** inside an isolated, disposable VM with no real network access and a snapshot to roll back to. Never on a host, production system, or network you care about. **You assume all risk.**
>
> If you run Linux, **patch CVE-2026-31431 first** (kernel 6.18.22 / 6.19.12 / 7.0+, or your distro's backport) before going near `getroot`.

## Contents

| File | What it is |
|------|------------|
| `setup.sh` | Installer / orchestrator. Picks root vs userland mode and lays down persistence. |
| `getroot` | ⚠️ Working LPE exploit for **CVE-2026-31431** ("Copy Fail"): an AF_ALG page-cache write that patches `/usr/bin/su` in memory. Also escapes containers to the host. |
| `xrandom` | XMRig-based Monero miner, UPX-packed, renamed to blend in. |
| `killservice.sh` | Competitor eviction + host hardening: kills rival miners, then closes the exposed services (including Docker 2375) it came in through. |
| `kernel/` | `stealth.c` LKM rootkit (disguised as `intel_uncore_freq_aux`) and its DKMS installer. Hides processes and fakes `/proc/stat` + `/proc/meminfo`. |
| `rootpacket.tar.gz` | The packaged toolkit, as delivered from the payload host. |

## Hashes

| File | SHA-256 |
|------|---------|
| `getroot` | `dda96d8a4bcc39dc7679347a4386bf1024152d2ccc46d333725ad0cda855d952` |
| `xrandom` | `ec3ef3dce99fa6cbc480f0f0b0c292676afed68704c44396271c7dc6afea2937` |
| `rootpacket.tar.gz` | `e2d0dab6b29df89d123fe8581047a03ac9b89ae8fa0d1f334b5aefbb93152857` |

`rootpacket.tar.gz`: MD5 `aa09915de9ce9dba8b62995e17fe9b97`, 5,243,465 bytes.

## What it does

- **Delivery:** exposed Docker Engine API on TCP 2375 → a privileged container that bind-mounts host root (`-v /:/host --pid host`) → `chroot /host` → pulls and runs this toolkit.
- **Privilege escalation:** `getroot` exploits CVE-2026-31431, a deterministic 4-byte page-cache write in the AF_ALG `algif_aead` interface (`authencesn(hmac(sha256),cbc(aes))`), to patch `/usr/bin/su` in memory and run shellcode as root. The on-disk file is never touched, so file-integrity monitoring sees nothing. Because the page cache is host-global, the same bug escapes an unprivileged container to the host.
- **Stealth:** the LKM rootkit hides the miner's process and files and fakes CPU/RAM in `/proc`, so `top` shows a calm box.
- **Impact:** XMRig Monero mining as root; `killservice.sh` evicts rival miners and locks down other exposed services.

Affected kernels: Linux 4.14 to 6.19.11. Fixed in 6.18.22 / 6.19.12 / 7.0+.
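An added triage helper for defenders, not part of the toolkit or the repository: it classifies a `uname -r` string against the affected and fixed kernel versions stated above, and flags a Docker `daemon.json` whose `hosts` binds the Engine API to a non-loopback TCP address (the delivery vector described in "What it does"). The `daemon.json` sample is constructed; the function and constant names are this example's own.

```python
import json
import re

# Boundaries as stated above: affected 4.14 .. 6.19.11, fixed in
# 6.18.22 / 6.19.12 / 7.0+. A distro backport is not visible in the version
# string, so "affected" means "confirm against your distro's advisory".
FIRST_AFFECTED = (4, 14, 0)
FIXED_IN_BRANCH = {(6, 18): 22, (6, 19): 12}  # branch -> first fixed patch level
FIXED_FROM = (7, 0, 0)


def kernel_status(release: str) -> str:
    """Classify a `uname -r` string as 'affected', 'fixed' or 'not-affected'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    version = (major, minor, patch)
    if version < FIRST_AFFECTED:
        return "not-affected"
    if version >= FIXED_FROM:
        return "fixed"
    first_fixed = FIXED_IN_BRANCH.get((major, minor))
    if first_fixed is not None and patch >= first_fixed:
        return "fixed"
    return "affected"


def exposed_docker_hosts(daemon_json: str) -> list:
    """Return `hosts` entries that bind the Engine API to a non-loopback TCP address."""
    exposed = []
    for host in json.loads(daemon_json).get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local-only
        addr = host[len("tcp://"):].rsplit(":", 1)[0]
        if addr not in ("127.0.0.1", "localhost", "[::1]"):
            exposed.append(host)  # includes "tcp://:2375" (empty addr = all interfaces)
    return exposed


# Constructed daemon.json with the API listening on every interface.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

if __name__ == "__main__":
    import platform
    if platform.system() == "Linux":
        print("kernel:", platform.release(), "->", kernel_status(platform.release()))
    print("exposed Docker API hosts:", exposed_docker_hosts(SAMPLE_DAEMON_JSON))
```

On a real host, feed `exposed_docker_hosts` the contents of `/etc/docker/daemon.json` and also review any `-H tcp://...` flags in the dockerd systemd unit, which the file-based check does not see.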

## Responsible use

For defensive research, detection engineering, and education only. Do not use these samples, the exploit, or the techniques against systems you do not own or are not explicitly authorised to test. You are responsible for complying with the law in your jurisdiction (CFAA, Computer Misuse Act, and equivalents).

These samples were authored by third-party threat actors and are reproduced unmodified for analysis.

## Contact

Corrections, sample requests, or takedown: **security@kinryu.sh** · [kinryu.sh](https://kinryu.sh)