DirtyDecrypt: PoC Released for yet another Linux flaw
DirtyDecrypt: PoC Released for yet another Linux flaw
Publish Date: 2026-05-20 04:11:00
Source Domain: securityaffairs.com
DirtyDecrypt: PoC Released for yet another Linux flaw
Pierluigi Paganini
May 20, 2026
DirtyDecrypt (CVE-2026-31635): working PoC out for a Linux kernel LPE flaw. Missing COW guard in rxgk_decrypt_skb lets local attackers reach root.
After Copy Fail, Dirty Frag, and Fragnesia, here comes DirtyDecrypt, another local privilege escalation vulnerability in the kernel, this time with a working proof-of-concept already out in the open.
The flaw was discovered and reported on May 9, 2026 by the Zellic and V12 security team, who kernel maintainers then told that it was a duplicate of something already fixed upstream. No CVE was assigned directly to their report, but the National Vulnerability Database includes a link to the DirtyDecrypt PoC in the record for CVE-2026-31635 (CVSS 7.5), making the connection clear enough. The exploit code is publicly available on GitHub.
“DirtyDecrypt, also known as DirtyCBC, is a variant of CopyFail / DirtyFrag / Fragnesia. We found and reported this on May 9, 2026, but was informed it was a duplicate by the maintainers. We’re releasing it now since it’s patched on mainline.” reads the PoC description. “It’s a rxgk pagecache write due to missing COW guard in rxgk_decrypt_skb. See poc.c for more details.”
The vulnerability resides in the function rxgk_decrypt_skb() that is responsible for decrypting incoming socket buffers in the rxgk subsystem. The core issue is a missing copy-on-write (COW) guard, the mechanism the kernel uses to prevent writes to shared memory pages from bleeding into other processes’ data.
“The specific fault sits in rxgk_decrypt_skb(), the function that decrypts an incoming sk_buff (socket buffer) on the receive side. In this code path the kernel handles memory pages that are partly shared with the page cache of other processes — a normal Linux optimisation protected by copy-on-write: as soon as a write to a…
