PoC Exploit Released for DirtyDecrypt Linux Kernel Vulnerability
https://gbhackers.com/poc-exploit-dirtydecrypt-linux-kernel-vulnerability/
Publish Date: 2026-05-20 02:48:00
Source Domain: gbhackers.com
PoC exploit code for the DirtyDecrypt (DirtyCBC) Linux kernel vulnerability has been released publicly, turning a previously theoretical local privilege escalation into a practical, copy‑paste exploit path to root on specific Linux distributions.
DirtyDecrypt (also called DirtyCBC) is a local privilege escalation (LPE) in the Linux kernel’s RxGK security layer for the RxRPC transport used by the Andrew File System (AFS).
The issue is currently associated with CVE‑2026‑31635 because the NVD entry links directly to the public PoC, even though the original CVE text describes a related denial‑of‑service bug in the same code path.
The bug lives in rxgk_decrypt_skb(), where the kernel decrypts incoming RxGK RESPONSE tokens over sk_buff data that may alias page‑cache pages supplied via MSG_SPLICE_PAGES.
Because the code decrypts before verifying the MAC and lacks a proper copy‑on‑write guard, those decrypted bytes can be written directly into page‑cache pages belonging to other processes or to privileged files such as /etc/shadow or SUID binaries.
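A defender's first question is whether a given host even carries this code path. The following exposure check is an added example, not code from the article or from the researchers it cites; it reads the kernel build configuration and assumes the Kconfig symbol names CONFIG_AF_RXRPC (the RxRPC transport) and CONFIG_RXGK (the RxGK security class compiled into it), and the modprobe `install` directive as the usual way to block module autoload.

```shell
#!/bin/sh
# Exposure check for the RxGK code path that rxgk_decrypt_skb() belongs to.
# Assumed symbol names: CONFIG_AF_RXRPC (transport) and CONFIG_RXGK (security class).

# Print how AF_RXRPC is built in the given kernel config text: builtin, module or absent.
rxrpc_build_mode() {
    if grep -qx 'CONFIG_AF_RXRPC=y' "$1"; then echo builtin
    elif grep -qx 'CONFIG_AF_RXRPC=m' "$1"; then echo module
    else echo absent
    fi
}

# Succeed (exit 0) only when the RxGK security class is compiled into rxrpc.
rxgk_enabled() {
    grep -qx 'CONFIG_RXGK=y' "$1"
}

# One-word verdict: not-built, rxrpc-only-<mode>, or exposed-<mode>.
rxgk_verdict() {
    mode=$(rxrpc_build_mode "$1")
    if [ "$mode" = absent ]; then echo not-built
    elif rxgk_enabled "$1"; then echo "exposed-$mode"
    else echo "rxrpc-only-$mode"
    fi
}

# Find this host's config: /boot/config-<release>, else decompress /proc/config.gz.
find_kernel_config() {
    if [ -r "/boot/config-$(uname -r)" ]; then echo "/boot/config-$(uname -r)"
    elif [ -r /proc/config.gz ]; then zcat /proc/config.gz > "/tmp/kconfig.$$" && echo "/tmp/kconfig.$$"
    fi
}

# lsmod alone is not enough: an unloaded rxrpc module can still be autoloaded when a
# process opens an AF_RXRPC socket, so the verdict is based on the build config instead.
report() {
    v=$(rxgk_verdict "$1")
    echo "kernel $(uname -r): $v"
    case $v in
        exposed-module)  echo "mitigation until patched: 'install rxrpc /bin/false' in /etc/modprobe.d/" ;;
        exposed-builtin) echo "RxGK is built in; only a kernel update removes the code path" ;;
    esac
}

# Usage: rxgk_check.sh [path-to-kernel-config]; with no argument the host's own config is used.
if [ $# -ge 1 ]; then report "$1"
else cfg=$(find_kernel_config) && [ -n "$cfg" ] && report "$cfg"
fi
```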
PoC Exploit for DirtyDecrypt
The Zellic and V12 security team, led by Luna Tong (cts/gf_256), has released a working PoC that exploits this page‑cache write primitive to achieve full root on affected systems. The exploit drives the RESPONSE‑packet path rxgk_verify_response() → rxgk_extract_token() → rxgk_decrypt_skb() → skb_to_sgvec() → crypto_krb5_decrypt(), forcing the kernel to decrypt attacker‑controlled ciphertext into aliased page‑cache pages.
Delphos Labs’ primary analysis shows that the attack combines decrypt‑before‑MAC semantics with an AES‑CBC chosen‑plaintext construction using an attacker‑controlled key on the server side.
In practice, the PoC poisons the page cache of a readable SUID‑root binary and then executes it, giving the attacker root without a brute‑force component or a race on copy‑on‑write.
Affected…