DirtyDecrypt Linux Kernel Vulnerability PoC Exploit Code Released
https://cybersecuritynews.com/dirtydecrypt-linux-kernel-vulnerability/
Publish Date: 2026-05-19 13:29:00
Source Domain: cybersecuritynews.com
A working proof-of-concept (PoC) exploit for a high-severity Linux kernel local privilege escalation vulnerability dubbed DirtyDecrypt, also tracked as DirtyCBC, enables local attackers to gain full root access on affected systems.
Security analyst Will Dormann technically attributes the flaw to CVE-2026-31635, a patch for which was quietly merged upstream on April 25, 2026.
DirtyDecrypt resides in the rxgk_decrypt_skb() function within the Linux kernel’s RxGK subsystem, the GSS-API-based security layer for RxRPC, the network transport used by the Andrew File System (AFS) client.
Moselwal said that the root cause is a missing copy-on-write (COW) guard: when decrypting an incoming socket buffer (sk_buff), the kernel writes directly to a shared page-cache page without first creating a private copy.
This unguarded write lands in memory belonging to privileged processes or in the page cache of privileged files, including /etc/shadow, /etc/sudoers, or SUID binaries — allowing a local unprivileged user to corrupt and ultimately overwrite those pages to achieve root.
V12 described their finding as “rxgk pagecache write due to missing COW guard in rxgk_decrypt_skb” and reported it to kernel maintainers on May 9, 2026, only to be told it was a duplicate of an already-patched internal issue.
DirtyDecrypt Affected Distributions
Exploitation requires a Linux kernel compiled with CONFIG_RXGK=y or CONFIG_RXGK=m. In practice, this affects rolling-release distributions that track upstream kernel development closely:
- Fedora (including Rawhide and Workstation, pre-patch)
- Arch Linux (before pacman -Syu)
- openSUSE Tumbleweed (before zypper dup)
- Systems using mainline kernel PPAs or ELRepo kernel-ml on RHEL/CentOS Stream
Stable enterprise distributions — Debian Stable, RHEL 8/9, and Ubuntu LTS — ship with RxGK disabled and are generally not affected by default. Administrators can verify exposure by running:
```bash
zcat …
```
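The article's check for exposure is the presence of CONFIG_RXGK=y or CONFIG_RXGK=m in the running kernel's build configuration. The script below is an added example (not from the article, Will Dormann, or the kernel project) that reads that configuration from the usual locations (/proc/config.gz when the kernel exposes it, else /boot/config-$(uname -r)), parses out the CONFIG_RXGK setting, and maps it to a verdict; it also reports whether an rxgk module is currently loaded. The file locations, the function names and the sample config fragment are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the article or the kernel project.
# Purpose: tell an administrator whether this kernel was built with RxGK,
# which the article names as the precondition for DirtyDecrypt exposure.
# Assumed config locations: /proc/config.gz or /boot/config-$(uname -r).

# rxgk_setting_from_text: read kernel config text on stdin and print the
# CONFIG_RXGK value: "y", "m", "n" (explicitly "is not set") or "absent"
# when the option does not appear at all (e.g. kernels predating RxGK).
rxgk_setting_from_text() {
    awk '
        /^CONFIG_RXGK=/              { sub(/^CONFIG_RXGK=/, ""); print; found = 1; exit }
        /^# CONFIG_RXGK is not set/  { print "n"; found = 1; exit }
        END                          { if (!found) print "absent" }
    '
}

# exposure_verdict: map a CONFIG_RXGK value to a one-line verdict.
exposure_verdict() {
    case "$1" in
        y|m)      echo "exposed: RxGK built in or as a module; apply the kernel update" ;;
        n|absent) echo "not exposed by default: RxGK disabled or not present" ;;
        *)        echo "unknown: unexpected CONFIG_RXGK value '$1'" ;;
    esac
}

# kernel_config_text: print the running kernel's build config from whichever
# standard location is readable; returns 1 if neither is.
kernel_config_text() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        echo "no kernel config found at /proc/config.gz or /boot/config-$(uname -r)" >&2
        return 1
    fi
}

# rxgk_module_loaded: exit 0 if an rxgk module is currently loaded, 1 otherwise.
rxgk_module_loaded() {
    [ -r /proc/modules ] && grep -q '^rxgk ' /proc/modules
}

# Constructed sample config fragment (not taken from any real kernel) so the
# parser can be exercised without reading the host's configuration.
SAMPLE_CONFIG='CONFIG_NET=y
CONFIG_AFS_FS=m
CONFIG_RXGK=m'

# sample_verdict: run the parser and verdict over the constructed sample.
sample_verdict() {
    v=$(printf '%s\n' "$SAMPLE_CONFIG" | rxgk_setting_from_text)
    exposure_verdict "$v"
}

# Live check: only runs when invoked as "sh rxgk_check.sh live", so sourcing
# the file for its functions never touches the running system.
if [ "${1:-}" = "live" ]; then
    cfg=$(kernel_config_text) || exit 1
    value=$(printf '%s\n' "$cfg" | rxgk_setting_from_text)
    echo "CONFIG_RXGK=$value -> $(exposure_verdict "$value")"
    if rxgk_module_loaded; then
        echo "note: rxgk module is currently loaded"
    fi
fi
```

Run it with the `live` argument on the host to be assessed; a `y` or `m` result means the vulnerable code is present and the kernel update should be applied, while a distribution that disables RxGK reports `n` or `absent`. The parser deliberately matches only lines beginning with `CONFIG_RXGK=`, so related options that share the prefix are not mistaken for it.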