PoC Code Published for DirtyDecrypt Linux Kernel Flaw

https://cyberpress.org/poc-code-dirtydecrypt-linux-kernel/

Publish Date: 2026-05-20 04:13:00

Source Domain: cyberpress.org

A working proof-of-concept exploit has been publicly released for DirtyDecrypt (DirtyCBC), a high-severity Linux kernel local privilege escalation vulnerability linked to CVE-2026-31635 that allows unprivileged local users to gain full root access on affected systems.

The PoC was developed and published on May 18, 2026, by the Zellic and V12 security team, who described the bug as “a rxgk pagecache write due to missing COW [copy-on-write] guard in rxgk_decrypt_skb.”

The exploit has been validated against Fedora and mainline Linux kernels, and the PoC code is hosted publicly on GitHub.

DirtyDecrypt refers to a local privilege escalation (LPE) vulnerability residing in the Linux kernel’s RxGK subsystem, the GSS-API-based security layer for RxRPC, the network transport used by the Andrew File System (AFS) client.

PoC Released for DirtyDecrypt Linux Kernel

The flaw sits specifically inside the rxgk_decrypt_skb() function, which handles decryption of incoming socket buffers (sk_buff) on the receive side.

“The root cause is a missing copy-on-write (COW) guard: when decrypting an incoming socket buffer, the kernel writes directly to a shared page-cache page without first creating a private copy,” said Moselwal.

Fedora Privilege Escalation Exploit (Source: Will Dormann)

This unguarded write can land in memory belonging to privileged processes, or in the page cache of sensitive privileged files such as /etc/shadow, /etc/sudoers, or SUID binaries, allowing an unprivileged local attacker to corrupt those pages and achieve root.

The more precise technical chain, per analysis by Delphos Labs, runs through rxgk_verify_response() → rxgk_extract_token() → rxgk_decrypt_skb() → skb_to_sgvec() → crypto_krb5_decrypt(), with the actual exploit leveraging decrypt-before-MAC over MSG_SPLICE_PAGES-aliased pages combined with an AES-CBC chosen-plaintext construction.

The V12 team did not publicly assign a CVE at disclosure,…
