{"id":249532,"date":"2026-05-19T10:56:00","date_gmt":"2026-05-19T14:56:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/19\/dirtydecrypt-poc-released-for-linux-kernel-cve-2026-31635-lpe-vulnerability\/"},"modified":"2026-05-19T11:55:07","modified_gmt":"2026-05-19T15:55:07","slug":"dirtydecrypt-poc-released-for-linux-kernel-cve-2026-31635-lpe-vulnerability","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/19\/dirtydecrypt-poc-released-for-linux-kernel-cve-2026-31635-lpe-vulnerability\/","title":{"rendered":"DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/dirtydecrypt-poc-released-for-linux.html\">DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/dirtydecrypt-poc-released-for-linux.html\">https:\/\/thehackernews.com\/2026\/05\/dirtydecrypt-poc-released-for-linux.html<\/a><\/p>\n<p>Publish Date: 2026-05-19 10:56:00<\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>Proof-of-concept (PoC) exploit code has now been released for a recently patched security flaw in the Linux kernel that could allow for local privilege escalation (LPE).<\/p>\n<p>Dubbed <strong>DirtyDecrypt<\/strong> (aka DirtyCBC), the vulnerability was discovered and reported by the Zellic and V12 security team on May 9, 2026, only to be informed by the maintainers that it was a duplicate of a vulnerability that had already been patched in the mainline.<\/p>\n<p>&#8220;It&#8217;s a rxgk pagecache write due to missing COW [copy-on-write] guard in rxgk_decrypt_skb,&#8221; Zellic co-founder Luna Tong (aka cts and gf_256) said in a description shared on GitHub.<\/p>\n<p>Although the CVE identifier was not disclosed, the vulnerability in question is CVE-2026-31635 (CVSS score: 7.5) based 
on the fact that the NIST National Vulnerability Database (NVD) includes a link to the DirtyDecrypt PoC in its CVE record.<\/p>\n<p>&#8220;The specific fault sits in rxgk_decrypt_skb(), the function that decrypts an incoming sk_buff (socket buffer) on the receive side,&#8221; Moselwal said.<\/p>\n<p>&#8220;In this code path the kernel handles memory pages that are partly shared with the page cache of other processes \u2013 a normal Linux optimisation protected by copy-on-write: as soon as a write to a shared page happens, a private copy is made beforehand so that the write doesn&#8217;t bleed into another process&#8217;s data.&#8221;<\/p>\n<p>The absence of this COW guard in rxgk_decrypt_skb means that data gets written to the memory of privileged processes or, depending on the exploit path, to the page cache of privileged files, such as \/etc\/shadow, \/etc\/sudoers, or a SUID binary, leading to local privilege escalation.<\/p>\n<p>DirtyDecrypt impacts only distributions with CONFIG_RXGK enabled, such as Fedora, Arch Linux, and openSUSE Tumbleweed. 
In containerized environments, worker nodes running a vulnerable version of Linux could provide a pathway to escape the pod.<\/p>\n<p>The vulnerability, per Zellic, is assessed to be a variant of Copy Fail (CVE-2026-31431), Dirty Frag aka Copy Fail 2 (CVE-2026-43284 and&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/dirtydecrypt-poc-released-for-linux.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability https:\/\/thehackernews.com\/2026\/05\/dirtydecrypt-poc-released-for-linux.html Publish Date: 2026-05-19 10:56:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":249533,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgecVdZ_vIxfMWdiQkn7dC_SCueSRLBHaU01aHrtW1lUsx3_5gwbM6fG5NyV-VUhnDxvolk_tzMNWgINg06cwjKL1xIeDIFMiFH56IUO_zwZwJqiLnMp-VJcIWFjhulk1AHnlZ_ETgH3vg6Q6SHS4Ae-teRmaLDY4XZhONjoz4MeKvQLyzJ_YdckL8lk3fe\/s1600\/linux-poc.jpg","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[99,90,31,97,89,71,98,57,27],"class_list":["post-249532","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-arch-linux","tag-cve","tag-exploit","tag-fedora","tag-flaw","tag-linux","tag-opensuse","tag-security","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/249532"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=249532"}],"version-history":[{"count":1,"href":"htt
ps:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/249532\/revisions"}],"predecessor-version":[{"id":249534,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/249532\/revisions\/249534"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/249533"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=249532"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=249532"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=249532"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}