{"id":249839,"date":"2026-05-19T13:29:00","date_gmt":"2026-05-19T17:29:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/19\/dirtydecrypt-linux-kernel-vulnerability-poc-exploit-code-released\/"},"modified":"2026-05-19T18:15:10","modified_gmt":"2026-05-19T22:15:10","slug":"dirtydecrypt-linux-kernel-vulnerability-poc-exploit-code-released","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/19\/dirtydecrypt-linux-kernel-vulnerability-poc-exploit-code-released\/","title":{"rendered":"DirtyDecrypt Linux Kernel Vulnerability PoC Exploit Code Released"},"content":{"rendered":"<p><a href=\"https:\/\/cybersecuritynews.com\/dirtydecrypt-linux-kernel-vulnerability\/\">DirtyDecrypt Linux Kernel Vulnerability PoC Exploit Code Released<\/a><\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/dirtydecrypt-linux-kernel-vulnerability\/\">https:\/\/cybersecuritynews.com\/dirtydecrypt-linux-kernel-vulnerability\/<\/a><\/p>\n<p>Publish Date: 2026-05-19 13:29:00<\/p>\n<p>Source Domain: <a href=\"cybersecuritynews.com\">cybersecuritynews.com<\/a><\/p>\n<p>A working proof-of-concept (PoC) exploit for a high-severity Linux kernel local privilege escalation vulnerability dubbed DirtyDecrypt, also tracked as DirtyCBC, enables local attackers to gain full root access on affected systems.<\/p>\n<p>Security analyst Will Dormann technically attributes the flaw to CVE-2026-31635, a patch for which was quietly merged upstream on April 25, 2026.<\/p>\n<p>DirtyDecrypt resides in the rxgk_decrypt_skb() function within the Linux kernel\u2019s RxGK subsystem, the GSS-API-based security layer for RxRPC, the network transport used by the Andrew File System (AFS) client.<\/p>\n<p>Moselwal said that the root cause is a missing copy-on-write (COW) guard: when decrypting an incoming socket buffer (sk_buff), the kernel writes 
directly to a shared page-cache page without first creating a private copy.<\/p>\n<p>This unguarded write lands in memory belonging to privileged processes or in the page cache of privileged files, including \/etc\/shadow, \/etc\/sudoers, or SUID binaries \u2014 allowing a local unprivileged user to corrupt and ultimately overwrite those pages to achieve root.<\/p>\n<p>V12 described their finding as \u201crxgk pagecache write due to missing COW guard in rxgk_decrypt_skb\u201d and reported it to kernel maintainers on May 9, 2026, only to be told it was a duplicate of an already-patched internal issue.<\/p>\n<h2 class=\"wp-block-heading\" id=\"affected-distributions-and-scope\"><strong>DirtyDecrypt Affected Distributions<\/strong><\/h2>\n<p>Exploitation requires a Linux kernel compiled with CONFIG_RXGK=y or CONFIG_RXGK=m. In practice, this affects rolling-release distributions that track upstream kernel development closely:<\/p>\n<ul class=\"wp-block-list\">\n<li>Fedora (including Rawhide and Workstation, pre-patch)<\/li>\n<li>Arch Linux (before pacman -Syu)<\/li>\n<li>openSUSE Tumbleweed (before zypper dup)<\/li>\n<li>Systems using mainline kernel PPAs or ELRepo kernel-ml on RHEL\/CentOS Stream<\/li>\n<\/ul>\n<p>Stable enterprise distributions \u2014 Debian Stable, RHEL 8\/9, and Ubuntu LTS \u2014 ship with RxGK disabled and are generally not affected by default. 
Administrators can verify exposure by running:<\/p>\n<p>bashzcat&#8230;<br \/>\n<br \/><a href=\"https:\/\/cybersecuritynews.com\/dirtydecrypt-linux-kernel-vulnerability\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>DirtyDecrypt Linux Kernel Vulnerability PoC Exploit Code Released https:\/\/cybersecuritynews.com\/dirtydecrypt-linux-kernel-vulnerability\/ Publish Date: 2026-05-19 13:29:00 Source Domain:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":249841,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"http:\/\/cybersecuritynews.com\/wp-content\/uploads\/2026\/05\/DirtyDecrypt-Linux-Kernel-Vulnerability.webp","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[99,144,90,91,31,97,89,71,98,57,79,27],"class_list":["post-249839","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-arch-linux","tag-centos","tag-cve","tag-debian","tag-exploit","tag-fedora","tag-flaw","tag-linux","tag-opensuse","tag-security","tag-ubuntu","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/249839"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=249839"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/249839\/revisions"}],"predecessor-version":[{"id":249843,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/249839\/revisions\/249843"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/249
841"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=249839"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=249839"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=249839"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}