{"id":250107,"date":"2026-05-20T04:11:00","date_gmt":"2026-05-20T08:11:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/20\/dirtydecrypt-poc-released-for-yet-another-linux-flaw\/"},"modified":"2026-05-20T04:35:10","modified_gmt":"2026-05-20T08:35:10","slug":"dirtydecrypt-poc-released-for-yet-another-linux-flaw","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/20\/dirtydecrypt-poc-released-for-yet-another-linux-flaw\/","title":{"rendered":"DirtyDecrypt: PoC Released for yet another Linux flaw"},"content":{"rendered":"<p><a href=\"https:\/\/securityaffairs.com\/192436\/uncategorized\/dirtydecrypt-poc-released-for-yet-another-linux-flaw.html\">DirtyDecrypt: PoC Released for yet another Linux flaw<\/a><\/p>\n<p><a href=\"https:\/\/securityaffairs.com\/192436\/uncategorized\/dirtydecrypt-poc-released-for-yet-another-linux-flaw.html\">https:\/\/securityaffairs.com\/192436\/uncategorized\/dirtydecrypt-poc-released-for-yet-another-linux-flaw.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-20 04:11:00<\/a><\/p>\n<p>Source Domain: <a href=\"securityaffairs.com\">securityaffairs.com<\/a><\/p>\n<p><h2>DirtyDecrypt: PoC Released for yet another Linux flaw<\/h2>\n<\/p>\n<p>\t\t\t\t\t\t\t<span> Pierluigi Paganini<\/span><br \/>\n\t\t\t\t\t\t\t<span><img decoding=\"async\" src=\"https:\/\/securityaffairs.com\/wp-content\/themes\/security_affairs\/images\/clock-icon.svg\" alt=\"\"\/> May 20, 2026<\/span><\/p>\n<p>\t\t\t\t\t\t<img decoding=\"async\" class=\"img-fluid mb-4\" src=\"https:\/\/i0.wp.com\/securityaffairs.com\/wp-content\/uploads\/2015\/11\/Linux-ransomware-encoder1.jpg?fit=620%2C413&#038;ssl=1\" alt=\"\"\/><\/p>\n<h2 class=\"wp-block-heading\">DirtyDecrypt (CVE-2026-31635): working PoC out for a Linux kernel LPE flaw. 
Missing COW guard in rxgk_decrypt_skb lets local attackers reach root.<\/h2>\n<p>After Copy Fail, Dirty Frag, and Fragnesia, here comes DirtyDecrypt, another local privilege escalation vulnerability in the kernel, this time with a working proof-of-concept already out in the open.<\/p>\n<p>The flaw was discovered and reported on May 9, 2026 by the Zellic and V12 security team. Kernel maintainers then told them that it was a duplicate of something already fixed upstream. No CVE was assigned directly to their report, but the National Vulnerability Database includes a link to the DirtyDecrypt PoC in the record for CVE-2026-31635 (CVSS 7.5), making the connection clear enough. The exploit code is publicly available on GitHub.<\/p>\n<p>\u201cDirtyDecrypt, also known as DirtyCBC, is a variant of CopyFail \/ DirtyFrag \/ Fragnesia. We found and reported this on\u00a0May 9, 2026, but were informed it was a duplicate by the maintainers. We\u2019re releasing it now since it\u2019s patched on mainline.\u201d reads the PoC description. \u201cIt\u2019s a rxgk pagecache write due to missing COW guard in rxgk_decrypt_skb. See\u00a0poc.c\u00a0for more details.\u201d<\/p>\n<p>The vulnerability resides in rxgk_decrypt_skb(), the function responsible for decrypting incoming socket buffers in the rxgk subsystem. The core issue is a missing copy-on-write (COW) guard, the mechanism the kernel uses to prevent writes to shared memory pages from bleeding into other processes\u2019 data.<\/p>\n<p>\u201cThe specific fault sits in\u00a0rxgk_decrypt_skb(), the function that decrypts an incoming\u00a0sk_buff\u00a0(socket buffer) on the receive side. 
In this code path the kernel handles memory pages that are partly shared with the page cache of other processes \u2014 a normal Linux optimisation protected by copy-on-write: as soon as a write to a&#8230;<\/p>\n<p><a href=\"https:\/\/securityaffairs.com\/192436\/uncategorized\/dirtydecrypt-poc-released-for-yet-another-linux-flaw.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>DirtyDecrypt: PoC Released for yet another Linux flaw https:\/\/securityaffairs.com\/192436\/uncategorized\/dirtydecrypt-poc-released-for-yet-another-linux-flaw.html Publish Date: 2026-05-20 04:11:00 Source Domain:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":250109,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/securityaffairs.com\/wp-content\/uploads\/2015\/11\/Linux-ransomware-encoder1.jpg","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[90,31,89,71,57,27],"class_list":["post-250107","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-cve","tag-exploit","tag-flaw","tag-linux","tag-security","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/250107"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=250107"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/250107\/revisions"}],"predecessor-version":[{"id":250110,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/250107\/revisions\/250110"}],"wp:featuredmedia":[{"embeddable":true,"hre
f":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/250109"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=250107"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=250107"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=250107"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}