{"id":250132,"date":"2026-05-20T04:13:00","date_gmt":"2026-05-20T08:13:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/20\/poc-code-published-for-dirtydecrypt-linux-kernel-flaw\/"},"modified":"2026-05-20T05:00:18","modified_gmt":"2026-05-20T09:00:18","slug":"poc-code-published-for-dirtydecrypt-linux-kernel-flaw","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/20\/poc-code-published-for-dirtydecrypt-linux-kernel-flaw\/","title":{"rendered":"PoC Code Published for DirtyDecrypt Linux Kernel Flaw"},"content":{"rendered":"<p><a href=\"https:\/\/cyberpress.org\/poc-code-dirtydecrypt-linux-kernel\/\">PoC Code Published for DirtyDecrypt Linux Kernel Flaw<\/a><\/p>\n<p><a href=\"https:\/\/cyberpress.org\/poc-code-dirtydecrypt-linux-kernel\/\">https:\/\/cyberpress.org\/poc-code-dirtydecrypt-linux-kernel\/<\/a><\/p>\n<p>Publish Date: 2026-05-20 04:13:00<\/p>\n<p>Source Domain: <a href=\"cyberpress.org\">cyberpress.org<\/a><\/p>\n<p>A working proof-of-concept exploit has been publicly released for DirtyDecrypt (DirtyCBC), a high-severity Linux kernel local privilege escalation vulnerability linked to CVE-2026-31635 that allows unprivileged local users to gain full root access on affected systems.<\/p>\n<p>The PoC was developed and published on May 18, 2026, by the\u00a0Zellic and V12 security team, who described the bug as \u201ca rxgk pagecache write due to missing COW [copy-on-write] guard in\u00a0rxgk_decrypt_skb.\u201d <\/p>\n<p>The exploit has been validated against Fedora and mainline Linux kernels, and the PoC code is hosted publicly on GitHub.<\/p>\n<p>DirtyDecrypt refers to a local privilege escalation (LPE) vulnerability residing in the Linux kernel\u2019s\u00a0RxGK subsystem, the GSS-API-based security layer for RxRPC, the network transport used by the Andrew File System (AFS) client. 
<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-poc-released-for-dirtydecrypt-linux-kernel\"><strong>PoC Released for DirtyDecrypt Linux Kernel<\/strong><\/h2>\n<p>The flaw sits specifically inside the\u00a0rxgk_decrypt_skb()\u00a0function, which handles decryption of incoming socket buffers (sk_buff) on the receive side.<\/p>\n<p>The root cause is a missing copy-on-write (COW) guard: when decrypting an incoming socket buffer, the kernel writes directly to a shared page-cache page without first creating a private copy, said Moselwal.<\/p>\n<p>Fedora Privilege Escalation Exploit (Source: Will Dormann)<\/p>\n<p>This unguarded write can land in memory belonging to privileged processes, or in the page cache of sensitive privileged files such as\u00a0\/etc\/shadow,\u00a0\/etc\/sudoers, or SUID binaries, allowing an unprivileged local attacker to corrupt those pages and achieve root.<\/p>\n<p>The more precise technical chain, per analysis by Delphos Labs, runs through\u00a0rxgk_verify_response()\u00a0\u2192\u00a0rxgk_extract_token()\u00a0\u2192\u00a0rxgk_decrypt_skb()\u00a0\u2192\u00a0skb_to_sgvec()\u00a0\u2192\u00a0crypto_krb5_decrypt(), with the actual exploit leveraging decrypt-before-MAC over\u00a0MSG_SPLICE_PAGES-aliased pages combined with an AES-CBC chosen-plaintext construction.<\/p>\n<p>The V12 team did not publicly assign a CVE at disclosure,&#8230;<\/p>\n<p><a href=\"https:\/\/cyberpress.org\/poc-code-dirtydecrypt-linux-kernel\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>PoC Code Published for DirtyDecrypt Linux Kernel Flaw https:\/\/cyberpress.org\/poc-code-dirtydecrypt-linux-kernel\/ Publish Date: 2026-05-20 04:13:00 Source 
Domain:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":250133,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/cyberpress.org\/wp-content\/uploads\/2026\/05\/poc-code-published-for-dirtydecrypt-linux-kernel-flaw-6a0d63be7a7df.webp","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[90,31,97,89,71,57,27],"class_list":["post-250132","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-cve","tag-exploit","tag-fedora","tag-flaw","tag-linux","tag-security","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/250132"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=250132"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/250132\/revisions"}],"predecessor-version":[{"id":250134,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/250132\/revisions\/250134"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/250133"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=250132"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=250132"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=250132"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}