{"id":250178,"date":"2026-05-20T02:48:00","date_gmt":"2026-05-20T06:48:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/20\/poc-exploit-released-for-dirtydecrypt-linux-kernel-vulnerability\/"},"modified":"2026-05-20T06:00:09","modified_gmt":"2026-05-20T10:00:09","slug":"poc-exploit-released-for-dirtydecrypt-linux-kernel-vulnerability","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/20\/poc-exploit-released-for-dirtydecrypt-linux-kernel-vulnerability\/","title":{"rendered":"PoC Exploit Released for DirtyDecrypt Linux Kernel Vulnerability"},"content":{"rendered":"<p><a href=\"https:\/\/gbhackers.com\/poc-exploit-dirtydecrypt-linux-kernel-vulnerability\/\">PoC Exploit Released for DirtyDecrypt Linux Kernel Vulnerability<\/a><\/p>\n<p><a href=\"https:\/\/gbhackers.com\/poc-exploit-dirtydecrypt-linux-kernel-vulnerability\/\">https:\/\/gbhackers.com\/poc-exploit-dirtydecrypt-linux-kernel-vulnerability\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-20 02:48:00<\/a><\/p>\n<p>Source Domain: <a href=\"gbhackers.com\">gbhackers.com<\/a><\/p>\n<p>PoC exploit code for the DirtyDecrypt (DirtyCBC) Linux kernel vulnerability has been released publicly, turning a previously theoretical local privilege escalation into a practical, copy\u2011paste exploit path to root on specific Linux distributions.<\/p>\n<p>DirtyDecrypt (also called\u00a0DirtyCBC) is a local privilege escalation (LPE) in the Linux kernel\u2019s RxGK security layer for the RxRPC transport used by the Andrew File System (AFS). <\/p>\n<p>The issue is currently associated with CVE\u20112026\u201131635 because the NVD entry links directly to the public PoC, even though the original CVE text describes a related denial\u2011of\u2011service bug in the same code path.<\/p>\n<p>The bug lives in\u00a0rxgk_decrypt_skb(), where the kernel decrypts incoming RxGK RESPONSE tokens over\u00a0sk_buff\u00a0data that may alias page\u2011cache pages supplied via\u00a0MSG_SPLICE_PAGES. <\/p>\n<p>Because the code decrypts\u00a0before\u00a0verifying the MAC and lacks a proper copy\u2011on\u2011write guard, those decrypted bytes can be written directly into page\u2011cache pages belonging to other processes or to privileged files such as\u00a0\/etc\/shadow\u00a0or SUID binaries.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-poc-exploit-for-dirtydecrypt\"><strong>PoC Exploit for DirtyDecrypt<\/strong><\/h2>\n<p>The Zellic and V12 security team, led by Luna Tong (cts\/gf_256), has released a working PoC that exploits this page\u2011cache write primitive to achieve full root on affected systems. The exploit drives the RESPONSE\u2011packet path\u00a0rxgk_verify_response()\u00a0\u2192\u00a0rxgk_extract_token()\u00a0\u2192\u00a0rxgk_decrypt_skb()\u00a0\u2192\u00a0skb_to_sgvec()\u00a0\u2192\u00a0crypto_krb5_decrypt(), forcing the kernel to decrypt attacker\u2011controlled ciphertext into aliased page\u2011cache pages.<\/p>\n<p>Delphos Labs\u2019 primary analysis shows that the attack combines decrypt\u2011before\u2011MAC semantics with an AES\u2011CBC chosen\u2011plaintext construction using an attacker\u2011controlled key on the server side. <\/p>\n<p>In practice, the PoC poisons the page cache of a readable SUID\u2011root binary and then executes it, giving the attacker root without a brute\u2011force component or a race on copy\u2011on\u2011write.<\/p>\n<p id=\"h-affected-systems-and-configurations\"><strong>Affected&#8230;<\/strong><\/p>\n<p><a href=\"https:\/\/gbhackers.com\/poc-exploit-dirtydecrypt-linux-kernel-vulnerability\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>PoC Exploit Released for DirtyDecrypt Linux Kernel Vulnerability https:\/\/gbhackers.com\/poc-exploit-dirtydecrypt-linux-kernel-vulnerability\/ Publish Date: 2026-05-20 02:48:00 Source Domain:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":250180,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/gbhackers.com\/wp-content\/uploads\/2026\/05\/PoC-Exploit-Released-for-DirtyDecrypt-Linux-Kernel-Vulnerability-1.webp","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[90,31,71,57,27],"class_list":["post-250178","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-cve","tag-exploit","tag-linux","tag-security","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/250178"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=250178"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/250178\/revisions"}],"predecessor-version":[{"id":250181,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/250178\/revisions\/250181"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/250180"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=250178"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=250178"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=250178"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}