DirtyDecrypt: PoC Exploit Code Released for Linux Kernel Privilege Escalation Vulnerability
A working proof-of-concept (PoC) exploit for a high-severity Linux kernel local privilege escalation vulnerability is now available. This exploit, dubbed DirtyDecrypt (also tracked as DirtyCBC), enables local attackers to gain full root access on affected systems.
Security analyst Will Dormann attributes the flaw to CVE-2026-31635, a patch for which was quietly merged upstream on April 25, 2026.
DirtyDecrypt resides in the rxgk_decrypt_skb() function within the Linux kernel’s RxGK subsystem, the GSS-API-based security layer for RxRPC, the network transport used by the Andrew File System (AFS) client.
Moselwal said that the root cause is a missing copy-on-write (COW) guard: when decrypting an incoming socket buffer (sk_buff), the kernel writes the decrypted data directly into a shared page-cache page instead of first creating a private copy.
Because the page is shared, the unguarded write lands in memory belonging to privileged processes or in the cached pages of privileged files such as /etc/shadow, /etc/sudoers, or SUID binaries, letting a local unprivileged user corrupt and ultimately overwrite those pages to obtain root.
V12 described their finding as “rxgk pagecache write due to missing COW guard in rxgk_decrypt_skb” and reported it to kernel maintainers on May 9, 2026, only to be told it was a duplicate of an already-patched internal issue.
DirtyDecrypt Affected Distributions
Exploitation requires a Linux kernel compiled with CONFIG_RXGK=y or CONFIG_RXGK=m. In practice, this affects rolling-release distributions that track upstream kernel development closely:
- Fedora (including Rawhide and Workstation, pre-patch)
- Arch Linux (before `pacman -Syu`)
- openSUSE Tumbleweed (before `zypper dup`)
- Systems using mainline kernel PPAs or ELRepo `kernel-ml` on RHEL/CentOS Stream
Stable enterprise distributions — Debian Stable, RHEL 8/9, and Ubuntu LTS — ship with RxGK disabled and are generally not affected by default. Administrators can verify exposure on the running kernel with:

```bash
zcat /proc/config.gz | grep RXGK
```

/proc/config.gz exists only when the kernel was built with CONFIG_IKCONFIG_PROC; on distributions that omit it, grep the distribution's copy of the config at /boot/config-$(uname -r) instead. `CONFIG_RXGK=y` or `CONFIG_RXGK=m` means the code is present; `# CONFIG_RXGK is not set` means it is not.
The operational threat escalates significantly in container environments. On a Kubernetes worker node running a rolling-release kernel, a successful DirtyDecrypt exploit from inside a pod becomes a full container escape: local root on the host grants access to every pod, every container runtime socket, and every Kubernetes secret mounted on that node, Moselwal added.
Developer workstations running Fedora or Arch, which commonly hold active kubectl contexts, AWS production profiles, and SSH keys, are the highest-risk targets in enterprise settings.
DirtyDecrypt is the fourth Linux kernel LPE in the same XFRM/ESP/rxgk attack surface within three weeks, belonging to the same vulnerability class as the actively exploited Copy Fail family.
Mitigations
The primary remediation is pulling the kernel update containing the April 25 upstream patch:

```bash
# Fedora
sudo dnf upgrade --refresh kernel kernel-core kernel-modules && sudo systemctl reboot

# Arch Linux
sudo pacman -Syu linux linux-headers && sudo systemctl reboot

# openSUSE Tumbleweed
sudo zypper dup && sudo systemctl reboot
```
For systems where patching is not immediately possible, blacklisting the rxrpc, esp4, and esp6 kernel modules provides a temporary workaround, though this will break IPsec VPN connections and AFS mounts. The workaround only helps where the code is built as a loadable module (CONFIG_RXGK=m); a kernel with it compiled in (CONFIG_RXGK=y) can only be fixed by installing the patched kernel.
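The following POSIX shell script is an added example written for this article; it is not code from the article, from Dormann, Moselwal or V12, or from any kernel or distribution project. It ties together the exposure check from the previous section and the module workaround above: it classifies the running kernel's CONFIG_RXGK setting, and for module builds writes a modprobe rule that both blacklists the modules and refuses explicit loads. It assumes the standard kernel config locations, that the RxGK code is carried by the `rxrpc` module (so `rxrpc` is the module to block), that the AFS client module is named `kafs`, and that a file under /etc/modprobe.d is the right place for the rule; the file name `dirtydecrypt-workaround.conf` is my own choice. Inputs in the usage line are constructed for illustration.

```sh
#!/bin/sh
# Added example, not code from the article or from the researchers it cites.
# Assumptions (mine): CONFIG_RXGK lives in the usual kernel config locations,
# the RxGK code ships inside the rxrpc module, the AFS client module is kafs,
# and /etc/modprobe.d is where the workaround rule belongs.

# Classify a kernel config read from stdin: builtin | module | disabled | unknown.
rxgk_config_state() {
    awk '
        /^CONFIG_RXGK=y/            { s = "builtin" }
        /^CONFIG_RXGK=m/            { s = "module" }
        /^# CONFIG_RXGK is not set/ { s = "disabled" }
        END { print (s == "" ? "unknown" : s) }
    '
}

# Print the running kernel's config. /proc/config.gz exists only when the kernel
# was built with CONFIG_IKCONFIG_PROC; fall back to the distribution's /boot copy.
read_kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Return 0 if rxrpc is currently loaded (only meaningful for CONFIG_RXGK=m).
rxrpc_loaded() {
    [ -r /proc/modules ] && grep -q '^rxrpc ' /proc/modules
}

# Write the workaround into the given modprobe.d directory and print the file name.
# "blacklist" only stops alias-driven autoload (e.g. the first AF_RXRPC socket);
# "install <mod> /bin/false" also refuses explicit modprobe and dependency loads
# (kafs depends on rxrpc). esp4/esp6 are included because the article lists them
# as part of the same temporary workaround.
write_rxgk_workaround() {
    dir=${1:-/etc/modprobe.d}
    conf="$dir/dirtydecrypt-workaround.conf"
    {
        echo "# Temporary workaround until the patched kernel is installed."
        echo "# Breaks AFS mounts (rxrpc) and IPsec VPNs (esp4/esp6)."
        for m in rxrpc esp4 esp6; do
            echo "blacklist $m"
            echo "install $m /bin/false"
        done
    } > "$conf" || return 1
    echo "$conf"
}

# Unload the modules that are present; skips those not loaded. Needs root.
unload_rxgk_modules() {
    for m in kafs rxrpc esp4 esp6; do
        grep -q "^$m " /proc/modules 2>/dev/null && modprobe -r "$m"
    done
    return 0
}

# Print a one-line verdict. Returns 0 when the kernel is not exposed, 1 otherwise.
check_rxgk_exposure() {
    state=$(read_kernel_config 2>/dev/null | rxgk_config_state)
    case "$state" in
        disabled) echo "RxGK not built: not affected by default"; return 0 ;;
        builtin)  echo "CONFIG_RXGK=y: exposed; only the patched kernel helps"; return 1 ;;
        module)   if rxrpc_loaded; then
                      echo "CONFIG_RXGK=m and rxrpc is loaded: exposed"
                  else
                      echo "CONFIG_RXGK=m, rxrpc not loaded: apply the workaround"
                  fi
                  return 1 ;;
        *)        echo "kernel config not found: verify manually"; return 1 ;;
    esac
}

# Usage as root on a CONFIG_RXGK=m system:
#   check_rxgk_exposure || { write_rxgk_workaround && unload_rxgk_modules; }
# Constructed input for a dry run of the classifier alone:
#   printf 'CONFIG_AF_RXRPC=m\nCONFIG_RXGK=m\n' | rxgk_config_state
```

The distinction between `blacklist` and `install ... /bin/false` is the part worth keeping: `blacklist` alone still lets `modprobe rxrpc` (or loading `kafs`) bring the module back, whereas the `install` override refuses every load path. Neither does anything for a `=y` kernel, which the verdict line calls out.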
Kubernetes operators should rebuild worker node images with the patched kernel and enforce pod security standards (restricted profile) cluster-wide, ensuring allowPrivilegeEscalation: false is set as a default across all workloads. Those pod-level controls limit what a compromised container can do in user space; they do not stop a kernel exploit, so the patched node kernel remains the actual fix.
Linux users on Fedora, Arch, and openSUSE Tumbleweed should treat this as an immediate priority given the availability of public PoC code and the established exploitation precedent set by the closely related Copy Fail vulnerability.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.