DirtyDecrypt Linux Kernel Vulnerability PoC Exploit Code Released
Cybersecurity NewsArchived May 19, 2026✓ Full text saved
A working proof-of-concept (PoC) exploit for a high-severity Linux kernel local privilege escalation vulnerability dubbed DirtyDecrypt, also tracked as DirtyCBC, enables local attackers to gain full root access on affected systems. Security analyst Will Dormann technically attributes the flaw to CVE-2026-31635, a patch for which was quietly merged upstream on April 25, 2026. DirtyDecrypt resides in the […] The post DirtyDecrypt Linux Kernel Vulnerability PoC Exploit Code Released appeared first
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
DirtyDecrypt Linux Kernel Vulnerability PoC Exploit Code Released
By Guru Baran
May 19, 2026
A working proof-of-concept (PoC) exploit for a high-severity Linux kernel local privilege escalation vulnerability dubbed DirtyDecrypt, also tracked as DirtyCBC, enables local attackers to gain full root access on affected systems.
Security analyst Will Dormann technically attributes the flaw to CVE-2026-31635, a patch for which was quietly merged upstream on April 25, 2026.
DirtyDecrypt resides in the rxgk_decrypt_skb() function within the Linux kernel’s RxGK subsystem, the GSS-API-based security layer for RxRPC, the network transport used by the Andrew File System (AFS) client.
Moselwal said that the root cause is a missing copy-on-write (COW) guard: when decrypting an incoming socket buffer (sk_buff), the kernel writes directly to a shared page-cache page without first creating a private copy.
This unguarded write lands in memory belonging to privileged processes or in the page cache of privileged files, including /etc/shadow, /etc/sudoers, or SUID binaries — allowing a local unprivileged user to corrupt and ultimately overwrite those pages to achieve root.
V12 described their finding as “rxgk pagecache write due to missing COW guard in rxgk_decrypt_skb” and reported it to kernel maintainers on May 9, 2026, only to be told it was a duplicate of an already-patched internal issue.
DirtyDecrypt Affected Distributions
Exploitation requires a Linux kernel compiled with CONFIG_RXGK=y or CONFIG_RXGK=m. In practice, this affects rolling-release distributions that track upstream kernel development closely:
Fedora (including Rawhide and Workstation, pre-patch)
Arch Linux (before pacman -Syu)
openSUSE Tumbleweed (before zypper dup)
Systems using mainline kernel PPAs or ELRepo kernel-ml on RHEL/CentOS Stream
Stable enterprise distributions — Debian Stable, RHEL 8/9, and Ubuntu LTS — ship with RxGK disabled and are generally not affected by default. Administrators can verify exposure by running:
bashzcat /proc/config.gz | grep RXGK
The operational threat escalates significantly in container environments. On a Kubernetes worker node running a rolling-release kernel, a successful DirtyDecrypt exploitation chains into a full container escape: local root on the host grants access to every pod, every container runtime socket, and every Kubernetes secret mounted on that node, Moselwal added.
Developer workstations on Fedora or Arch commonly holding active kubectl contexts, AWS production profiles, and SSH keys represent the highest-risk targets in enterprise settings.
DirtyDecrypt is the fourth Linux kernel LPE in the same XFRM/ESP/rxgk attack surface within three weeks, belonging to the same vulnerability class as the actively exploited Copy Fail family.
Mitigations
The primary remediation is pulling the kernel update containing the April 25 upstream patch:
bash# Fedora
sudo dnf upgrade --refresh kernel kernel-core kernel-modules && sudo systemctl reboot
# Arch Linux
sudo pacman -Syu linux linux-headers && sudo systemctl reboot
# openSUSE Tumbleweed
sudo zypper dup && sudo systemctl reboot
For systems where patching is not immediately possible, blacklisting the rxrpc, esp4, and esp6 kernel modules provides a temporary workaround — though this will break IPsec VPN connections and AFS mounts.
Kubernetes operators should rebuild worker node images with the patched kernel and enforce pod security standards (restricted profile) cluster-wide, ensuring allowPrivilegeEscalation: false is set as a default across all workloads.
Linux users on Fedora, Arch, and openSUSE Tumbleweed should treat this as an immediate priority given the availability of public PoC code and the established exploitation precedent set by the closely related Copy Fail vulnerability.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
vulnerability
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
Trending News
Microsoft Confirms Windows 11 Update Fails With Error 0x800f0922
Critical WordPress Plugin Vulnerability Exposes Websites to Authentication Bypass Attacks
Google Enhances Android Mobile Security with New AI-Powered Protections
VMware Fusion Vulnerability Let Attackers Escalate Privilege to Root
Google Project Zero Discloses Zero-Click Exploit Chain for Pixel 10 Devices
Latest News
ANY.RUN
3 Tactics Elite SOCs Use to Operationalize Threat Intelligence
Cyber Security News
Operation Ramz Seizes 53 Servers Linked to Cyber Scams and Malware Threats
Cyber Security News
Critical PostgreSQL Vulnerabilities Enables Code Execution and SQL Injections
Press Release
Two-Thirds of Nonhuman Accounts Are Unseen and Unmanaged, According to Orchid Security’s Identity Gap Report
Cyber Security
600+ npm Packages Compromised in New Mini Shai-Hulud Supply Chain Attack