CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 19, 2026

DirtyDecrypt Linux Kernel Vulnerability PoC Exploit Code Released

Cybersecurity News Archived May 19, 2026 ✓ Full text saved

A working proof-of-concept (PoC) exploit for a high-severity Linux kernel local privilege escalation vulnerability dubbed DirtyDecrypt, also tracked as DirtyCBC, enables local attackers to gain full root access on affected systems. Security analyst Will Dormann technically attributes the flaw to CVE-2026-31635, a patch for which was quietly merged upstream on April 25, 2026. DirtyDecrypt resides in the […] The post DirtyDecrypt Linux Kernel Vulnerability PoC Exploit Code Released appeared first

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News DirtyDecrypt Linux Kernel Vulnerability PoC Exploit Code Released By Guru Baran May 19, 2026 A working proof-of-concept (PoC) exploit for a high-severity Linux kernel local privilege escalation vulnerability dubbed DirtyDecrypt, also tracked as DirtyCBC, enables local attackers to gain full root access on affected systems. Security analyst Will Dormann technically attributes the flaw to CVE-2026-31635, a patch for which was quietly merged upstream on April 25, 2026. DirtyDecrypt resides in the rxgk_decrypt_skb() function within the Linux kernel’s RxGK subsystem, the GSS-API-based security layer for RxRPC, the network transport used by the Andrew File System (AFS) client. Moselwal said that the root cause is a missing copy-on-write (COW) guard: when decrypting an incoming socket buffer (sk_buff), the kernel writes directly to a shared page-cache page without first creating a private copy. This unguarded write lands in memory belonging to privileged processes or in the page cache of privileged files, including /etc/shadow, /etc/sudoers, or SUID binaries — allowing a local unprivileged user to corrupt and ultimately overwrite those pages to achieve root. V12 described their finding as “rxgk pagecache write due to missing COW guard in rxgk_decrypt_skb” and reported it to kernel maintainers on May 9, 2026, only to be told it was a duplicate of an already-patched internal issue. DirtyDecrypt Affected Distributions Exploitation requires a Linux kernel compiled with CONFIG_RXGK=y or CONFIG_RXGK=m. In practice, this affects rolling-release distributions that track upstream kernel development closely: Fedora (including Rawhide and Workstation, pre-patch) Arch Linux (before pacman -Syu) openSUSE Tumbleweed (before zypper dup) Systems using mainline kernel PPAs or ELRepo kernel-ml on RHEL/CentOS Stream Stable enterprise distributions — Debian Stable, RHEL 8/9, and Ubuntu LTS — ship with RxGK disabled and are generally not affected by default. Administrators can verify exposure by running: bashzcat /proc/config.gz | grep RXGK The operational threat escalates significantly in container environments. On a Kubernetes worker node running a rolling-release kernel, a successful DirtyDecrypt exploitation chains into a full container escape: local root on the host grants access to every pod, every container runtime socket, and every Kubernetes secret mounted on that node, Moselwal added. Developer workstations on Fedora or Arch commonly holding active kubectl contexts, AWS production profiles, and SSH keys represent the highest-risk targets in enterprise settings. DirtyDecrypt is the fourth Linux kernel LPE in the same XFRM/ESP/rxgk attack surface within three weeks, belonging to the same vulnerability class as the actively exploited Copy Fail family. Mitigations The primary remediation is pulling the kernel update containing the April 25 upstream patch: bash# Fedora sudo dnf upgrade --refresh kernel kernel-core kernel-modules && sudo systemctl reboot # Arch Linux sudo pacman -Syu linux linux-headers && sudo systemctl reboot # openSUSE Tumbleweed sudo zypper dup && sudo systemctl reboot For systems where patching is not immediately possible, blacklisting the rxrpc, esp4, and esp6 kernel modules provides a temporary workaround — though this will break IPsec VPN connections and AFS mounts. Kubernetes operators should rebuild worker node images with the patched kernel and enforce pod security standards (restricted profile) cluster-wide, ensuring allowPrivilegeEscalation: false is set as a default across all workloads. Linux users on Fedora, Arch, and openSUSE Tumbleweed should treat this as an immediate priority given the availability of public PoC code and the established exploitation precedent set by the closely related Copy Fail vulnerability. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news vulnerability Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News Microsoft Confirms Windows 11 Update Fails With Error 0x800f0922 Critical WordPress Plugin Vulnerability Exposes Websites to Authentication Bypass Attacks Google Enhances Android Mobile Security with New AI-Powered Protections VMware Fusion Vulnerability Let Attackers Escalate Privilege to Root Google Project Zero Discloses Zero-Click Exploit Chain for Pixel 10 Devices Latest News ANY.RUN 3 Tactics Elite SOCs Use to Operationalize Threat Intelligence Cyber Security News Operation Ramz Seizes 53 Servers Linked to Cyber Scams and Malware Threats Cyber Security News Critical PostgreSQL Vulnerabilities Enables Code Execution and SQL Injections Press Release Two-Thirds of Nonhuman Accounts Are Unseen and Unmanaged, According to Orchid Security’s Identity Gap Report Cyber Security 600+ npm Packages Compromised in New Mini Shai-Hulud Supply Chain Attack
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 19, 2026
    Archived
    May 19, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗