DirtyDecrypt: Proof-of-Concept for Critical Linux Kernel Vulnerability Released

Bottom Line: The DirtyDecrypt exploit for CVE-2026-31635 is now public. The critical Linux kernel vulnerability enables local privilege escalation through missing copy-on-write protection and affects Fedora, Arch Linux, and openSUSE Tumbleweed with CONFIG_RXGK enabled.

A proof-of-concept exploit for the Linux kernel vulnerability CVE-2026-31635 is now publicly available. The security flaw enables local privilege escalation and affects distributions with CONFIG_RXGK enabled, including Fedora, Arch Linux, and openSUSE Tumbleweed.

The vulnerability known as DirtyDecrypt (also DirtyCBC) was discovered by security teams Zellic and V12 and reported on May 9, 2026. It results from missing copy-on-write protection in the rxgk_decrypt_skb() function, which decrypts incoming socket buffers upon receipt.

The core problem lies in improper handling of memory pages shared with the page cache of other processes. Normally, a copy-on-write mechanism protects such pages: upon writing, a private copy is automatically created to prevent data leaks. However, this protection is missing in rxgk_decrypt_skb(). This enables attackers to write data directly into the memory of privileged processes or into the page cache of privileged files such as /etc/shadow, /etc/sudoers, or SUID binaries, leading to privilege escalation.

The vulnerability (CVSS score: 7.5) is classified as a variant of several related flaws: Copy Fail (CVE-2026-31431), Dirty Frag (CVE-2026-43284 and CVE-2026-43500), and Fragnesia (CVE-2026-46300). In containerized environments, the vulnerability could provide a path to pod escape on vulnerable worker nodes. Public disclosure followed an embargo conflict when a merged patch was independently analyzed.
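An exposure check for the CONFIG_RXGK condition named above, added here as an example (it is not part of the original article or of any vendor tooling). The config file locations are assumptions about common distribution layouts, and an "enabled" result shows only that the rxgk code is built into the kernel, not whether the fix has been applied.

```shell
#!/bin/sh
# Added example: report whether a kernel build config enables CONFIG_RXGK.

# rxgk_state FILE -> prints one of: enabled, disabled, absent, unknown
#   enabled  : CONFIG_RXGK=y (or =m) is present
#   disabled : "# CONFIG_RXGK is not set" is present
#   absent   : the symbol does not appear (option not offered by this build)
#   unknown  : the config file could not be read
rxgk_state() {
    cfg=$1
    [ -r "$cfg" ] || { echo unknown; return 0; }
    case $cfg in
        *.gz) reader="gzip -dc" ;;   # e.g. /proc/config.gz
        *)    reader="cat" ;;
    esac
    $reader "$cfg" 2>/dev/null | awk '
        /^CONFIG_RXGK=[ym]$/         { s = "enabled" }
        /^# CONFIG_RXGK is not set$/ { s = "disabled" }
        END { print (s == "" ? "absent" : s) }'
}

# Locate the running kernel's config. These paths are assumed, common
# locations; a distribution may ship the config elsewhere or not at all.
running_kernel_config() {
    for f in "/boot/config-$(uname -r)" \
             /proc/config.gz \
             "/lib/modules/$(uname -r)/config"; do
        [ -r "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

cfg=$(running_kernel_config) || cfg=""
echo "CONFIG_RXGK on $(uname -r): $(rxgk_state "$cfg") (${cfg:-no config found})"
```

Hosts that report "enabled" are the ones to check against the distribution's kernel advisory for CVE-2026-31635.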
