Bottom Line: A working exploit now exists for the Linux vulnerability DirtyDecrypt (CVE-2026-31635), primarily affecting distributions like Fedora, Arch Linux, and openSUSE Tumbleweed; users should install kernel updates.
A working exploit is now available for a recently patched security vulnerability in the Linux kernel’s rxgk module that lets attackers gain root access on vulnerable Linux systems. The DirtyDecrypt vulnerability was already patched in April.
The local privilege escalation vulnerability known as DirtyDecrypt or DirtyCBC has already been patched by kernel developers, but a working proof-of-concept exploit is now in circulation. The V12 security team discovered and reported the flaw on May 9, 2026, but learned it was a duplicate of an issue already fixed in the mainline. The vulnerability, a missing copy-on-write safeguard in the rxgk_decrypt_skb function, is tracked as CVE-2026-31635 and was patched on April 25.
The vulnerability affects Linux distributions that enable the CONFIG_RXGK configuration option, which provides RxGK security support for the Andrew File System (AFS). This primarily impacts distributions that closely track the latest upstream kernel versions, such as Fedora, Arch Linux, and openSUSE Tumbleweed. The exploit has so far only been tested against Fedora and the mainline kernel.
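To see whether a given host falls into the affected group, the following added example (not code from the article or from the kernel project) reads the running kernel's build configuration and reports the state of CONFIG_RXGK. The function names are hypothetical and the file locations are the common ones assumed here; a result of "enabled" only means the rxgk code is compiled in, not that the kernel lacks the fix.

```shell
#!/bin/sh
# Added example: report whether the running kernel was built with CONFIG_RXGK,
# the option the article names as the precondition for DirtyDecrypt exposure.

# Classify CONFIG_RXGK from kernel config text on stdin.
# Prints one of: enabled | disabled | absent
rxgk_state() {
    awk '
        /^CONFIG_RXGK=[ym]$/         { s = "enabled" }
        /^# CONFIG_RXGK is not set$/ { s = "disabled" }
        END { print (s == "" ? "absent" : s) }
    '
}

# Print the running kernel's build config from the usual locations
# (assumed paths; distributions differ). Non-zero status if none is readable.
kernel_config() {
    rel=$(uname -r)
    for f in "/boot/config-$rel" "/lib/modules/$rel/config" \
             "/usr/lib/modules/$rel/config"; do
        if [ -r "$f" ]; then cat "$f"; return 0; fi
    done
    if [ -r /proc/config.gz ]; then gzip -dc /proc/config.gz; return 0; fi
    return 1
}

# Exit status: 0 = option not enabled, 1 = enabled, 2 = config not found.
check_rxgk() {
    cfg=$(kernel_config) || { echo "unknown: no kernel config found"; return 2; }
    state=$(printf '%s\n' "$cfg" | rxgk_state)
    echo "kernel $(uname -r): CONFIG_RXGK $state"
    if [ "$state" = "enabled" ]; then return 1; fi
    return 0
}

# Only inspect the live system when asked to, so the file can also be sourced.
case "${1:-}" in
    --check) check_rxgk ;;
esac
```

Run it with the --check argument on each host; "absent" means the option does not appear in the build configuration at all, while "disabled" means it was explicitly switched off.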
DirtyDecrypt belongs to the same vulnerability class as other recently disclosed root escalation flaws such as Dirty Frag, Fragnesia, and Copy Fail. Linux users on potentially affected distributions should install kernel updates immediately. As a temporary mitigation, the same measures as those for Dirty Frag can be applied, though this will impact IPsec VPNs and AFS network file systems.
Particularly concerning is the active exploitation of the Copy Fail vulnerability by attackers in the wild. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged federal agencies to secure their Linux systems by May 15.