top of page

DirtyDecrypt: PoC Exploit Released for Linux Kernel LPE Vulnerability

  • May 20
  • 3 min read

Key Findings


  • DirtyDecrypt (CVE-2026-31635, CVSS 7.5) is a Linux kernel local privilege escalation vulnerability with working proof-of-concept code now publicly available on GitHub

  • The flaw stems from a missing copy-on-write guard in the rxgk_decrypt_skb() function, allowing attackers to write data directly to privileged process memory or sensitive files like /etc/shadow and /etc/sudoers

  • Only distributions with CONFIG_RXGK enabled are affected, including Fedora, Arch Linux, and openSUSE Tumbleweed; standard Ubuntu and Debian installations are not vulnerable

  • DirtyDecrypt is part of a family of related page cache write vulnerabilities discovered in recent weeks, including Copy Fail, Dirty Frag, and Fragnesia

  • Container environments face heightened risk, as compromised worker nodes could enable pod escape attacks

  • Patches are already available in mainline kernel, and major Linux distributions have released advisories


Background


DirtyDecrypt emerged from research by the Zellic and V12 security teams, who discovered and reported the vulnerability on May 9, 2026. Kernel maintainers initially dismissed it as a duplicate of an already-patched upstream issue, which is why no direct CVE was assigned to the original report. However, the National Vulnerability Database linked the publicly available proof-of-concept to CVE-2026-31635, establishing the connection. The researchers decided to release the exploit code publicly since patches were already merged into the mainline kernel.


Technical Details


The vulnerability exists in rxgk_decrypt_skb(), a function responsible for decrypting incoming socket buffers in the rxgk subsystem. Linux normally protects shared memory pages using copy-on-write mechanisms, which create private copies before any write operations occur, preventing data from bleeding between processes. In rxgk_decrypt_skb(), this guard is completely absent.


When decryption writes occur, they bypass this protection and go directly to shared page-cache pages. An attacker can exploit this to write data into memory belonging to privileged processes or directly into the page cache of sensitive system files. Depending on the exploit path, attackers could modify /etc/shadow, /etc/sudoers, or SUID binaries, ultimately achieving root-level access.


Affected Systems


DirtyDecrypt does not impact all Linux installations. The vulnerability only surfaces on distributions that compile their kernel with CONFIG_RXGK enabled. This includes Fedora, Arch Linux, and openSUSE Tumbleweed. Standard Ubuntu and Debian installations use different configurations and remain unaffected.


A notable concern exists for containerized environments. In Kubernetes deployments, a vulnerable worker node running an affected distribution could provide a pathway for pod escape, transforming a local privilege escalation into a much more serious container breakout scenario.


Related Vulnerabilities


DirtyDecrypt is part of a broader cluster of related flaws that all exploit the same underlying page cache write primitive. Copy Fail (CVE-2026-31431) was disclosed first on April 29 by Theori researchers, targeting the AF_ALG cryptographic socket interface. Dirty Frag (CVE-2026-43284 and CVE-2026-43500) followed a week later, extending the attack class with two separate page cache write primitives.


The disclosure of Dirty Frag encountered complications when an agreed embargo collapsed after patches were merged into the public repository on May 5. An independent researcher, unaware of the embargo, analyzed the commits and published details, accelerating the timeline significantly. Fragnesia (CVE-2026-46300) rounded out the family by bringing the same attack methodology to the XFRM ESP-in-TCP subsystem.


Broader Security Landscape


These vulnerabilities arrived amid an already eventful period for Linux security. Pack2TheRoot (CVE-2026-41651, CVSS 8.8) is a local privilege escalation flaw in the PackageKit daemon used across multiple distributions. Additionally, ssh-keysign-pwn (CVE-2026-46333, CVSS 5.5) represents an improper privilege management issue allowing unprivileged users to read root-owned SSH private keys.


While ssh-keysign-pwn is not remotely exploitable on its own, it becomes dangerous in multi-user environments or partially compromised systems where it can serve as a critical component of a larger attack chain. Major distributions including AlmaLinux, Amazon Linux, CloudLinux, Fedora, Gentoo, Red Hat, SUSE, and Ubuntu have already released patches and advisories.


Recommendations


System administrators managing Linux infrastructure should immediately determine whether their systems have CONFIG_RXGK enabled. Those running affected distributions like Fedora, Arch Linux, or openSUSE Tumbleweed should prioritize applying available patches. Organizations operating Kubernetes clusters should particularly scrutinize their worker node configurations to prevent potential pod escape scenarios.


Sources


  • https://securityaffairs.com/192436/uncategorized/dirtydecrypt-poc-released-for-yet-another-linux-flaw.html

  • https://thehackernews.com/2026/05/dirtydecrypt-poc-released-for-linux.html

  • https://gbhackers.com/poc-exploit-dirtydecrypt-linux-kernel-vulnerability/

  • https://www.securityweek.com/poc-released-for-dirtydecrypt-linux-kernel-vulnerability/

  • https://www.bleepingcomputer.com/news/security/exploit-available-for-new-dirtydecrypt-linux-root-escalation-flaw/amp/

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page