VYPR
Published May 18, 2026 · 1 source

Exploit Available for New DirtyDecrypt Linux Root Escalation Flaw

A proof-of-concept exploit has been released for CVE-2026-1234, a local privilege escalation vulnerability in the Linux kernel's rxgk module that allows unprivileged attackers to gain root access.

A proof-of-concept exploit has been released for a newly disclosed local privilege escalation vulnerability in the Linux kernel, tracked as CVE-2026-1234 and dubbed DirtyDecrypt. The flaw resides in the kernel's rxgk module and allows an unprivileged attacker to gain full root access on affected systems. The exploit was published on GitHub by security researcher blasty, who demonstrated the attack on a default Ubuntu 24.04 installation running an unpatched kernel.

The vulnerability stems from a use-after-free bug in the rxgk module, which handles cryptographic operations for the kernel's RxRPC protocol. By triggering a race condition, an attacker can corrupt kernel memory and elevate privileges. The exploit leverages a technique similar to previous Dirty COW attacks, but targets a different kernel subsystem. The researcher noted that the exploit works reliably on systems with multiple CPU cores.

DirtyDecrypt affects Linux kernel versions prior to the fix, which was included in the 6.8.12, 6.9.3, and 6.10-rc1 releases. Major distributions including Ubuntu, Debian, Fedora, and RHEL have backported the patch to their supported kernels. However, many enterprise and embedded systems remain unpatched, particularly those running long-term support kernels that have not yet received the update.

The vulnerability was initially reported to the Linux kernel security team in April 2026 and patched in early May. The public release of the exploit now increases the urgency for administrators to apply updates. While the attack requires local access to the target system, it can be combined with other vulnerabilities or deployed via malware that has already achieved limited user access.

CISA has not yet added CVE-2026-1234 to its Known Exploited Vulnerabilities catalog, but the availability of a working exploit makes it a prime candidate for inclusion. Security firms are already reporting increased scanning activity targeting the flaw, though no widespread exploitation has been confirmed. The exploit's release also highlights the ongoing challenge of securing the Linux kernel against privilege escalation bugs, which remain a favored vector for attackers seeking full system control.

Administrators are strongly advised to apply the latest kernel updates from their distribution vendor and to restrict local access to trusted users. For systems that cannot be immediately patched, security modules such as SELinux or AppArmor can provide partial mitigation by limiting the capabilities available to unprivileged processes. The DirtyDecrypt exploit serves as a reminder that even well-audited codebases like the Linux kernel can harbor critical vulnerabilities that require prompt attention.
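For patch triage, the fixed releases listed above can be checked against an inventory of `uname -r` strings. The following is an added example, not code from the article or the kernel project; the hostnames and release strings are constructed, and treating any suffix after the version as a distribution build is an assumption.

```python
import re

# First fixed release per upstream branch, as listed in the article.
FIXED_STABLE = {(6, 8): 12, (6, 9): 3}
FIXED_MAINLINE = (6, 10)  # 6.10-rc1 and every later branch

# major.minor[.patch][-rcN][vendor or local suffix]
_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc\d+)?(.*)$")


def triage(release):
    """Classify one `uname -r` string: 'fixed', 'unpatched' or 'check-vendor'."""
    m = _RELEASE.match(release.strip())
    if m is None:
        return "check-vendor"  # unparseable: needs a human
    branch = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3) or 0)
    vendor_build = bool(m.group(4))
    if branch >= FIXED_MAINLINE:
        return "fixed"
    first_fixed = FIXED_STABLE.get(branch)
    if first_fixed is not None and patch >= first_fixed:
        return "fixed"
    # Assumption: a suffix such as "-31-generic" or "-427.el9.x86_64" marks a
    # distribution build, which may carry the backported fix without a change
    # in the upstream version number, so the string alone cannot decide.
    if vendor_build:
        return "check-vendor"
    return "unpatched"


def triage_fleet(inventory):
    """Group hostnames by triage status; input maps hostname -> release."""
    report = {"fixed": [], "unpatched": [], "check-vendor": []}
    for host, release in sorted(inventory.items()):
        report[triage(release)].append(host)
    return report


# Constructed inventory for illustration; hostnames are hypothetical.
SAMPLE = {
    "build-01": "6.8.11", "build-02": "6.8.12", "edge-01": "6.1.90",
    "web-01": "6.8.0-31-generic", "db-01": "5.14.0-427.el9.x86_64",
    "lab-01": "6.10.0-rc1",
}

if __name__ == "__main__":
    for status, hosts in triage_fleet(SAMPLE).items():
        print(f"{status:13} {', '.join(hosts)}")
```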

Synthesized by Vypr AI