PoC Released for DirtyDecrypt Linux Kernel Vulnerability
A proof-of-concept exploit for DirtyDecrypt, a Linux kernel privilege escalation flaw in the RxGK subsystem, has been publicly released, affecting distributions like Arch Linux, Fedora, and openSUSE.

A proof-of-concept (PoC) exploit has been publicly released for a Linux kernel vulnerability dubbed 'DirtyDecrypt' (also called DirtyCBC), which allows unprivileged local attackers to escalate privileges to root. The exploit was developed by the V12 security team, which discovered the flaw earlier this month, after patches had already been rolled out in April 2026. The vulnerability lies in the kernel's keyring subsystem, specifically in the rxgk_decrypt_skb component of the RxGK security class, which the RxRPC network protocol uses for the Andrew File System (AFS) and OpenAFS.
The core issue is a missing copy-on-write (COW) guard in the RxGK subsystem. According to the V12 team, oversized response authenticators are accepted, allowing data to be written into the memory of privileged processes or into the page cache of privileged files, such as SUID binaries. This lets an attacker modify sensitive system files and gain root-level access. Security researcher Moselwal noted that the flaw is a variant of recently identified Linux kernel bugs such as Copy Fail, Dirty Frag, and Fragnesia, all of which grant root access on vulnerable systems.
While the V12 team has not assigned a CVE identifier for DirtyDecrypt, Tharros Labs senior principal vulnerability analyst Will Dormann pointed out that the underlying issue could be CVE-2026-31635, a Linux kernel vulnerability disclosed on April 24 with a CVSS score of 7.5. Patches for this CVE were rolled out for mainline Linux builds at that time. The exploit only affects distributions that have CONFIG_RXGK compiled in and enabled, such as Arch Linux, Fedora, and openSUSE. In container platforms, all worker nodes running a vulnerable distribution could provide attackers with a path to escape the pod, Moselwal warned.
The release of the DirtyDecrypt PoC follows a series of high-profile Linux kernel privilege escalation vulnerabilities disclosed in recent weeks. Fragnesia (CVE-2026-46300), disclosed last week, affects the XFRM ESP-in-TCP subsystem and allows attackers to overwrite sensitive system files to gain root privileges. Dirty Frag, published earlier this month, chains two vulnerabilities in the Linux kernel, including one affecting the RxRPC component, to elevate privileges to root. Copy Fail, disclosed in late April, enables an attacker to modify in-memory copies of setuid-root binaries, providing root shell access, and threat actors started exploiting it shortly after disclosure.
Administrators are urged to ensure their systems are updated with the April security patch to mitigate exploitation risk. The DirtyDecrypt vulnerability underscores the ongoing challenge of securing the Linux kernel against local privilege escalation attacks, particularly as researchers continue to uncover variants of the same underlying class of bugs. The availability of a public PoC increases the likelihood of exploitation, making it critical for affected organizations to prioritize patching.
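Since the article states that only kernels built with CONFIG_RXGK are affected, the first triage step on a fleet is to find out which hosts actually build that code path. The script below is an added example, not code from the article or from the V12 team; it assumes the config symbol is CONFIG_RXGK (as the article names it) with CONFIG_AF_RXRPC as its parent, that the running kernel's config is at /proc/config.gz or /boot/config-$(uname -r), and that the module is called rxrpc.

```shell
#!/bin/sh
# Added example (not from the article): read-only check of whether this host
# builds the RxGK code path DirtyDecrypt requires. Assumed names: CONFIG_RXGK,
# CONFIG_AF_RXRPC, the "rxrpc" module, /proc/config.gz and /boot/config-*.

# config_symbol_state FILE SYMBOL -> prints "y", "m", "n" (n also when the
# symbol is absent or commented out) or "unknown" when FILE is unreadable.
# Handles the gzip-compressed /proc/config.gz as well as plain /boot configs.
config_symbol_state() {
    file="$1"; sym="$2"
    [ -r "$file" ] || { echo unknown; return 0; }
    case "$file" in
        *.gz) line=$(gzip -dc "$file" | grep "^${sym}=" || true) ;;
        *)    line=$(grep "^${sym}=" "$file" || true) ;;
    esac
    case "$line" in
        "${sym}=y") echo y ;;
        "${sym}=m") echo m ;;
        *)          echo n ;;
    esac
}

# rxrpc_loaded MODULES_FILE -> "yes" if rxrpc is currently loaded, else "no".
rxrpc_loaded() {
    [ -r "$1" ] && grep -q '^rxrpc ' "$1" && { echo yes; return 0; }
    echo no
}

# rxgk_exposure CONFIG_FILE -> "exposed" when CONFIG_RXGK is built (y or m),
# "not-exposed" when it is off, "unknown" when the config cannot be read.
# "m" counts as exposed: an unloaded module can still be loaded on demand, so
# only the build config decides (conservative choice, stated as an assumption).
rxgk_exposure() {
    case "$(config_symbol_state "$1" CONFIG_RXGK)" in
        y|m)     echo exposed ;;
        unknown) echo unknown ;;
        *)       echo not-exposed ;;
    esac
}

# Report for the running kernel.
kcfg=/proc/config.gz
[ -r "$kcfg" ] || kcfg="/boot/config-$(uname -r)"
echo "config file:       $kcfg"
echo "CONFIG_RXGK:       $(config_symbol_state "$kcfg" CONFIG_RXGK)"
echo "CONFIG_AF_RXRPC:   $(config_symbol_state "$kcfg" CONFIG_AF_RXRPC)"
echo "rxrpc loaded now:  $(rxrpc_loaded /proc/modules)"
echo "RxGK exposure:     $(rxgk_exposure "$kcfg")"
```

An "exposed" result means the host is in scope for the April patch; "unknown" usually means the config is not readable by the current user and the script should be rerun with read access to the config file.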
DirtyDecrypt is a variant of the Copy Fail (CVE-2026-31431), Dirty Frag (CVE-2026-43284, CVE-2026-43500), and Fragnesia (CVE-2026-46300) families of Linux kernel LPE bugs, all of which grant root access. The disclosure of Dirty Frag was forced after a merged patch led an independent researcher to analyze and publish details of the defect, and the flurry of disclosures has prompted a proposal for an emergency kernel "killswitch" to disable vulnerable functions at runtime.