DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability
TL;DR Exploit code for CVE-2026-31635, a local privilege escalation flaw in the Linux kernel's rxgk subsystem, is now public. The vulnerability stems from a missing copy-on-write guard that lets an unprivileged local user write into the memory of privileged processes or into the page cache of files they cannot otherwise modify, such as /etc/shadow and /etc/sudoers. Only kernels built with CONFIG_RXGK enabled are affected; the source names Fedora, Arch Linux, and openSUSE Tumbleweed among them. The CVSS score is 7.5.
What happened
On May 9, 2026, security researchers at Zellic and V12 reported a local privilege escalation vulnerability in the Linux kernel's rxgk subsystem. The researchers were informed that the flaw had already been patched upstream, but proof-of-concept code has since been released publicly.
The vulnerability, dubbed DirtyDecrypt (also known as DirtyCBC), resides in the rxgk_decrypt_skb() function, which decrypts received socket buffers. According to Zellic co-founder Luna Tong, the fault is "a rxgk pagecache write due to missing COW [copy-on-write] guard in rxgk_decrypt_skb."
Copy-on-write is how Linux lets many processes share one physical copy of a page while keeping each process's own writes private. A MAP_PRIVATE mapping of a file points at the shared page-cache page but is mapped read-only; the first write faults, the kernel copies the page, and the write lands in that private copy, so the page-cache page that every other reader and every read() call sees is never touched. Kernel code that writes into a page it took from user memory has to honour the same rule. The report says rxgk_decrypt_skb() lacks that guard, so the data it writes during decryption can land in the shared page-cache page instead of a private copy.
Because such a write goes straight into the page cache rather than through the normal file write path, file permissions never come into play. An attacker can use it to write into the memory of privileged processes or into the page cache of privileged files such as /etc/shadow, /etc/sudoers, or SUID binaries, any of which yields local privilege escalation.
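To make the guard concrete, here is an added user-space demonstration of what copy-on-write protects. It is not code from the source article, from Zellic, or from the kernel: it creates a temporary file with a constructed /etc/shadow-style line, maps it MAP_PRIVATE through a read-only descriptor, overwrites the hash field, and checks that the page-cache page (seen through a MAP_SHARED read mapping) and the file itself are untouched. A second function shows the opposite case, a permitted MAP_SHARED write that every reader sees at once, which is the effect the bug class above obtains without ever holding write permission. Runs on Linux as an unprivileged user.

```c
/* Added example, not from the source article: what the copy-on-write guard
 * protects.  A MAP_PRIVATE mapping of a file the process can only read may
 * be written, but the kernel diverts the write into a private copy of the
 * page; the page-cache page other readers see and the file on disk stay
 * intact.  A kernel path that writes into such a page without this step
 * (the bug class discussed above) lands in the shared page instead.
 * Linux only; the file content is a constructed sample. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed sample standing in for a line of /etc/shadow. */
static const char ORIGINAL[] = "root:$6$saltsalt$hashhashhash:20000:0:99999:7:::\n";
#define ORIG_LEN (sizeof(ORIGINAL) - 1)

/* Create a temp file holding ORIGINAL and reopen it with the given flags
 * (O_RDONLY mimics a file the caller has no permission to write). */
static int make_victim_file(char *path, size_t pathlen, int flags)
{
    snprintf(path, pathlen, "/tmp/cow-demo-XXXXXX");
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, ORIGINAL, ORIG_LEN) != (ssize_t)ORIG_LEN) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    return open(path, flags);
}

/* Read the file back through the VFS and compare with ORIGINAL. */
static int file_is_original(int fd)
{
    char buf[sizeof(ORIGINAL)];
    ssize_t n = pread(fd, buf, ORIG_LEN, 0);
    return n == (ssize_t)ORIG_LEN && memcmp(buf, ORIGINAL, ORIG_LEN) == 0;
}

/* 1 if a write through a MAP_PRIVATE mapping of a read-only fd changes only
 * the private copy: a MAP_SHARED read mapping (a window onto the page-cache
 * page) and pread() still return ORIGINAL.  0 if the shared page changed,
 * -1 on setup failure. */
int cow_private_write_is_isolated(void)
{
    char path[64];
    int fd = make_victim_file(path, sizeof path, O_RDONLY);
    int ok = -1;
    if (fd < 0)
        return -1;
    char *priv = mmap(NULL, ORIG_LEN, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    char *shared = mmap(NULL, ORIG_LEN, PROT_READ, MAP_SHARED, fd, 0);
    if (priv != MAP_FAILED && shared != MAP_FAILED) {
        /* The first write faults; the kernel copies the page-cache page and
         * the write lands in the copy.  Here it blanks the password hash. */
        memcpy(priv, "root::", 6);
        ok = memcmp(priv, "root::", 6) == 0 &&
             memcmp(shared, ORIGINAL, ORIG_LEN) == 0 && file_is_original(fd);
    }
    if (priv != MAP_FAILED)
        munmap(priv, ORIG_LEN);
    if (shared != MAP_FAILED)
        munmap(shared, ORIG_LEN);
    close(fd);
    unlink(path);
    return ok;
}

/* 1 if a write through a writable MAP_SHARED mapping (fd opened O_RDWR, so
 * with permission) is visible to pread() at once.  This is what a page-cache
 * write looks like to every other reader of the file, and the effect the
 * vulnerability obtains without ever holding write permission. */
int shared_write_reaches_page_cache(void)
{
    char path[64];
    int fd = make_victim_file(path, sizeof path, O_RDWR);
    int changed = -1;
    if (fd < 0)
        return -1;
    char *shared = mmap(NULL, ORIG_LEN, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (shared != MAP_FAILED) {
        memcpy(shared, "root::", 6);
        changed = !file_is_original(fd);
        munmap(shared, ORIG_LEN);
    }
    close(fd);
    unlink(path);
    return changed;
}

int main(void)
{
    printf("COW isolates private write: %d\n", cow_private_write_is_isolated());
    printf("permitted shared write hits page cache: %d\n", shared_write_reaches_page_cache());
    return 0;
}
```

Both checks print 1 on a healthy kernel. The first is the behaviour the missing guard breaks: with a COW bypass, the MAP_SHARED window and pread() would show the blanked hash even though the file was opened read-only, which is exactly the /etc/shadow scenario the article describes.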
DirtyDecrypt is part of a broader family of related vulnerabilities affecting copy-on-write mechanisms. Zellic assesses it as a variant of Copy Fail (CVE-2026-31431), Dirty Frag (CVE-2026-43284 and CVE-2026-43500), and Fragnesia (CVE-2026-46300). Copy Fail was disclosed by Theori researchers on April 29, 2026, targeting the AF_ALG cryptographic socket interface. Dirty Frag followed a week later and expanded the attack surface with two page-cache write primitives. Fragnesia targets the XFRM ESP-in-TCP subsystem.
The timeline of disclosures accelerated when a patch for CVE-2026-43284 merged on May 5, 2026. An embargo on Dirty Frag details ended prematurely after the merged patch was analyzed by a researcher unaware of the coordinated disclosure window, leading to independent public disclosure of the defect.
Why it matters
For system administrators and developers, DirtyDecrypt is a direct path to root on vulnerable systems: an unprivileged local user can rewrite the files that control authentication and privilege, bypassing the access controls that normally protect them.
In containerized environments, the risk extends beyond the individual host. A worker node running a vulnerable Linux kernel could allow an attacker to escape a pod and compromise the underlying infrastructure.
Several related copy-on-write bugs surfacing within weeks of each other point to a systemic weakness in how kernel subsystems write into pages taken from user memory, and researchers are clearly mining that weakness. Public PoC code lowers the barrier to weaponization.
Affected systems and CVEs
- Linux kernel. CVE-2026-31635 only affects kernels built with CONFIG_RXGK; the source lists Fedora, Arch Linux, openSUSE Tumbleweed, AlmaLinux, Amazon Linux, CloudLinux, Gentoo, Red Hat, SUSE, Ubuntu, and Rocky Linux. Copy Fail and Fragnesia sit in other subsystems (AF_ALG and XFRM) and do not depend on CONFIG_RXGK.
  - CVE-2026-31635 (DirtyDecrypt, CVSS 7.5)
  - CVE-2026-31431 (Copy Fail)
  - CVE-2026-43284 (Dirty Frag)
  - CVE-2026-43500 (Dirty Frag variant)
  - CVE-2026-46300 (Fragnesia)
- Linux PackageKit daemon
  - CVE-2026-41651 (Pack2TheRoot, CVSS 8.8)
- Linux kernel (privilege management)
  - CVE-2026-46333 (ssh-keysign-pwn, CVSS 5.5)
What to do
- CONFIG_RXGK is a build-time kernel option, so on a distribution kernel it cannot simply be switched off; only rebuilding the kernel removes the code. If nothing on the host uses AF_RXRPC (rxgk is the GSSAPI security class of the rxrpc transport used by kAFS), the practical equivalent is to keep the rxrpc module, which carries the rxgk code, from loading, with an install rxrpc /bin/false line in /etc/modprobe.d. Any local user can otherwise trigger its autoload simply by creating an AF_RXRPC socket. If rxrpc is already loaded, the block only takes effect after rmmod or a reboot.
- Apply kernel updates for CVE-2026-31635 and related variants (CVE-2026-31431, CVE-2026-43284, CVE-2026-43500, CVE-2026-46300) as they become available from your distribution.
- If running AlmaLinux, Amazon Linux, CloudLinux, Fedora, Gentoo, Red Hat, SUSE, or Ubuntu, check for advisories specific to CVE-2026-46333 and apply patches.
- If running Rocky Linux, opt into the optional security repository to receive accelerated fixes for severe vulnerabilities pending upstream patches.
- In containerized environments, prioritize patching worker nodes to prevent pod escape.
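As an added example, not from the source article, here is a small checker for the steps above: it reads the running kernel's config for CONFIG_RXGK and /proc/modules for rxrpc, then says whether blocking the module helps or whether the box is already past that point. The parsing functions take file contents as strings so they can be exercised on constructed input. Two assumptions are mine rather than the article's: that rxgk is compiled into the rxrpc module (CONFIG_RXGK is a bool under CONFIG_AF_RXRPC in the kernel's Kconfig), and that the config lives at /boot/config-$(uname -r); distributions that expose it only as /proc/config.gz, Arch among them, will get the "cannot read" verdict and need a manual check.

```c
/* Added example, not from the source article: a checker for the mitigation
 * above.  It parses the running kernel's config for CONFIG_RXGK and
 * /proc/modules for rxrpc, then says whether blocking the module helps.
 * Assumption (from the kernel's Kconfig, not from the article): rxgk is a
 * bool option compiled into the rxrpc module, so rxrpc is the module to
 * block.  Linux only. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>

enum rxgk_state { RXGK_UNKNOWN = -1, RXGK_DISABLED = 0, RXGK_ENABLED = 1 };

/* Look for a CONFIG_RXGK=y (or =m) line.  A "# CONFIG_RXGK is not set"
 * line or no mention at all means the code is not built; NULL text
 * (config unreadable) means unknown. */
enum rxgk_state rxgk_state_from_config(const char *text)
{
    const char *line = text;
    if (!text)
        return RXGK_UNKNOWN;
    while (*line) {
        if (strncmp(line, "CONFIG_RXGK=", 12) == 0 &&
            (line[12] == 'y' || line[12] == 'm'))
            return RXGK_ENABLED;
        line = strchr(line, '\n');
        if (!line)
            break;
        line++;
    }
    return RXGK_DISABLED;
}

/* /proc/modules has one module per line, name first, space-separated. */
int module_is_loaded(const char *proc_modules, const char *name)
{
    size_t n = strlen(name);
    const char *line = proc_modules ? proc_modules : "";
    while (*line) {
        if (strncmp(line, name, n) == 0 && line[n] == ' ')
            return 1;
        line = strchr(line, '\n');
        if (!line)
            break;
        line++;
    }
    return 0;
}

/* 0: not exposed.  1: rxgk built, rxrpc not loaded, block autoload now.
 * 2: rxgk built and rxrpc already loaded; a modprobe block only takes
 * effect after rmmod or reboot, so patch first.  -1: cannot tell. */
int rxgk_verdict(enum rxgk_state st, int rxrpc_loaded)
{
    if (st == RXGK_UNKNOWN)
        return -1;
    if (st == RXGK_DISABLED)
        return 0;
    return rxrpc_loaded ? 2 : 1;
}

/* Read a whole file into a malloc'd NUL-terminated buffer; NULL if unreadable. */
static char *slurp(const char *path)
{
    FILE *f = fopen(path, "r");
    char *buf = NULL, *nb;
    size_t len = 0, cap = 0, got;
    if (!f)
        return NULL;
    do {
        if (len + 4096 > cap) {
            cap = cap ? cap * 2 : 8192;
            if (!(nb = realloc(buf, cap))) { free(buf); fclose(f); return NULL; }
            buf = nb;
        }
        got = fread(buf + len, 1, cap - len - 1, f);
        len += got;
    } while (got > 0);
    buf[len] = '\0';
    fclose(f);
    return buf;
}

int main(void)
{
    struct utsname u;
    char cfgpath[256];
    snprintf(cfgpath, sizeof cfgpath, "/boot/config-%s", uname(&u) == 0 ? u.release : "unknown");
    char *cfg = slurp(cfgpath), *mods = slurp("/proc/modules");
    int v = rxgk_verdict(rxgk_state_from_config(cfg), module_is_loaded(mods, "rxrpc"));
    free(cfg);
    free(mods);
    if (v == 0)
        puts("CONFIG_RXGK not built: CVE-2026-31635 does not apply to this kernel.");
    else if (v == 1)
        puts("rxgk built, rxrpc not loaded: put 'install rxrpc /bin/false' in /etc/modprobe.d/");
    else if (v == 2)
        puts("rxgk built and rxrpc loaded: patch; the modprobe block only bites after rmmod or reboot.");
    else
        printf("cannot read %s; check the kernel config by hand.\n", cfgpath);
    return 0;
}
```

The verdict logic is the point: a modprobe.d block is only a mitigation on hosts where rxrpc has not been loaded yet, and a loaded module means the kernel update is the only real fix.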
Open questions
- Whether CVE-2026-31635 was formally assigned by MITRE or inferred from the NVD record is not explicitly stated in available sources.
- Timeline for patch availability remains unclear across all affected distributions; the advisory does not specify deployment dates.
- The kernel killswitch proposal submitted by Sasha Levin has been reviewed by developers, but the source does not confirm whether it has been accepted or implemented.
- The extent of active in-the-wild exploitation is not documented.
Source
DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability