New DirtyDecrypt Linux Flaw Exploit Released, Patching Urged
Severity: High (Score: 72.0)
Sources: nvd.nist.gov, Bleepingcomputer, Securityaffairs.Co, Cybersecuritynews, github.com
Keywords: linux, exploit, root, escalation, available, dirtydecrypt, flaw
Severity indicators: exploit available, flaw
Summary
A local privilege escalation vulnerability in the Linux kernel's rxgk module, named DirtyDecrypt (also tracked as DirtyCBC), has been disclosed and a proof-of-concept exploit is now public. The V12 security team reported the flaw on May 9, 2026; it was triaged as a duplicate of CVE-2026-31635, which had already been patched on April 25. Exploitation requires a kernel built with the CONFIG_RXGK option, which points at distributions that track recent upstream releases, such as Fedora, Arch Linux, and openSUSE Tumbleweed. Users are advised to update their kernels now that a working exploit is public. The bug joins a run of recent Linux root escalation flaws, including Dirty Frag and Copy Fail; of these, Copy Fail is confirmed as exploited in the wild, and the Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to secure their Linux devices.
Key points:
- DirtyDecrypt is a local privilege escalation vulnerability in the Linux kernel's rxgk module.
- A proof-of-concept exploit has been released; Fedora and Arch Linux are among the affected distributions.
- Patch now to remove the exposure, since the exploit is public and the fix has been available since April 25.
Detailed Analysis
**Impact**
Linux systems running kernels built with the CONFIG_RXGK option are affected. The exposed population is mainly distributions that track the latest upstream releases, such as Fedora, Arch Linux, and openSUSE Tumbleweed. A local attacker who can already run code on such a host can escalate to root, compromising system integrity and any data the host holds. The risk is heightened by context: this flaw arrives alongside Copy Fail, Dirty Frag, and Fragnesia, and CISA has already ordered U.S. federal agencies to remediate Copy Fail, which is exploited in the wild.

**Technical Details**
DirtyDecrypt, tracked as CVE-2026-31635, is a local privilege escalation in the Linux kernel's rxgk code. The public write-ups attribute it to a missing copy-on-write (COW) guard in the rxgk_decrypt_skb function, which lets an unprivileged local user reach root. The V12 security team reported the bug on May 9, 2026; it was triaged as a duplicate of CVE-2026-31635, whose fix landed on April 25. Note that the NVD description of CVE-2026-31635 reads "rxrpc: fix oversized RESPONSE authenticator length check" and refers to rxgk_verify_response() decoding auth_len from the packet; the source articles do not reconcile that wording with the rxgk_decrypt_skb description, so match vendor advisories on the CVE identifier rather than on the function name. Exploitation requires local code execution and a kernel built with CONFIG_RXGK, which limits the attack surface to hosts that ship that option. The proof-of-concept exploit was developed by the V12 security team and tested on Fedora and mainline kernels. The flaw belongs to a recent cluster of Linux root escalation bugs (Dirty Frag, Fragnesia, Copy Fail); of these, only Copy Fail has confirmed in-the-wild exploitation.

**Recommended Response**
Apply the kernel updates released after April 25, 2026 that carry the fix for CVE-2026-31635. On the fast-moving distributions named above this means taking the next kernel package rather than waiting for a maintenance window. Where patching must wait, the source articles point to the interim mitigation used for Dirty Frag, with the caveat that it can disrupt IPsec VPNs and AFS file systems, so test it before rolling it out to hosts that depend on either. Check whether the running kernel was built with CONFIG_RXGK at all (a kernel without it does not contain the vulnerable code path) and whether the rxrpc transport is loaded or loadable. Monitor for local privilege escalation attempts; no specific IOCs are provided in the source articles.
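The configuration check recommended above, written out as a POSIX shell script. This is an added example, not code from the source articles or from the PoC authors: it locates the running kernel's config, reports the state of CONFIG_AF_RXRPC and CONFIG_RXGK, checks whether the rxrpc module is resident, and gives an exposure verdict. It assumes that the rxgk objects are linked into the rxrpc module (an assumption here, not something the articles state), and because the articles do not name the fixed kernel versions it reports whether the vulnerable code path is present, not whether the host is patched.

```shell
#!/bin/sh
# rxgk_check.sh: does this host carry the CONFIG_RXGK attack surface that
# DirtyDecrypt (CVE-2026-31635) needs? Added example, not from the source
# articles or the PoC authors. The articles do not give fixed kernel
# versions, so this reports exposure of the code path, not patch status.

# State of one option in a kernel .config-style file:
# prints y, m, n (explicit "is not set") or unset.
config_state() {
    _file=$1
    _opt=$2
    if grep -q "^${_opt}=y\$" "$_file"; then
        echo y
    elif grep -q "^${_opt}=m\$" "$_file"; then
        echo m
    elif grep -q "^# ${_opt} is not set\$" "$_file"; then
        echo n
    else
        echo unset
    fi
}

# Verdict for a config file: the rxgk code path exists only when CONFIG_RXGK
# is built (as y or m); a kernel without it cannot reach rxgk_decrypt_skb.
rxgk_exposure() {
    case "$(config_state "$1" CONFIG_RXGK)" in
        y|m) echo exposed ;;
        *)   echo not-exposed ;;
    esac
}

# Is a module resident right now? Reads /proc/modules; returns 1 if absent.
module_loaded() {
    [ -r /proc/modules ] && awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' /proc/modules
}

# Copy the running kernel's config (from /proc/config.gz or /boot) to a
# temp file and print its path; fails if neither source is readable.
running_kernel_config() {
    _out=$(mktemp)
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz > "$_out"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)" > "$_out"
    else
        rm -f "$_out"
        return 1
    fi
    echo "$_out"
}

main() {
    _cfg=$(running_kernel_config) || { echo "no kernel config found for $(uname -r)"; return 0; }
    echo "kernel:          $(uname -r)"
    echo "CONFIG_AF_RXRPC: $(config_state "$_cfg" CONFIG_AF_RXRPC)"
    echo "CONFIG_RXGK:     $(config_state "$_cfg" CONFIG_RXGK)"
    # rxgk objects are assumed (here) to be linked into the rxrpc module, so a
    # resident rxrpc module means the rxgk code is already in the kernel.
    if module_loaded rxrpc; then _res=yes; else _res=no; fi
    echo "rxrpc resident:  $_res"
    echo "verdict:         $(rxgk_exposure "$_cfg")"
    rm -f "$_cfg"
}

main "$@"
```

A verdict of not-exposed means the kernel was built without the rxgk code path and this bug does not apply; a verdict of exposed means the kernel must be checked against the distribution's advisory for CVE-2026-31635, since the script cannot tell a patched build from an unpatched one. The AF_RXRPC line is informational: with AF_RXRPC=m the transport (and with it the rxgk code) is loaded on demand, so "rxrpc resident: no" does not by itself reduce exposure.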
Source articles (7)
- Exploit available for new DirtyDecrypt Linux root escalation flaw — Bleepingcomputer · 2026-05-18
  A recently patched local privilege escalation vulnerability in the Linux kernel's rxgk module now has a proof-of-concept exploit that allows attackers to gain root access on some Linux systems. Named…
- Rxrpc — docs.kernel.org · 2026-05-18
  The RxRPC protocol driver provides a reliable two-phase transport on top of UDP that can be used to perform RxRPC remote operations. This is done over sockets of AF_RXRPC family, using sendmsg() and r…
- CVE-2026-31635 — nvd.nist.gov · 2026-05-18
  In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix oversized RESPONSE authenticator length check rxgk_verify_response() decodes auth_len from the packet and is supposed to…
- Dirtydecrypt — github.com · 2026-05-18
- DirtyDecrypt: PoC Released for yet another Linux flaw — Securityaffairs.Co · 2026-05-20
  DirtyDecrypt (CVE-2026-31635): working PoC out for a Linux kernel LPE flaw. Missing COW guard in rxgk_decrypt_skb lets local attackers reach root. After Copy Fail, Dirty Frag, and Fragnesia, here come…
- PoC Exploit Released for DirtyDecrypt Linux Kernel Vulnerability — Gbhackers · 2026-05-20
  PoC exploit code for the DirtyDecrypt (DirtyCBC) Linux kernel vulnerability has been released publicly, turning a previously theoretical local privilege escalation into a practical, copy‑paste exploit…
- DirtyDecrypt Linux Kernel Vulnerability PoC Exploit Code Released — Cybersecuritynews · 2026-05-19
  A working proof-of-concept (PoC) exploit for a high-severity Linux kernel local privilege escalation vulnerability dubbed DirtyDecrypt, also tracked as DirtyCBC, enables local attackers to gain full r…
Timeline
- 2026-04-24 — CVE-2026-31635 published: the CVE later matched to DirtyDecrypt was published, with the kernel fix reported as landing on April 25.
- 2026-05-01 — CISA adds Copy Fail to exploited vulnerabilities list: CISA confirmed that the Copy Fail vulnerability is being actively exploited and ordered federal agencies to secure Linux devices.
- 2026-05-09 — V12 reports DirtyDecrypt vulnerability: The V12 security team reported the DirtyDecrypt flaw, which was later identified as a duplicate of the already patched CVE-2026-31635.
- 2026-05-15 — Deadline for federal agencies to secure devices: CISA mandated that federal agencies secure their Linux devices against the Copy Fail vulnerability by this date.
- 2026-05-18 — Exploit for DirtyDecrypt made public: A proof-of-concept exploit for the DirtyDecrypt vulnerability was released, prompting urgent patching recommendations.
CVEs
- CVE-2026-31635
Related entities
- Privilege Escalation (Attack Type)
- Zero-day Exploit (Attack Type)
- Cybersecurity and Infrastructure Security Agency (Company)
- Fedora (Company)
- OpenSUSE (Company)
- CWE-125 - Out-of-bounds Read (Cwe)
- CWE-269 - Improper Privilege Management (Cwe)
- AF_RXRPC (Platform)
- Andrew File System (Platform)
- Arch Linux (Platform)
- IPv4 (Platform)
- IPv6 (Platform)
- Linux (Platform)
- OpenSUSE Tumbleweed (Platform)
- RxRPC (Platform)
- SunRPC (Platform)
- UDP (Platform)
- XDR (Platform)
- Copy Fail (Vulnerability)
- DirtyCBC (Vulnerability)
- DirtyDecrypt (Vulnerability)
- Dirty Frag (Vulnerability)
- Fragnesia (Vulnerability)
- Pack2TheRoot (Vulnerability)