Tech News

Exploit available for new DirtyDecrypt Linux root escalation flaw

Why This Matters

The DirtyDecrypt Linux kernel vulnerability, and the public exploit for it, underscores the ongoing risk posed by privilege escalation flaws in widely used open-source systems. It also highlights why Linux users and administrators should promptly apply kernel updates to mitigate attacks that could compromise system security and data integrity.

Key Takeaways

A recently patched local privilege escalation vulnerability in the Linux kernel's rxgk module now has a proof-of-concept exploit that allows attackers to gain root access on some Linux systems.

Named DirtyDecrypt and also known as DirtyCBC, the flaw was autonomously found and reported by the V12 security team earlier this month; the maintainers informed them that it was a duplicate of an issue already patched in the mainline kernel.

"We found and reported this on May 9, 2026, but were informed it was a duplicate by the maintainers," V12 said. "It's a rxgk pagecache write due to missing COW guard in rxgk_decrypt_skb. See poc.c for more details."

While there is no official CVE ID associated with this security flaw, according to Will Dormann (principal vulnerability analyst at Tharros), the information from the security researchers aligns with the details of CVE-2026-31635, which was patched on April 25.

Successful exploitation requires running a Linux kernel with the CONFIG_RXGK configuration option, which enables RxGK security support for the Andrew File System (AFS) client and network transport.

This limits the attack surface to Linux distributions that closely follow the latest upstream kernel releases, including Fedora, Arch Linux, and openSUSE Tumbleweed. However, V12's proof-of-concept exploit has only been tested against Fedora and the mainline Linux kernel.
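To check whether a kernel meets the CONFIG_RXGK prerequisite described above, here is a small read-only POSIX shell check. It is an added example, not code from the article or from V12; the config locations /proc/config.gz and /boot/config-$(uname -r) are assumed to be the conventional ones on the distribution in question.

```shell
#!/bin/sh
# Added example (not from the article): does this kernel meet the
# CONFIG_RXGK prerequisite for DirtyDecrypt? Read-only; changes nothing.

# Print the CONFIG_RXGK state ("y", "m" or "n") from the kernel config at $1.
# Plain files and gzip-compressed ones (/proc/config.gz) are both accepted;
# an unreadable path prints "unknown" and returns 2.
rxgk_config_state() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "unknown"; return 2; }
    { case "$cfg" in
          *.gz) gzip -dc "$cfg" ;;
          *)    cat "$cfg" ;;
      esac; } | awk -F= '
        /^CONFIG_RXGK=/ { print $2; found = 1; exit }
        END             { if (!found) print "n" }'
}

# Locate the running kernel's config at the usual (assumed) locations.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        echo /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Turn a state into a one-line verdict for the administrator.
rxgk_verdict() {
    case "$1" in
        y|m) echo "CONFIG_RXGK=$1: RxGK support enabled, prerequisite met; apply the kernel update" ;;
        n)   echo "CONFIG_RXGK not set: this kernel does not meet the exploit's prerequisite" ;;
        *)   echo "CONFIG_RXGK state unknown: kernel config not readable" ;;
    esac
}

# Check the config given as $1, or the running kernel's config if none.
main() {
    cfg="$1"
    [ -n "$cfg" ] || cfg=$(running_kernel_config) || cfg=""
    rxgk_verdict "$(rxgk_config_state "$cfg")"
    return 0
}

main "$@"
```

Run it with no arguments on the host being assessed, or pass the path of a saved kernel config to assess an image offline.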

[Image: DirtyDecrypt exploit Fedora test (Will Dormann)]

DirtyDecrypt belongs to the same vulnerability class as several other root-escalation flaws disclosed in recent weeks, including Dirty Frag, Fragnesia, and Copy Fail.

Linux users on distros potentially affected by DirtyDecrypt are advised to install the latest kernel updates as soon as possible.

Those who can't immediately patch their devices can apply the same mitigation used for Dirty Frag, though it will also break IPsec VPNs and AFS distributed network file systems:

... continue reading