
DirtyDecrypt Linux kernel root escalation exploit public availability

2 unique sources, 2 articles

Summary


DirtyDecrypt (CVE-2026-31635), a Linux kernel local privilege escalation vulnerability, has seen its proof-of-concept exploit publicly released, enabling attackers to gain root access on systems with CONFIG_RXGK enabled. The flaw stems from a missing copy-on-write (COW) guard in the rxgk module’s rxgk_decrypt_skb function, allowing writes to privileged memory pages or sensitive file caches such as /etc/shadow or /etc/sudoers. Discovered by Zellic and V12 on May 9, 2026, the vulnerability was later found to duplicate a flaw already patched in the mainline kernel on April 25, 2026. DirtyDecrypt is part of a broader wave of recent Linux root-escalation flaws, including Copy Fail, Dirty Frag, and Fragnesia, all of which leverage pagecache write primitives. The disclosure follows an embargo breach that accelerated public release of related techniques, while new mitigation strategies like a runtime kernel killswitch and Rocky Linux’s optional security repository are being explored to address the rapid exploitation of such vulnerabilities.

Timeline

  1. 18.05.2026 10:18 · 2 articles

    DirtyDecrypt exploit public release and Linux kernel patch alignment identified

    The proof-of-concept exploit for DirtyDecrypt (CVE-2026-31635) was publicly released on May 19, 2026, confirming practical exploitation paths against systems with CONFIG_RXGK enabled. The vulnerability arises from a missing copy-on-write guard in rxgk_decrypt_skb, enabling writes to privileged memory pages or sensitive file caches such as /etc/shadow or /etc/sudoers. Discovered by Zellic and V12 on May 9, 2026, the flaw was later identified as a duplicate of CVE-2026-31635, which had been patched in the mainline kernel on April 25, 2026. DirtyDecrypt is classified as a variant of Copy Fail (CVE-2026-31431), Dirty Frag (CVE-2026-43284, CVE-2026-43500), and Fragnesia (CVE-2026-46300), all enabling root access on vulnerable systems. The disclosure occurred amid an embargo breach on May 5, 2026, which led to independent public disclosure of related techniques.

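A defender-side exposure check for the kernel code paths this event and its relatives rely on (rxgk inside rxrpc for DirtyDecrypt, the esp4/esp6 ESP modules for Dirty Frag and Fragnesia), written here as an added example and not taken from CyberHappenings or the cited researchers. It assumes the Kconfig symbols CONFIG_AF_RXRPC, CONFIG_INET_ESP and CONFIG_INET6_ESP name the rxrpc and ESP code, that rxgk support is compiled into the rxrpc module, and it runs over constructed config and lsmod text rather than a live host.

```shell
#!/bin/sh
# Constructed sample inputs standing in for /boot/config-$(uname -r) and lsmod.
SAMPLE_CONFIG='CONFIG_AF_RXRPC=m
CONFIG_RXGK=y
CONFIG_INET_ESP=m
# CONFIG_INET6_ESP is not set'
SAMPLE_LSMOD='Module                  Size  Used by
rxrpc                 360448  0
esp4                   24576  0
xfrm_user              53248  0'

# config_enabled CONFIG_TEXT SYMBOL -> success if SYMBOL is built in (=y) or modular (=m)
config_enabled() {
  printf '%s\n' "$1" | grep -Eq "^$2=(y|m)$"
}

# module_loaded LSMOD_TEXT NAME -> success if NAME appears in the module column
module_loaded() {
  printf '%s\n' "$1" | awk -v m="$2" 'NR > 1 && $1 == m { f = 1 } END { exit !f }'
}

# exposure_report CONFIG_TEXT LSMOD_TEXT
# Prints "symbol module status" per surface, then the number of exposed surfaces.
# Assumption: CONFIG_RXGK has no module of its own and is keyed on rxrpc.
exposure_report() {
  n=0
  for pair in CONFIG_RXGK:rxrpc CONFIG_AF_RXRPC:rxrpc CONFIG_INET_ESP:esp4 CONFIG_INET6_ESP:esp6; do
    sym=${pair%%:*}; mod=${pair#*:}; status=""
    if config_enabled "$1" "$sym"; then status="built"; fi
    if module_loaded "$2" "$mod"; then status="${status:+$status,}loaded"; fi
    if [ -z "$status" ]; then status="absent"; else n=$((n + 1)); fi
    echo "$sym $mod $status"
  done
  echo "$n"
}

# exposure_count CONFIG_TEXT LSMOD_TEXT -> just the final count
exposure_count() {
  exposure_report "$1" "$2" | tail -n 1
}

# blacklist_snippet CONFIG_TEXT LSMOD_TEXT -> modprobe.d lines that refuse to load
# each exposed module (the page's "disable esp4, esp6 and rxrpc" mitigation)
blacklist_snippet() {
  exposure_report "$1" "$2" | awk 'NF == 3 && $3 != "absent" { print "install " $2 " /bin/false" }' | sort -u
}

exposure_report "$SAMPLE_CONFIG" "$SAMPLE_LSMOD"
blacklist_snippet "$SAMPLE_CONFIG" "$SAMPLE_LSMOD"
```

On a live host pass `"$(cat /boot/config-$(uname -r))"` and `"$(lsmod)"` instead of the samples; an `install ... /bin/false` line only blocks future loads, so a module already loaded must still be removed or the host rebooted.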


Similar Happenings

Fragnesia Linux Kernel LPE via XFRM ESP-in-TCP Page Cache Corruption

Fragnesia (CVE-2026-46300, CVSS 7.8) is a Linux kernel local privilege escalation vulnerability in the XFRM ESP-in-TCP subsystem that enables unprivileged local attackers to corrupt kernel page cache and gain root access. The flaw was discovered by William Bowling of Zellic and the V12 team, with a proof-of-concept exploit published on May 13, 2026. It operates by feeding file contents into a TCP socket, enabling ESP-in-TCP encryption to overwrite page cache memory (including /usr/bin/su) with AES-GCM keystreams, leaving no forensic trace on disk. The vulnerability emerged as an unintended side effect of a patch addressing the Dirty Frag vulnerabilities and affects all Linux kernels prior to disclosure. A candidate upstream fix was submitted to the netdev mailing list on May 13 but remains unmerged, while multiple distributions have issued backported patches. Mitigation strategies include disabling esp4, esp6, and rxrpc modules (which also cover Dirty Frag), restricting unprivileged user namespaces, and monitoring for suspicious XFRM or namespace activity. No in-the-wild exploitation has been observed, but the public PoC and historical context heighten urgency for patching.

Linux Kernel Dirty Frag LPE Vulnerability Chain Enables Root Access

A local privilege escalation (LPE) vulnerability chain in the Linux kernel, dubbed Dirty Frag, has been publicly disclosed following a broken embargo. The flaw combines CVE-2026-43284 (xfrm-ESP write-what-where, CVSS 8.8) and CVE-2026-43500 (RxRPC out-of-bounds write, CVSS 7.8) to grant unprivileged local users root access across major distributions. Discovery was independently reported by Hyunwoo Kim in late April 2026, with in-the-wild exploitation activity potentially linked to the technique. Distribution maintainers are now releasing patches, while temporary mitigations include disabling vulnerable kernel modules. The flaw bypasses prior mitigations such as Copy Fail and enables deterministic exploitation with high success rates.

High-severity Linux kernel authencesn logic bug (CVE-2026-31431) enables local privilege escalation

A high-severity zero-day vulnerability in the Linux kernel, tracked as CVE-2026-31431 and nicknamed Copy Fail, has been disclosed after existing undetected since 2017. The flaw is a logic bug in the kernel’s authencesn cryptographic template that permits an unprivileged local user to perform a deterministic four-byte write into the page cache of any readable file on the system. Successful exploitation allows an attacker to escalate privileges to root on affected Linux distributions released since 2017, requiring only a local account and physical access to the target machine. The vulnerability affects multi-user shared systems, containerized environments (Kubernetes, Docker), and similar setups, enabling potential unauthorized access to other users’ data. It has been assigned a CVSS score of 7.8 (High severity). CISA added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog on May 3, 2026, after threat actors began exploiting it in the wild following Theori’s public disclosure on April 29, 2026. A Python-based proof-of-concept exploit was released, demonstrating reliable root access across major distributions, and U.S. government agencies were ordered to patch within two weeks under BOD 22-01.

Linux Kernel Local Privilege Escalation via Copy Fail (CVE-2026-31431)

Active exploitation of the Linux kernel local privilege escalation vulnerability (CVE-2026-31431) has begun, with threat actors targeting systems to gain root access. The flaw, dubbed "Copy Fail," stems from a logic bug in the kernel's authencesn cryptographic template and enables unprivileged local attackers to escalate privileges via a 4-byte write to the page cache of setuid-root binaries. Exploitation occurs entirely in memory, leaving no disk-based traces, and affects all major Linux distributions since 2017. A 10-line Python PoC achieves 100% reliability, and the flaw poses severe risks in containerized environments, enabling Kubernetes pod escapes and CI/CD pipeline compromises. Discovered in 2026 using AI-assisted analysis, the vulnerability was introduced in 2017 through a performance optimization that reused buffers in the crypto path. Upstream patches were released in kernel versions 6.18.22, 6.19.12, and 7.0, but inconsistent advisories across distributions have delayed widespread mitigation. Microsoft reports limited in-the-wild exploitation so far, primarily PoC testing, but warns of the flaw's broad applicability and potential for container breakouts, multi-tenant compromise, and lateral movement in shared environments. CISA added the flaw to its Known Exploited Vulnerabilities catalog on May 2, 2026, requiring federal agencies to patch within two weeks.

Privilege escalation vulnerability in PackageKit (CVE-2026-41651) enables root access via PackageKit daemon

A local privilege escalation vulnerability in the PackageKit daemon, tracked as CVE-2026-41651, allows unauthenticated users to execute arbitrary package installation or removal commands, leading to full root access on affected Linux systems. The flaw has existed for approximately 12 years in PackageKit versions up to 1.3.4 and impacts default installations across multiple major Linux distributions. Deutsche Telekom’s Red Team discovered the issue through authentication bypass in command handling, particularly in 'pkcon install' operations on Fedora systems. No public exploit code or technical details have been released to facilitate patching. The flaw carries a CVSS score of 8.8 (Medium severity) due to its high impact on confidentiality, integrity, and availability.