DirtyDecrypt Linux kernel root escalation exploit public availability

1 unique source, 1 article

Summary

A proof-of-concept exploit for DirtyDecrypt (DirtyCBC), a Linux kernel local privilege escalation vulnerability, has been publicly released, enabling attackers to achieve root access on systems running vulnerable kernels. The flaw stems from a missing copy-on-write (COW) guard in the rxgk module’s rxgk_decrypt_skb function, leading to a pagecache write vulnerability. Exploitation requires the CONFIG_RXGK kernel configuration option, limiting affected systems to distributions closely tracking upstream kernels such as Fedora, Arch Linux, and openSUSE Tumbleweed. The vulnerability joins a growing class of recent Linux root-escalation flaws, including Dirty Frag, Fragnesia, and Copy Fail, and follows active exploitation of Copy Fail in the wild.

Timeline

  1. 18.05.2026 10:18 · 1 article

    DirtyDecrypt exploit public release and Linux kernel patch alignment identified

    A proof-of-concept exploit for DirtyDecrypt (DirtyCBC) was publicly released on May 18, 2026, enabling local privilege escalation to root on Linux systems with CONFIG_RXGK enabled. The vulnerability’s technical details align with CVE-2026-31635, which was patched in the mainline kernel on April 25, 2026. Exploitation has been demonstrated against Fedora and mainline kernels, with mitigations requiring module disabling and cache clearing that may impact IPsec VPNs and AFS functionality.

Information Snippets

  • DirtyDecrypt is a local privilege escalation flaw in the Linux kernel’s rxgk module, enabling attackers to gain root access on vulnerable systems.

    First reported: 18.05.2026 10:18
  • The vulnerability arises from a missing copy-on-write (COW) guard in rxgk_decrypt_skb, resulting in a pagecache write condition.

    First reported: 18.05.2026 10:18
  • A proof-of-concept exploit has been publicly released, demonstrating practical exploitation against Fedora and mainline Linux kernels.

    First reported: 18.05.2026 10:18
  • Exploitation requires the CONFIG_RXGK kernel configuration option, which enables RxGK security support for the Andrew File System (AFS) client and network transport.

    First reported: 18.05.2026 10:18
  • Affected Linux distributions include Fedora, Arch Linux, and openSUSE Tumbleweed, which closely follow upstream kernel releases.

    First reported: 18.05.2026 10:18
  • The vulnerability aligns with technical details of CVE-2026-31635, patched on April 25, though no official CVE ID has been assigned to DirtyDecrypt.

    First reported: 18.05.2026 10:18
  • Mitigation involves disabling specific kernel modules (esp4, esp6, rxrpc) and clearing page caches, though this may disrupt IPsec VPNs and AFS distributed networks.

    First reported: 18.05.2026 10:18
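
An exposure check built from the two conditions listed above (CONFIG_RXGK in the kernel config; esp4, esp6 or rxrpc loaded), added here as an example and not taken from the cited article or any advisory. Function names and verdict strings are assumptions, the sample inputs are constructed, and the verdict says nothing about whether the running kernel already carries the April 25 fix.

```shell
#!/bin/sh
# Added example: exposure check built from the conditions named on this page.
# Verdict strings and function names are assumptions made for this example.

# Succeeds if the kernel config text in $1 has RxGK support compiled in.
rxgk_built() {
    printf '%s\n' "$1" | grep -Eq '^CONFIG_RXGK=[ym]$'
}

# Prints which of esp4/esp6/rxrpc appear in /proc/modules-format text ($1).
loaded_listed_modules() {
    printf '%s\n' "$1" |
        awk '$1 == "esp4" || $1 == "esp6" || $1 == "rxrpc" { print $1 }' |
        sort | tr '\n' ' ' | sed 's/ $//'
}

# $1 = kernel config text, $2 = /proc/modules text. Prints one verdict line.
assess() {
    if ! rxgk_built "$1"; then
        echo "rxgk-not-built"
        return 0
    fi
    mods=$(loaded_listed_modules "$2")
    # A built-in rxrpc never shows up in /proc/modules, so check the config too.
    if printf '%s\n' "$1" | grep -q '^CONFIG_AF_RXRPC=y$'; then
        mods="${mods:+$mods }rxrpc(built-in)"
    fi
    if [ -n "$mods" ]; then
        echo "rxgk-built, active: $mods"
    else
        echo "rxgk-built, listed modules not loaded"
    fi
}

# Constructed sample inputs (not taken from any real host).
SAMPLE_CONFIG_ROLLING='CONFIG_AF_RXRPC=m
CONFIG_RXGK=y
CONFIG_INET_ESP=m'
SAMPLE_CONFIG_LTS='CONFIG_AF_RXRPC=m
# CONFIG_RXGK is not set'
SAMPLE_MODULES='rxrpc 450560 1 kafs, Live 0x0000000000000000
esp4 28672 0 - Live 0x0000000000000000
ext4 1032192 2 - Live 0x0000000000000000'

# Live use: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    cfg=$(cat "/boot/config-$(uname -r)" 2>/dev/null || zcat /proc/config.gz 2>/dev/null)
    assess "$cfg" "$(cat /proc/modules)"
fi
```

A "rxgk-built" verdict is a prompt to confirm the installed kernel package includes the fix before relying on module disabling, which the page notes can disrupt IPsec VPNs and AFS.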