DirtyDecrypt PoC Exploit Released for Linux Kernel CVE-2026-31635


A newly released proof-of-concept (PoC) exploit for the Linux kernel vulnerability CVE-2026-31635, also known as DirtyDecrypt or DirtyCBC, has raised serious concerns in the cybersecurity community. The flaw allows local privilege escalation (LPE), enabling attackers with limited access to gain root privileges on vulnerable Linux systems.

Security researchers warn that the vulnerability could be abused to modify sensitive files, escape containers, and compromise enterprise servers running affected Linux distributions.

DirtyDecrypt is a Linux kernel security vulnerability discovered by researchers from Zellic and the V12 security team. The issue was reported on May 9, 2026, but maintainers later confirmed it was a duplicate of an already patched vulnerability in the Linux kernel mainline.

The vulnerability exists because of a missing copy-on-write (COW) protection mechanism inside the rxgk_decrypt_skb() function. This function is responsible for decrypting incoming socket buffer data in the Linux kernel networking subsystem.

According to the researchers, the missing COW guard allows data written during the decryption process to leak into shared memory pages. As a result, attackers may overwrite data belonging to privileged processes or modify the page cache of sensitive system files.

This opens the door for attackers to tamper with important files such as:

  • /etc/shadow
  • /etc/sudoers
  • SUID binaries

A successful exploit escalates privileges to full root access on the affected system.

Linux normally uses a security mechanism called copy-on-write to protect shared memory pages. When multiple processes share the same memory page, Linux creates a private copy before any write operation occurs.

However, in DirtyDecrypt, this protection is missing in the rxgk_decrypt_skb() code path.

Cybersecurity researcher Moselwal explained that the flaw allows unauthorized writes to shared memory pages without triggering the normal isolation process. This means attackers can inject malicious changes into privileged files directly through the kernel page cache.

Because the exploit operates at the kernel level, traditional security controls may fail to detect the attack.

The vulnerability only impacts Linux systems where CONFIG_RXGK is enabled. Several popular Linux distributions are affected, including:

  • Fedora
  • Arch Linux
  • openSUSE Tumbleweed
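As an added check that is not part of the article or the researchers' work, the following POSIX shell script reads the running kernel's build configuration and reports whether CONFIG_RXGK, the option the article names as the precondition for CVE-2026-31635, is built in, modular or disabled. The config file locations and the `rxgk_check.sh` file name are assumptions.

```shell
#!/bin/sh
# Added example (not from the article or the researchers): report whether the
# running kernel was built with CONFIG_RXGK, the precondition the article names
# for CVE-2026-31635. Config locations and the script name are assumptions.

# rxgk_state FILE: print y, m, n or unknown for CONFIG_RXGK in a kernel config
# file; plain text or gzip-compressed (as /proc/config.gz is) are both accepted.
rxgk_state() {
    cfg="$1"
    [ -r "$cfg" ] || { echo unknown; return 0; }
    case "$cfg" in
        *.gz) line=$(gzip -dc "$cfg" 2>/dev/null | grep -E '^(# )?CONFIG_RXGK[ =]' | head -n 1) ;;
        *)    line=$(grep -E '^(# )?CONFIG_RXGK[ =]' "$cfg" | head -n 1) ;;
    esac
    case "$line" in
        CONFIG_RXGK=y)              echo y ;;       # built in
        CONFIG_RXGK=m)              echo m ;;       # loadable module
        "# CONFIG_RXGK is not set") echo n ;;       # code path not compiled
        *)                          echo unknown ;; # option absent from this config
    esac
}

# find_kernel_config: first readable config for the running kernel (assumed paths).
find_kernel_config() {
    for f in /proc/config.gz "/boot/config-$(uname -r)" "/lib/modules/$(uname -r)/build/.config"; do
        if [ -r "$f" ]; then echo "$f"; return 0; fi
    done
    return 1
}

# main: exit 0 when RXGK is off, 1 when it is on (confirm the fix is applied), 2 when unknown.
main() {
    cfg=$(find_kernel_config) || { echo "no kernel config found; check your distro's kernel package" >&2; return 2; }
    state=$(rxgk_state "$cfg")
    echo "CONFIG_RXGK=$state (from $cfg, kernel $(uname -r))"
    case "$state" in
        y|m) echo "rxgk is built in or loadable: verify this kernel carries the CVE-2026-31635 fix"; return 1 ;;
        n)   echo "rxgk disabled: the rxgk_decrypt_skb() path is not compiled into this kernel"; return 0 ;;
        *)   return 2 ;;
    esac
}

# Run the check when executed as rxgk_check.sh; sourcing the file only defines the functions.
case "$0" in *rxgk_check*) main "$@" ;; esac
```

A result of y or m only means the code path exists; whether the running kernel already contains the fix has to be confirmed against the distribution's advisory.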

Researchers also warned that containerized environments may face additional risks. Vulnerable worker nodes in Kubernetes or container platforms could potentially allow attackers to escape containers and compromise the host system.

Security experts believe DirtyDecrypt is part of a growing family of Linux kernel privilege escalation vulnerabilities discovered in recent months.

The flaw has been linked to:

  • Copy Fail (CVE-2026-31431)
  • Dirty Frag (CVE-2026-43284)
  • CVE-2026-43500
  • Fragnesia (CVE-2026-46300)

All of these vulnerabilities abuse weaknesses in Linux memory handling and page cache protections to achieve root-level access.

Copy Fail was first disclosed by researchers at Theori in April 2026. The flaw targeted the AF_ALG cryptographic socket interface in Linux.

Shortly after, researchers uncovered Dirty Frag, which expanded the attack surface with additional page-cache write techniques.

The public disclosure of Dirty Frag happened earlier than planned after a Linux kernel patch accidentally exposed details of the vulnerability before the embargo period ended.

A researcher using the aliases “0xdeadbeefnetwork” and “afflicted.sh” analyzed the upstream commit and quickly developed a working PoC exploit.

This incident highlights a growing issue in open-source security where public patches can unintentionally help attackers weaponize vulnerabilities before administrators have time to apply fixes.


Another related Linux kernel vulnerability, Fragnesia (CVE-2026-46300), impacts the XFRM ESP-in-TCP subsystem.

Like DirtyDecrypt, Fragnesia allows attackers to modify read-only file contents in the kernel page cache. This can lead to privilege escalation and complete system compromise.

Security researchers warn that the increasing number of page-cache-related vulnerabilities suggests a broader security challenge within certain Linux kernel networking components.

The disclosure of DirtyDecrypt comes alongside several other serious Linux security flaws.

One notable issue is Pack2TheRoot (CVE-2026-41651), a privilege escalation vulnerability affecting the Linux PackageKit daemon. The flaw carries a CVSS score of 8.8 (High).

Another issue, known as ssh-keysign-pwn (CVE-2026-46333), allows unprivileged users to access root-owned secrets such as SSH private keys.

Several Linux vendors have already released security advisories and patches for CVE-2026-46333, including:

  • AlmaLinux
  • Amazon Linux
  • CloudLinux
  • Fedora
  • Gentoo
  • Red Hat
  • SUSE
  • Ubuntu

The rapid rise in Linux kernel zero-day vulnerabilities has prompted developers to discuss a new emergency mitigation feature called “Killswitch.”

The proposal was introduced by Linux kernel maintainer Sasha Levin.

The feature would allow administrators to temporarily disable vulnerable kernel functions at runtime until official security patches become available.

According to the proposal, administrators could force a selected kernel function to return a fixed value instead of executing its code. This temporary mitigation could help reduce the risk of exploitation during active attacks.

While the feature is still under discussion, many security professionals see it as an important step toward improving Linux zero-day response capabilities.

Meanwhile, Rocky Linux has launched a new optional security repository designed to deliver urgent patches faster during critical vulnerability events.

The repository is disabled by default and is intended for emergency situations where exploit code becomes public before upstream fixes are fully released.

Rocky Linux maintainers explained that the repository focuses only on high-risk scenarios involving publicly known vulnerabilities with active exploitation risks.

The move reflects growing pressure on Linux distributions to respond faster to rapidly weaponized kernel vulnerabilities.

The release of a public PoC exploit for DirtyDecrypt significantly increases the risk of real-world attacks. Threat actors can now study and adapt the exploit to target vulnerable Linux systems.

Organizations running Linux servers, cloud workloads, Kubernetes environments, or developer workstations should immediately review kernel versions and apply available patches.

Security teams should also:

  • Monitor for unusual privilege escalation attempts
  • Restrict local user access where possible
  • Update vulnerable Linux kernels immediately
  • Review container isolation protections
  • Track new advisories from Linux vendors
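One concrete way to act on the monitoring item above, added here as an example rather than anything from the article: a content-hash baseline over the files the article names as page-cache write targets (/etc/shadow, /etc/sudoers and root-owned SUID binaries). Because reads are served from the page cache, a tampered cached page shows up as a hash mismatch even when nothing was written to disk. The baseline directory and helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): a content-hash baseline for the files the
# article lists as page-cache write targets. Reads come from the page cache, so a
# tampered cached page produces a hash mismatch although the on-disk bytes are
# untouched. Keep the baseline off-host: a root-level attacker could rewrite it.

# snapshot LISTFILE BASELINE: record the sha256 of every regular file named in LISTFILE.
snapshot() {
    : > "$2"
    while IFS= read -r p; do
        if [ -f "$p" ]; then sha256sum "$p" >> "$2"; fi
    done < "$1"
    return 0
}

# verify BASELINE: status 0 when every file still matches, 1 when any changed or vanished.
verify() {
    sha256sum -c --quiet "$1"
}

# suid_targets OUTFILE: list root-owned setuid binaries, the third target class named above.
suid_targets() {
    find / -xdev -type f -user root -perm -4000 2>/dev/null > "$1"
}

# baseline_host [DIR]: build the target list and snapshot it once from a
# known-good state (assumed default directory); re-run verify on a schedule
# and alert on any FAILED line it prints.
baseline_host() {
    dir="${1:-/var/lib/pagecache-baseline}"
    mkdir -p "$dir"
    printf '/etc/shadow\n/etc/sudoers\n' > "$dir/targets"
    suid_targets "$dir/suid"
    cat "$dir/suid" >> "$dir/targets"
    snapshot "$dir/targets" "$dir/sha256"
}
```

Re-snapshot after legitimate changes (password updates, package upgrades that replace SUID binaries), or every such change will read as a finding.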

With Linux kernel vulnerabilities increasingly becoming targets for rapid exploitation, proactive patch management and runtime security monitoring are more important than ever.
