CVE-2026-31635 'DirtyDecrypt': Linux Kernel Privilege Escalation Vulnerability and PoC Availability
Publication date: May 19, 2026 | CVE: CVE-2026-31635 | CVSS v3.1: 7.5 (HIGH)
Introduction
In May 2026, the security community was alerted to the public availability of a proof-of-concept (PoC) exploit for a local privilege escalation (LPE) vulnerability in the Linux kernel, dubbed DirtyDecrypt (also known as DirtyCBC). The flaw, formally identified as CVE-2026-31635 with a CVSS v3.1 score of 7.5, resides in the kernel’s rxgk module and was independently discovered by security teams V12 and Zellic, who reported it on May 9, 2026, only to be informed it had already been silently patched in the mainline tree on April 25, 2026. The release of the PoC turns this vulnerability into an active, concrete threat: any attacker with local access to a system running a distribution with the CONFIG_RXGK build option enabled — such as Fedora, Arch Linux, or openSUSE Tumbleweed — can escalate privileges to root on unpatched systems. The exploitation window, amplified by the availability of the public exploit, demands an immediate response from security operations teams and system administrators.
What is DirtyDecrypt?
DirtyDecrypt is an arbitrary write into the kernel page cache, caused by the absence of a Copy-On-Write (COW) guard in the rxgk_decrypt_skb() function. Conceptually, the flaw allows an unprivileged user — that is, a process running under an ordinary UID — to write arbitrary data into the memory of privileged processes or into the page cache of critical system files, such as binaries with the SUID bit set, /etc/shadow, or /etc/sudoers.
The page cache is the memory region where the kernel temporarily stores the contents of filesystem files to speed up access. Normally, when a process attempts to modify a shared page, the COW mechanism creates a private copy before allowing the write, preventing the modification from propagating to the original. The absence of this check in the decryption flow of the RxGK subsystem is the central point of the vulnerability.
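The behaviour described above can be observed from user space. The following is an added example, not code from the article, from V12 or Zellic, or from the kernel: it writes through two file mappings of a constructed scratch file and reports whether the write reached the file. With MAP_PRIVATE the kernel applies the COW rule (the write lands in a private copy and the file's page-cache contents are untouched); with MAP_SHARED, where the caller legitimately holds write access, no copy is made and the write is visible to a later read(). The missing guard in the decryption path is what lets a write of the second kind happen to pages the caller should only have had the first kind of access to.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed sample file contents; not a real system file. */
static const char kOriginal[] = "hello, page cache\n";

/* Writes through a file mapping created with the given flags and reports
 * whether the write reached the file itself.
 * Returns 1 if a later read() of the file sees the modified bytes,
 * 0 if the file is unchanged, -1 on setup failure. */
int mapping_write_reaches_file(int map_flags) {
    char path[] = "/tmp/cow-demo-XXXXXX";  /* scratch file, name dropped immediately */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                          /* keep the fd, remove the name */

    if (write(fd, kOriginal, sizeof kOriginal) != (ssize_t)sizeof kOriginal) {
        close(fd);
        return -1;
    }

    char *map = mmap(NULL, sizeof kOriginal, PROT_READ | PROT_WRITE, map_flags, fd, 0);
    if (map == MAP_FAILED) {
        close(fd);
        return -1;
    }
    memcpy(map, "HELLO", 5);               /* the write under test */
    int view_changed = memcmp(map, "HELLO", 5) == 0;   /* always true: our own view */
    munmap(map, sizeof kOriginal);

    /* Re-read the file through the ordinary read path (same page cache). */
    char back[sizeof kOriginal];
    int file_changed = -1;
    if (lseek(fd, 0, SEEK_SET) == 0 &&
        read(fd, back, sizeof back) == (ssize_t)sizeof back)
        file_changed = memcmp(back, kOriginal, sizeof kOriginal) != 0;
    close(fd);

    if (!view_changed || file_changed < 0) return -1;
    return file_changed;
}

int main(void) {
    printf("MAP_PRIVATE write reached file: %d (COW kept the file intact)\n",
           mapping_write_reaches_file(MAP_PRIVATE));
    printf("MAP_SHARED  write reached file: %d (no COW: writer holds write access)\n",
           mapping_write_reaches_file(MAP_SHARED));
    return 0;
}
```

The MAP_PRIVATE case returns 0 and the MAP_SHARED case returns 1. The point for the vulnerability is that the kernel's decryption path ended up behaving like the second case on pages the unprivileged caller had only read access to.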
DirtyDecrypt is part of an emerging family of Linux kernel privilege escalation vulnerabilities sharing the same class of flaw: subtle weaknesses in memory management and the page cache. Its close relatives are Dirty Frag (CVE-2026-43284 / CVE-2026-43500), Fragnesia (CVE-2026-46300), and CopyFail, all capable of granting root access on vulnerable systems.
Context of the affected subsystem: RxGK is a security class for the RxRPC network protocol, used primarily by the Andrew File System (AFS) and OpenAFS. It relies on the GSSAPI framework to provide authentication, confidentiality, and integrity. Its presence in the kernel is conditional: it is only active if the system was compiled with CONFIG_RXGK.
How Does It Work?
The Root Flaw: Inverted Length Validation
The precise technical cause was documented in the CVE record and in Moselwal Digitalagentur’s analysis. The rxgk_verify_response() function decodes the auth_len field from an incoming network packet and should verify that this value does not exceed the size of the remaining payload. However, the comparison was inverted, causing oversized RESPONSE authenticators to be accepted and passed directly to rxgk_decrypt_skb().
# Call stack in the vulnerable kernel (extracted from the CVE-2026-31635 record):
RIP: __skb_to_sgvec() [net/core/skbuff.c:5285]
skb_to_sgvec() [net/core/skbuff.c:5305]
rxgk_decrypt_skb() [net/rxrpc/rxgk_common.h:81]
rxgk_verify_response() [net/rxrpc/rxgk.c:1268]
rxrpc_process_connection()
process_one_work()
worker_thread()
kthread()
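To make the "inverted comparison" concrete, here is an added illustration, not the kernel's code and not the V12 or Zellic PoC. The packet layout is an assumption for the sake of the example (a 32-bit big-endian auth_len followed by the authenticator bytes, XDR style; the real RESPONSE structure is not reproduced here). The two check functions differ only in the direction of one comparison: the inverted form rejects legitimate shorter authenticators and accepts the oversized ones that should have been dropped, which is exactly the kind of defect a unit test over a constructed oversized body catches.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { REJECT = 0, ACCEPT = 1 };

/* Assumed encoding for this example: XDR-style 32-bit big-endian length. */
static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the bounds test is written backwards, so an
 * authenticator longer than the remaining payload passes. */
int check_auth_len_inverted(const uint8_t *body, size_t body_len) {
    if (body_len < 4) return REJECT;
    uint32_t auth_len = read_be32(body);
    size_t remaining = body_len - 4;
    if (auth_len < remaining)   /* inverted: meant to catch auth_len > remaining */
        return REJECT;
    return ACCEPT;
}

/* Corrected pattern: reject when the declared length exceeds what is left. */
int check_auth_len_fixed(const uint8_t *body, size_t body_len) {
    if (body_len < 4) return REJECT;
    uint32_t auth_len = read_be32(body);
    size_t remaining = body_len - 4;
    if (auth_len > remaining)
        return REJECT;
    return ACCEPT;
}

/* Builds a constructed body: declared auth_len plus payload_len filler bytes.
 * Returns the total length, or 0 if it does not fit in the buffer. */
size_t build_body(uint8_t *buf, size_t cap, uint32_t auth_len, size_t payload_len) {
    if (cap < 4 + payload_len) return 0;
    buf[0] = (uint8_t)(auth_len >> 24);
    buf[1] = (uint8_t)(auth_len >> 16);
    buf[2] = (uint8_t)(auth_len >> 8);
    buf[3] = (uint8_t)auth_len;
    memset(buf + 4, 0xAA, payload_len);
    return 4 + payload_len;
}

/* Runs one check over a constructed body; returns its verdict,
 * or -1 if the body could not be built. */
int run_case(uint32_t auth_len, size_t payload_len,
             int (*check)(const uint8_t *, size_t)) {
    uint8_t buf[256];
    size_t n = build_body(buf, sizeof buf, auth_len, payload_len);
    if (n == 0) return -1;
    return check(buf, n);
}

int main(void) {
    printf("exact     (auth_len=16,    payload=16): inverted=%d fixed=%d\n",
           run_case(16, 16, check_auth_len_inverted), run_case(16, 16, check_auth_len_fixed));
    printf("oversized (auth_len=65536, payload=16): inverted=%d fixed=%d\n",
           run_case(65536, 16, check_auth_len_inverted), run_case(65536, 16, check_auth_len_fixed));
    printf("shorter   (auth_len=8,     payload=16): inverted=%d fixed=%d\n",
           run_case(8, 16, check_auth_len_inverted), run_case(8, 16, check_auth_len_fixed));
    return 0;
}
```

The oversized case is the one that matters here: the inverted check returns ACCEPT for a declared length far beyond the bytes actually present, which is what lets the length reach the decryption routine and drive skb_to_sgvec() past the socket buffer, as the call stack above shows.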
Exploitation Flow
The PoC published by V12 follows this flow to achieve privilege escalation:
- Environment preparation: The attacker, with unprivileged local access, verifies that the system has CONFIG_RXGK compiled and active.
- Malicious packet construction: An RxRPC packet is crafted with an oversized auth_len field that exceeds the boundaries of the legitimate buffer.
- COW guard bypass: By passing the inverted validation in rxgk_verify_response(), the packet reaches rxgk_decrypt_skb() without the necessary integrity checks.
- Out-of-bounds write to the page cache: The decryption function operates on the socket buffer (sk_buff) with an impossible length, allowing attacker-controlled data to be written into privileged memory pages.
- Escalation to root: Depending on the exploitation path, the attacker can overwrite a SUID binary (such as /usr/bin/sudo), modify /etc/sudoers to add unrestricted permissions, or directly corrupt the memory of a privileged process, obtaining a shell with UID 0.
Exploitation Condition in Container Environments
On container platforms (Kubernetes, Docker), exploitation is especially severe: if a worker node runs a vulnerable distribution, an attacker who has compromised a pod could use DirtyDecrypt as a container escape primitive, compromising the entire underlying node.
Affected Systems
Exploitation of DirtyDecrypt requires the kernel to have been compiled with the CONFIG_RXGK option enabled. Distributions confirmed as vulnerable (on kernel versions prior to the April 25, 2026 patch) include:
| Distribution | Status | Notes |
|---|---|---|
| Fedora (recent versions) | Vulnerable (unpatched) | CONFIG_RXGK enabled by default |
| Arch Linux | Vulnerable (unpatched) | Rolling release kernel |
| openSUSE Tumbleweed | Vulnerable (unpatched) | Rolling distribution |
| Debian / Ubuntu | Generally not affected | CONFIG_RXGK not enabled by default |
| Red Hat Enterprise Linux / CentOS | Verify configuration | Depends on kernel build |
| Custom kernels | Verify configuration | Any kernel with CONFIG_RXGK=y is potentially vulnerable |
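Because the table's "Verify configuration" rows depend on how a given kernel was built, the first triage step on any host is to read CONFIG_RXGK out of the running kernel's configuration. The following is an added helper, not from the article or any distribution's tooling: it parses a kernel .config (by default /boot/config-<release>, using uname(2); on kernels that expose /proc/config.gz, decompress it to a file first) and classifies the option as built in (=y), built as a module (=m), or not set. Either of the first two means the host should be treated as in scope for this CVE until the fixed kernel package is confirmed installed.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>

/* Result codes for the CONFIG_RXGK lookup. */
enum rxgk_state { RXGK_UNKNOWN = -1, RXGK_ABSENT = 0, RXGK_BUILTIN = 1, RXGK_MODULE = 2 };

/* Classifies one line of a kernel .config. Returns RXGK_UNKNOWN for lines
 * that say nothing about CONFIG_RXGK (including CONFIG_RXGK_* siblings). */
int rxgk_state_from_line(const char *line) {
    static const char key[] = "CONFIG_RXGK=";
    static const char unset[] = "# CONFIG_RXGK is not set";
    if (strncmp(line, unset, sizeof unset - 1) == 0) return RXGK_ABSENT;
    if (strncmp(line, key, sizeof key - 1) == 0) {
        switch (line[sizeof key - 1]) {
        case 'y': return RXGK_BUILTIN;
        case 'm': return RXGK_MODULE;
        default:  return RXGK_UNKNOWN;
        }
    }
    return RXGK_UNKNOWN;
}

/* Scans a whole config text held in memory. An option that no line
 * mentions is reported as absent, as Kconfig semantics dictate. */
int rxgk_state_from_text(const char *text) {
    char line[512];
    while (*text) {
        size_t full = strcspn(text, "\n");
        size_t n = full < sizeof line ? full : sizeof line - 1;  /* truncate, but skip the whole line */
        memcpy(line, text, n);
        line[n] = '\0';
        int s = rxgk_state_from_line(line);
        if (s != RXGK_UNKNOWN) return s;
        text += full;
        if (*text == '\n') text++;
    }
    return RXGK_ABSENT;
}

/* Reads a config file line by line. RXGK_UNKNOWN if it cannot be opened. */
int rxgk_state_from_file(const char *path) {
    FILE *f = fopen(path, "r");
    if (!f) return RXGK_UNKNOWN;
    char line[512];
    int state = RXGK_ABSENT;
    while (fgets(line, sizeof line, f)) {
        int s = rxgk_state_from_line(line);
        if (s != RXGK_UNKNOWN) { state = s; break; }
    }
    fclose(f);
    return state;
}

int main(int argc, char **argv) {
    char path[256];
    if (argc > 1) {
        snprintf(path, sizeof path, "%s", argv[1]);
    } else {
        struct utsname u;
        if (uname(&u) != 0) { perror("uname"); return 2; }
        snprintf(path, sizeof path, "/boot/config-%s", u.release);
    }
    switch (rxgk_state_from_file(path)) {
    case RXGK_BUILTIN: printf("%s: CONFIG_RXGK=y, host in scope for CVE-2026-31635 until patched\n", path); return 1;
    case RXGK_MODULE:  printf("%s: CONFIG_RXGK=m, host in scope for CVE-2026-31635 until patched\n", path); return 1;
    case RXGK_ABSENT:  printf("%s: CONFIG_RXGK not set, rxgk code not present in this kernel\n", path); return 0;
    default:           printf("%s: could not read kernel config\n", path); return 2;
    }
}
```

The exit status (1 when in scope, 0 when not, 2 when undetermined) is chosen so the program drops into a fleet-wide inventory script unchanged; a non-zero result on a host that the table lists as "Generally not affected" is worth a second look, since custom or backported kernels do not follow the distribution defaults.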
Recap
The publication of the exploit for DirtyDecrypt (CVE-2026-31635) is a stark reminder that proactive patch management is not an optional practice, but a fundamental pillar of the security posture in Linux environments and production servers. The gap between patch availability (April 25, 2026) and PoC publication (May 2026) represents a critical risk window that security operations teams must strive to close as quickly as possible.
DirtyDecrypt’s membership in an active family of kernel LPEs (Dirty Frag, Fragnesia, CopyFail, Pack2TheRoot) suggests we are in a period of intense research and disclosure of memory management vulnerabilities in the Linux kernel. This demands that security teams adopt a continuous vulnerability management approach, including constant inventorying of kernel configurations, automated update application, and active monitoring of indicators of compromise.
When exploit code is public, the question is no longer if attackers will use it, but when. The speed of patch response is the most important differentiator between a resilient organization and a compromised one.
References
The Hacker News. (2026, May 19). DirtyDecrypt PoC released for Linux kernel CVE-2026-31635 LPE vulnerability. https://thehackernews.com/2026/05/dirtydecrypt-poc-released-for-linux.html
Goodin, D. (2026, May 19). Exploit available for new DirtyDecrypt Linux root escalation flaw. BleepingComputer. https://www.bleepingcomputer.com/news/security/exploit-available-for-new-dirtydecrypt-linux-root-escalation-flaw/
Kovacs, E. (2026, May 19). PoC released for DirtyDecrypt Linux kernel vulnerability. SecurityWeek. https://www.securityweek.com/poc-released-for-dirtydecrypt-linux-kernel-vulnerability/
Moselwal Digitalagentur. (2026, May 16). DirtyDecrypt — Linux kernel LPE (CVE-2026-31635). https://moselwal.com/blog/dirtydecrypt-linux-kernel-rxgk-cve-2026-31635
THREATINT. (2026). CVE-2026-31635 — rxrpc: fix oversized RESPONSE authenticator length check. https://cve.threatint.eu/CVE/CVE-2026-31635