Full Report
Proof-of-concept (PoC) exploit code has now been released for a recently patched security flaw in the Linux kernel that could allow for local privilege escalation (LPE). Dubbed DirtyDecrypt (aka DirtyCBC), the vulnerability was discovered and reported by the Zellic and V12 security team on May 9, 2026, only to be informed by the maintainers that it was a duplicate of a vulnerability that had
Analysis Summary
# Vulnerability: DirtyDecrypt Local Privilege Escalation in Linux Kernel
## CVE Details
- **CVE ID:** CVE-2026-31635
- **CVSS Score:** 7.5 (High)
- **CWE:** CWE-123 (Write-what-where condition); the root cause is a missing copy-on-write (COW) guard
## Affected Systems
- **Products:** Linux Kernel
- **Versions:** Kernels that build the RxGK security class of the AF_RXRPC transport (the `rxgk` code, used by the in-kernel AFS client) and predate the mainline fix. Exposure depends on how the kernel was configured, so check the build configuration rather than relying on a version number.
- **Configurations:** Only kernels built with `CONFIG_RXGK` enabled are exposed. Distributions known to ship such kernels include:
- Fedora
- Arch Linux
- openSUSE Tumbleweed
- Also at risk: container worker nodes running a vulnerable kernel, where a compromised pod could use the flaw to escape to the host.
## Vulnerability Description
The vulnerability, known as **DirtyDecrypt** (or DirtyCBC), exists within the `rxgk_decrypt_skb()` function, which is responsible for decrypting incoming socket buffers (`sk_buff`) on the receive side.
The flaw stems from a missing copy-on-write (COW) guard. COW is how Linux lets several processes share one physical page until somebody writes to it: a write to a private mapping is diverted to a fresh private copy, whereas file-backed pages in the page cache are shared by every process that reads the file. Kernel code must therefore never write into a page it does not privately own. `rxgk_decrypt_skb()` decrypts in place, and because it lacks this guard the plaintext can land directly in a shared page instead of a private copy. The attacker supplies the ciphertext, so the bytes written are attacker-controlled; that is what turns the bug into a write-what-where primitive able to overwrite the cached contents of privileged files (such as `/etc/shadow` or SUID binaries) or memory belonging to privileged processes. Note that overwriting a page-cache page changes what every reader of the file sees, but does not by itself write the change back to disk.
## Exploitation
- **Status:** PoC available (released by Zellic and V12 security teams).
- **Complexity:** Medium (requires specific kernel configuration).
- **Attack Vector:** Local.
## Impact
- **Confidentiality:** High (Ability to read/modify sensitive files like `/etc/shadow`).
- **Integrity:** High (Ability to modify system binaries or configuration files).
- **Availability:** High (corrupting pages the kernel and other processes share can crash or destabilize the host, and full administrative control follows from the integrity loss).
## Remediation
### Patches
- The vulnerability was identified as a duplicate of a flaw already addressed in the **Linux kernel mainline**. Users should update to the latest stable kernel version provided by their distribution (e.g., updated versions of Fedora, Arch, or openSUSE).
### Workarounds
- Disable `CONFIG_RXGK` if RxGK is not required. It is a build-time option, so this means installing a kernel built without it. On kernels where AF_RXRPC is modular and the in-kernel AFS client is not in use, preventing the `rxrpc` module from loading (via a modprobe.d `install` rule, because an unprivileged socket() call can trigger on-demand loading) closes the same code path until a patched kernel is installed.
- Restrict local user access on high-risk multi-user systems until patches are applied.
## Detection
- **Indicators of Compromise:** Unexpected modifications to system files like `/etc/passwd`, `/etc/shadow`, or `/etc/sudoers`. A page-cache overwrite leaves the inode's mtime and ctime untouched and may never reach disk, so compare the content currently served from the cache against the on-disk copy (for example after dropping the clean page cache) rather than trusting timestamps.
- **Detection methods and tools:**
- Monitor for unusual local privilege elevation events.
- Use integrity monitoring tools (e.g., AIDE, Tripwire) to detect unauthorized changes to read-only system files or SUID binaries. Hash-based checks read through the page cache and therefore do catch a cached overwrite while the tampered page is resident; timestamp-only checks do not.
- Check the kernel configuration to determine whether the system is potentially vulnerable. `zcat /proc/config.gz | grep CONFIG_RXGK` works only when the kernel was built with `CONFIG_IKCONFIG_PROC`; most distributions ship the configuration as `/boot/config-$(uname -r)` instead, so `grep -E 'CONFIG_(AF_RXRPC|RXGK)' /boot/config-$(uname -r)` is the portable check. `CONFIG_RXGK=y` together with `CONFIG_AF_RXRPC=m` means the code is present but only reachable once the `rxrpc` module is loaded.
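The following audit script is an added example covering both the configuration check above and the module-blocking workaround; it is not code from the advisory, the kernel project, or the researchers. It assumes that `CONFIG_RXGK` is a build-time option compiled into the AF_RXRPC code (so blocking the `rxrpc` module is what removes the reachable path when AF_RXRPC is modular), that the distribution config lives at `/boot/config-$(uname -r)` when `/proc/config.gz` is absent, and that the names `rxgk_exposure`, `running_config`, `rxrpc_block_rule` and the file `no-rxrpc.conf` are this script's own choices.

```shell
#!/bin/sh
# Added example, not from the advisory or the kernel sources.
# Classifies a host's exposure to the rxgk decrypt path from its kernel
# config and, when rxrpc is modular, prints a modprobe.d rule that keeps
# the module from loading on demand.

# Print one of: absent | builtin | module, given a kernel .config file.
# Assumption: CONFIG_RXGK=y only exists under CONFIG_AF_RXRPC, so the
# AF_RXRPC setting decides whether the code is built in or in rxrpc.ko.
rxgk_exposure() {
    cfg="$1"
    grep -q '^CONFIG_RXGK=y' "$cfg" || { echo absent; return 0; }
    case "$(sed -n 's/^CONFIG_AF_RXRPC=//p' "$cfg")" in
        y) echo builtin ;;
        m) echo module ;;
        *) echo absent ;;   # RXGK without AF_RXRPC: nothing reachable
    esac
}

# Emit the running kernel's config. /proc/config.gz exists only with
# CONFIG_IKCONFIG_PROC; most distributions ship /boot/config-<release>.
running_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# modprobe.d lines that stop rxrpc from loading. 'blacklist' alone only
# suppresses alias-based autoload at boot; the 'install' rule also defeats
# the request_module() call made when a process opens an AF_RXRPC socket.
rxrpc_block_rule() {
    printf 'blacklist rxrpc\ninstall rxrpc /bin/false\n'
}

main() {
    tmp="${TMPDIR:-/tmp}/kconfig.$$"
    running_config > "$tmp" || { echo "cannot locate kernel config"; exit 2; }
    state=$(rxgk_exposure "$tmp")
    rm -f "$tmp"
    echo "CONFIG_RXGK exposure: $state"
    case "$state" in
        module)
            if command -v lsmod >/dev/null && lsmod | grep -q '^rxrpc '; then
                echo "rxrpc is currently loaded; unload with: rmmod rxrpc"
            fi
            echo "suggested /etc/modprobe.d/no-rxrpc.conf:"
            rxrpc_block_rule ;;
        builtin)
            echo "rxgk is built into this kernel; only a patched kernel removes it" ;;
        absent)
            echo "rxgk is not built; this host is not exposed via this path" ;;
    esac
}

# Run the audit only when invoked as a script named rxgk_audit.sh, so the
# functions can also be sourced and called individually.
case "$0" in *rxgk_audit.sh) main "$@" ;; esac
```

Save the block as `rxgk_audit.sh` and run it as root on each candidate host; apply the printed rule only where the in-kernel AFS client is not needed, since it depends on `rxrpc`.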
## References
- [hXXps://nvd.nist.gov/vuln/detail/CVE-2026-31635]
- [hXXps://thehackernews.com/2026/05/dirtydecrypt-poc-released-for-linux.html]
- [hXXps://github[.]com/v12-security/pocs/tree/main/dirtydecrypt]
- [hXXps://moselwal[.]com/blog/dirtydecrypt-linux-kernel-rxgk-cve-2026-31635]