Full Report
A recently patched local privilege escalation vulnerability in the Linux kernel's rxgk module now has a proof-of-concept exploit that allows attackers to gain root access on some Linux systems. [...]
Analysis Summary
# Vulnerability: "DirtyDecrypt" Linux Kernel Local Privilege Escalation
## CVE Details
- **CVE ID:** CVE-2026-31635
- **CVSS Score:** Not explicitly listed in text (Historically, similar LPE vulnerabilities in this class range from 7.0 to 7.8)
- **CWE:** CWE-362 (Race Condition) or CWE-403 (Exposure of Sensitive Information to an Unauthorized Actor) via missing COW (Copy-On-Write) protection.
## Affected Systems
- **Products:** Linux Kernel
- **Versions:** Kernels prior to the April 25, 2026 patch.
- **Configurations:** Systems must have the `CONFIG_RXGK` configuration option enabled. This enables RxGK security support for the Andrew File System (AFS) client.
## Vulnerability Description
DirtyDecrypt (also referred to as DirtyCBC) is a local privilege escalation flaw residing in the Linux kernel's `rxgk` module. The vulnerability is caused by a missing Copy-On-Write (COW) guard in the `rxgk_decrypt_skb` function. This flaw allows a local attacker to perform unauthorized writes to the page cache. By manipulating the memory used by the `rxgk` module during decryption, an attacker can escalate privileges from a standard user to root.
## Exploitation
- **Status:** PoC available (Developed by V12 security team; verified on Fedora and mainline kernels).
- **Complexity:** Medium (Requires specific kernel configurations).
- **Attack Vector:** Local (Attacker must already have local access to the system).
## Impact
- **Confidentiality:** High (Full access to system files via root escalation).
- **Integrity:** High (Ability to modify any file on the system).
- **Availability:** High (Ability to crash the system or delete critical data).
## Remediation
### Patches
- **Mainline Kernel:** Patched on April 25, 2026.
- **Distributions:** Users of Fedora, Arch Linux, and openSUSE Tumbleweed should update to the latest available kernel provided by their package managers immediately.
### Workarounds
If patching is not immediate, users can disable the vulnerable modules. **Note:** This will break IPsec VPNs and AFS network file systems.
Run the following command as root:

```bash
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"
```
## Detection
- **Indicators of Compromise:** Presence of the `poc.c` exploit code or its compiled binaries in temporary directories (e.g., `/tmp`, `/dev/shm`). Unexpected elevation of privileges by local users.
- **Detection Methods:**
  - Check for enabled config: `grep CONFIG_RXGK /boot/config-$(uname -r)`
  - Monitor for manual `rxrpc` module loading or unusual page cache modification activity.
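A defender-side exposure check that combines the config grep above with the module state and the modprobe override written by the workaround. This is an added example, not part of the original report or the V12 PoC; the input paths (kernel config in `/boot/config-<release>` format, a `/proc/modules`-style list, `/etc/modprobe.d/dirtyfrag.conf`) and the status labels are assumptions, and the script does not know whether the running kernel already carries the April 25, 2026 patch.

```shell
#!/bin/sh
# Added example: classify a host's exposure to the rxgk flaw from three inputs.
# "exposed-*" means the rxgk code path is reachable on an UNPATCHED kernel; the
# script does not check the patch level itself (assumed inputs, see lead-in).

# rxgk_enabled CONFIG_FILE: true if the kernel was built with RxGK support (=y or =m)
rxgk_enabled() {
    grep -Eq '^CONFIG_RXGK=(y|m)$' "$1" 2>/dev/null
}

# rxrpc_builtin CONFIG_FILE: true if AF_RXRPC is compiled in, so rmmod/modprobe
# overrides cannot remove it and only a kernel update helps
rxrpc_builtin() {
    grep -q '^CONFIG_AF_RXRPC=y$' "$1" 2>/dev/null
}

# rxrpc_loaded MODULES_FILE: true if the rxrpc module is currently loaded
# (/proc/modules lines start with "<name> <size> ...")
rxrpc_loaded() {
    grep -q '^rxrpc ' "$1" 2>/dev/null
}

# workaround_present MODPROBE_CONF: true if the install override blocks rxrpc autoloading
workaround_present() {
    grep -q '^install rxrpc /bin/false' "$1" 2>/dev/null
}

# exposure_status CONFIG MODULES MODPROBE_CONF: print one status word
exposure_status() {
    cfg="$1"; mods="$2"; conf="$3"
    if ! rxgk_enabled "$cfg"; then
        echo "rxgk-disabled"        # CONFIG_RXGK off: vulnerable code not built
    elif rxrpc_builtin "$cfg"; then
        echo "exposed-builtin"      # rxrpc compiled in: cannot be unloaded
    elif rxrpc_loaded "$mods"; then
        echo "exposed-loaded"       # module active now: rmmod + override needed
    elif workaround_present "$conf"; then
        echo "mitigated"            # not loaded and cannot be autoloaded
    else
        echo "exposed-loadable"     # not loaded, but any AFS/rxrpc use would load it
    fi
}

# Run against the live system with "--live"; the functions are also usable alone.
if [ "${1:-}" = "--live" ]; then
    exposure_status "/boot/config-$(uname -r)" /proc/modules /etc/modprobe.d/dirtyfrag.conf
fi
```

Run it as `sh check-rxgk.sh --live` on each host; anything other than `rxgk-disabled` or `mitigated` on a pre-patch kernel should be queued for the kernel update.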
## References
- **NVD Entry:** [https://nvd.nist.gov/vuln/detail/CVE-2026-31635] (Defanged: hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2026-31635)
- **V12 PoC Repository:** [https://github.com/v12-security/pocs/tree/main/dirtydecrypt] (Defanged: hxxps[://]github[.]com/v12-security/pocs/tree/main/dirtydecrypt)
- **Kernel Configuration Reference:** [https://www.kernelconfig.io/CONFIG_RXGK] (Defanged: hxxps[://]www[.]kernelconfig[.]io/CONFIG_RXGK)