Exploit available for new DirtyDecrypt Linux root escalation flaw

Summary

A local privilege escalation vulnerability in the Linux kernel's rxgk module, named DirtyDecrypt (also known as DirtyCBC), now has a publicly available proof-of-concept exploit allowing attackers to gain root access. The flaw was patched in the mainline kernel (CVE-2026-31635) but affects Linux distributions with CONFIG_RXGK enabled, including Fedora, Arch Linux, and openSUSE Tumbleweed. Mitigation involves kernel updates or disabling affected modules, though the latter breaks IPsec VPNs and AFS.

Full text

Exploit available for new DirtyDecrypt Linux root escalation flaw By Sergiu Gatlan May 18, 2026 03:18 AM 0 A recently patched local privilege escalation vulnerability in the Linux kernel's rxgk module now has a proof-of-concept exploit that allows attackers to gain root access on some Linux systems. Named DirtyDecrypt and also known as DirtyCBC, this security flaw was also autonomously found and reported by Delphos Labs and the V12 security team earlier this month, but maintainers informed V12 that it was a duplicate that had already been patched in the mainline. "We found and reported this on May 9, 2026, but was informed it was a duplicate by the maintainers," V12 said. "It's a rxgk pagecache write due to missing COW guard in rxgk_decrypt_skb. See poc.c for more details." A detailed technical write-up on DirtyCBC was shared by Delphos Labs' senior security researcher, Kamil Leoniak, on Friday. While there is no official CVE ID associated with this security flaw, according to Will Dormann (principal vulnerability analyst at Tharros), the information from the security researchers aligns with the details of CVE-2026-31635, which was patched on April 25. Successful exploitation requires running a Linux kernel with the CONFIG_RXGK configuration option, which enables RxGK security support for the Andrew File System (AFS) client and network transport. This limits the attack surface to Linux distributions that closely follow the latest upstream kernel releases, including Fedora, Arch Linux, and openSUSE Tumbleweed. However, V12's proof-of-concept exploit has only been tested against Fedora and the mainline Linux kernel. DirtyDecrypt exploit Fedora test (Will Dormann) DirtyDecrypt/DirtyCBC belongs to the same vulnerability class as several other root-escalation flaws disclosed in recent weeks, including Dirty Frag, Fragnesia, and Copy Fail. Linux users on distros potentially affected by this security flaw are advised to install the latest kernel updates as soon as possible. However, those who can't immediately patch their devices should use the same mitigation used for Dirty Frag (however, this will also break IPsec VPNs and AFS distributed network file systems): sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true" These disclosures follow recent reports that attackers are now actively exploiting the Copy Fail vulnerability in the wild. The Cybersecurity and Infrastructure Security Agency (CISA) added Copy Fail to its list of flaws exploited in attacks on May 1 and ordered federal agencies to secure their Linux devices within two weeks, by May 15. "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," the U.S. cybersecurity agency warned. In April, Linux distros rolled out patches for another root-privilege escalation vulnerability (dubbed Pack2TheRoot) in the PackageKit daemon that had gone unnoticed for almost 12 years. Update: Added a link to Delphos Labs' DirtyCBC write-up. The Validation Gap: Automated Pentesting Answers One Question. You Need Six. Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.This guide covers the 6 surfaces you actually need to validate. Download Now Related Articles: New Linux 'Dirty Frag' zero-day gives root on all major distrosExploit released for new PinTheft Arch Linux root escalation flawNew Fragnesia Linux flaw lets attackers gain root privilegesRecently leaked Windows zero-days now exploited in attacksCISA says ‘Copy Fail’ flaw now exploited to root Linux systems

Indicators of Compromise

• cve — CVE-2026-31635
• malware — DirtyDecrypt
• malware — DirtyCBC

Entities