DirtyDecrypt: PoC Released for Linux Kernel Privilege Escalation Flaw
Proof-of-concept (PoC) exploit code has been released for "DirtyDecrypt" (also known as DirtyCBC), a Linux kernel vulnerability that allows local privilege escalation to root. The release marks the latest in a series of copy-on-write (COW) bypass vulnerabilities affecting the Linux kernel's memory management subsystem.
The Vulnerability
Discovered by the V12 security team, DirtyDecrypt stems from a missing COW guard in rxgk_decrypt_skb, part of the kernel's RxGK code. RxGK is a security class for the RxRPC network protocol used by the Andrew File System (AFS) and OpenAFS; it provides authentication, confidentiality, and integrity protection for RxRPC traffic.
Because that guard is missing, an oversized response authenticator is accepted and its decrypted contents are written into pages that should have been copied first rather than modified in place. The result is that attacker-controlled data can land in the memory of privileged processes or in the page cache of privileged files such as SUID binaries. Either outcome is a local privilege-escalation primitive: a corrupted page-cache page is what later executions of that SUID binary run from.
Affected Systems
The vulnerability only affects kernels built with CONFIG_RXGK compiled in and enabled. Distributions shipping such kernels include:
- Arch Linux
- Fedora
- openSUSE
In container platforms the exposure is broader than a single host: an attacker who obtains code execution inside a pod on a worker node running a vulnerable kernel can use the flaw to gain root on that node, escaping the pod. Every worker node running an affected distribution is therefore a potential escape path, which makes this a critical concern for Kubernetes and similar orchestration environments.
Connection to CVE-2026-31635
While the V12 team has not assigned a specific CVE identifier, Tharros Labs senior principal vulnerability analyst Will Dormann has linked the underlying issue to CVE-2026-31635 (CVSS 7.5), which was disclosed and patched on April 24, 2026, for mainline Linux builds.
Part of a Broader Pattern
DirtyDecrypt is a variant of several recently identified Linux kernel bugs that grant root access:
- Fragnesia (CVE-2026-46300): affects the XFRM ESP-in-TCP subsystem; disclosed last week.
- Dirty Frag (CVE-2026-43284/43500): chains two flaws in the xfrm-ESP and RxRPC components; actively exploited in the wild.
- CopyFail: disclosed in late April; enables modification of in-memory setuid-root binaries. Exploitation began shortly after disclosure.
Remediation
Patches were rolled out in April 2026. Administrators of affected distributions must:
- Update immediately to the latest kernel version
- Verify CONFIG_RXGK status on all systems
- Monitor for exploitation attempts, especially on container worker nodes
- Consider disabling RxGK if AFS/OpenAFS is not in use
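The script below is an added example written for this page, not code from the V12 team, Tharros Labs, or any distribution. It performs the second and fourth steps above: it reads the running kernel's configuration for CONFIG_RXGK, checks whether the RxRPC stack is currently loaded, and prints modprobe.d lines that keep it from loading on hosts that do not use AFS. It goes one step beyond the advisory by also reading CONFIG_AF_RXRPC, because a blacklist only helps when rxrpc is a loadable module; a kernel with RxRPC built in (=y) can only be fixed by updating. Assumed, and not stated on the page: the config lives at /boot/config-$(uname -r) or /proc/config.gz, and the relevant modules are named rxrpc and kafs. The sample config and module files are constructed inline so the helpers can be exercised offline without root.

```sh
#!/bin/sh
# Added example for this page (not from the advisory or any vendor).
# Assumptions: config at /boot/config-$(uname -r) or /proc/config.gz;
# module names rxrpc and kafs; RxGK is only reachable through rxrpc.

# config_value FILE SYMBOL: print y, m or n for SYMBOL in a kernel config.
# Handles plain /boot/config-* files and the gzip'd /proc/config.gz.
config_value() {
    case $1 in *.gz) reader=zcat ;; *) reader=cat ;; esac
    val=$("$reader" "$1" 2>/dev/null | sed -n "s/^$2=//p" | head -n 1)
    case $val in
        y|m) printf '%s\n' "$val" ;;
        *)   printf 'n\n' ;;        # absent, or "# SYMBOL is not set"
    esac
}

# running_config: print the path of the running kernel's config, if readable.
running_config() {
    for f in "/boot/config-$(uname -r)" /proc/config.gz; do
        if [ -r "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# rxrpc_loaded [MODULES_FILE]: succeed if rxrpc or kafs is resident.
# Reads /proc/modules by default; a file argument allows offline testing.
rxrpc_loaded() {
    grep -Eq '^(rxrpc|kafs) ' "${1:-/proc/modules}" 2>/dev/null
}

# verdict RXGK AF_RXRPC LOADED(yes|no): one-word summary for the report.
#   not-affected : kernel built without RxGK
#   exposed      : RxGK present and RxRPC is built in or currently loaded
#   dormant      : RxGK present but rxrpc is an unloaded module; a blacklist
#                  keeps it out until the kernel update is applied
verdict() {
    if   [ "$1" = n ];   then echo not-affected
    elif [ "$2" = y ];   then echo exposed
    elif [ "$3" = yes ]; then echo exposed
    else                      echo dormant
    fi
}

# blacklist_snippet: modprobe.d lines for hosts that do not use AFS.
blacklist_snippet() {
    printf 'install rxrpc /bin/false\ninstall kafs /bin/false\n'
}

# Constructed sample inputs (not captured from a real host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'CONFIG_AF_RXRPC=m\nCONFIG_RXGK=y\n' > "$tmp/config-vulnerable"
printf 'CONFIG_AF_RXRPC=m\n# CONFIG_RXGK is not set\n' > "$tmp/config-safe"
printf 'kafs 245760 0 - Live 0x0000000000000000\n' > "$tmp/modules"
printf 'rxrpc 196608 1 kafs, Live 0x0000000000000000\n' >> "$tmp/modules"

# Report for the host this script runs on (skipped if no config is readable).
if cfg=$(running_config); then
    rxgk=$(config_value "$cfg" CONFIG_RXGK)
    afrx=$(config_value "$cfg" CONFIG_AF_RXRPC)
    if rxrpc_loaded; then loaded=yes; else loaded=no; fi
    v=$(verdict "$rxgk" "$afrx" "$loaded")
    echo "$(uname -r): CONFIG_RXGK=$rxgk CONFIG_AF_RXRPC=$afrx rxrpc_loaded=$loaded -> $v"
    if [ "$v" = dormant ]; then blacklist_snippet; fi
fi
```

Run it on each node as an unprivileged user; /boot/config-* and /proc/modules are world-readable on most distributions. A "dormant" verdict is the only case where the printed blacklist lines are worth installing under /etc/modprobe.d; "exposed" hosts need the kernel update regardless, and a blacklist there would only give false comfort.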
Reflection
The release of PoC code for DirtyDecrypt—following closely on the heels of Dirty Frag, CopyFail, and Fragnesia—signals a troubling trend: the Linux kernel's memory management subsystem is under intense scrutiny from attackers, and the window between disclosure and exploitation is shrinking.
For enterprises running containerized workloads on affected distributions, the risk is compounded. A single vulnerable worker node can become the beachhead for a full cluster compromise. The lesson is clear: kernel patches must be applied with urgency, and configurations that enable unnecessary subsystems (like RxGK) should be audited and disabled where possible.