Skip to main content
CybersecurityVulnerability Management

DirtyDecrypt Flaw Exposes Linux Systems to Root Access Risk

Dimly lit server room with equipment and one glowing server screen.

"We found and reported this on May 9, 2026, but was informed it was a duplicate by the maintainers," V12 said. That terse admission captures an unfolding risk: a recently patched Linux kernel flaw in the rxgk module — now being called DirtyDecrypt or DirtyCBC — has a public proof-of-concept exploit that can yield root on some systems.

What the bug is and how it behaves

V12's disclosure describes "a rxgk pagecache write due to missing COW guard in rxgk_decrypt_skb." The team published a proof-of-concept (poc.c) that demonstrates how the missing copy-on-write (COW) guard can be abused to alter kernel memory and elevate privileges to root. While there is no official CVE in the disclosure, Will Dormann, principal vulnerability analyst at Tharros, has said the researchers' details align with CVE-2026-31635, which was patched on April 25.

Which systems are actually at risk

Successful exploitation requires a Linux kernel built with the CONFIG_RXGK configuration option enabled. That option activates RxGK security support for the Andrew File System (AFS) client and the associated network transport. In practical terms, the attack surface is narrow: it primarily affects distributions that track recent upstream kernel releases, and V12's proof-of-concept has been tested against Fedora and the mainline Linux kernel.

Patch, mitigations, and trade-offs

Linux users on distributions potentially affected by DirtyDecrypt are advised to install the latest kernel updates as soon as possible. For organizations or devices that cannot immediately patch, the source provides a mitigation previously used for Dirty Frag; it disables three kernel modules but carries functional impact:

sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"

The source explicitly warns that this mitigation will also break IPsec VPNs and AFS distributed network file systems. In short: the workaround reduces immediate risk but removes functionality that some networks depend on.

Connections to other recent Linux LPEs and federal action

DirtyDecrypt joins a cluster of recent local privilege-escalation (LPE) disclosures including Dirty Frag, Fragnesia, Copy Fail, and Pack2TheRoot. The article notes that attackers are now actively exploiting the Copy Fail vulnerability in the wild. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Copy Fail to its list of flaws exploited in attacks on May 1 and ordered federal agencies to secure their Linux devices within two weeks, by May 15. As CISA put it: "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise."

What this means for Fedora, Arch Linux, openSUSE Tumbleweed, system administrators, and federal agencies

  • Fedora, Arch Linux, and openSUSE Tumbleweed: Because these distributions closely follow upstream kernels, maintainers and users should prioritize kernel updates; V12 tested the proof-of-concept against Fedora and mainline.
  • System administrators and operators: If immediate patching is not possible, apply the provided mitigation while planning for service impacts — namely broken IPsec VPNs and AFS functionality — and schedule a kernel update at the earliest maintenance window.
  • Federal agencies: With Copy Fail already on CISA's exploited-list and subject to a May 15 directive, agencies will face the same operational urgency to inventory CONFIG_RXGK-enabled hosts and ensure kernel patches or mitigations are applied where appropriate.

DirtyDecrypt illustrates a recurring pattern: a narrowly scoped kernel configuration option can open a critical attack path when a low-level guard — here, a missing COW check — is absent. The availability of a public proof-of-concept, combined with recent active exploitation of related flaws such as Copy Fail, raises the operational imperative: verify whether your kernels have CONFIG_RXGK enabled, patch promptly, and weigh mitigation trade-offs where immediate patching is impossible.

Source: https://www.bleepingcomputer.com/news/security/exploit-available-for-new-dirtydecrypt-linux-root-escalation-flaw/