DirtyDecrypt Flaw Threatens Linux Servers as PoC Goes Public

DirtyDecrypt is the name of a major new flaw discovered in the Linux kernel. Like Dirty Frag and other recent exploits, this vulnerability allows local privilege escalation. Here's what you need to know.

DirtyDecrypt: a Copy-on-Write issue in the Linux kernel

The V12 Security team discovered and reported this vulnerability in the Linux kernel on May 9, 2026. Nicknamed DirtyDecrypt (and DirtyCBC), it is considered a variant of Copy Fail, Dirty Frag, and Fragnesia, further evidence that this run of kernel flaws has been going on for several weeks.

However, Linux kernel maintainers told the researchers that this vulnerability was a duplicate of another flaw recently patched in the mainline branch. As a result, it does not have a CVE reference. In fact, it appears to be CVE-2026-31635, a security flaw patched on April 25, 2026. This link between DirtyDecrypt and CVE-2026-31635 was confirmed by NIST, since the page associated with this vulnerability includes a link to V12's GitHub.

The GitHub repository in question also contains proof-of-concept exploit code (the poc.c file) for the DirtyDecrypt vulnerability, so the flaw is exploitable on Linux systems that have not been patched. This time, the good news is that a patch already exists.

The context is now clear. Let's take a closer look at the flaw itself.

This appears to be a memory cache management issue. More specifically, it is a write in the rxgk page cache made possible by the absence of copy-on-write protection in rxgk_decrypt_skb. Without this protection barrier, corrupted data can be written directly into the memory of privileged processes or, depending on the exploitation method, into the page cache of sensitive files (such as /etc/shadow, /etc/sudoers).

The result: an unprivileged local attacker can obtain root privileges.

DirtyDecrypt: not all distributions are affected

Unlike other recently discovered flaws, this one does not affect all Linux distributions. In fact, it only affects Linux distributions where the CONFIG_RXGK option is enabled. This is a component added to the Linux kernel in August 2025 that provides the RxGK security class based on GSSAPI for AFS (networking).

This is notably the case for several distributions that ship a kernel version in which this component is present. Examples include Fedora, Arch Linux, and openSUSE Tumbleweed, though this list is not exhaustive. By contrast, Ubuntu and Debian are not affected by this vulnerability.

You can verify this by running the following command on your machine:

grep RXGK /boot/config-$(uname -r)

This command checks whether the RXGK configuration option is enabled in the kernel currently running: a line reading CONFIG_RXGK=y means the component is compiled in, while "# CONFIG_RXGK is not set" (or no output at all) means it is absent.
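As an added example that is not part of the article, the script below wraps the same check in a small POSIX shell function that classifies the CONFIG_RXGK line and falls back to /proc/config.gz when /boot/config-$(uname -r) is not present. The file name rxgk_check.sh is an assumed placeholder.

```shell
#!/bin/sh
# Added example (not from the article): report whether the running kernel was
# built with CONFIG_RXGK, i.e. whether the DirtyDecrypt code path exists at all.

# rxgk_state CONFIG_TEXT -> prints "builtin", "module", "disabled" or "unknown"
rxgk_state() {
    printf '%s\n' "$1" | awk '
        /^CONFIG_RXGK=y$/            { s = "builtin" }
        /^CONFIG_RXGK=m$/            { s = "module" }
        /^# CONFIG_RXGK is not set$/ { s = "disabled" }
        END { print (s == "" ? "unknown" : s) }'
}

# kernel_config_text -> prints the running kernel config, or nothing if unavailable
kernel_config_text() {
    f="/boot/config-$(uname -r)"
    if [ -r "$f" ]; then
        cat "$f"
    elif [ -r /proc/config.gz ]; then
        # Some distributions expose the config only via CONFIG_IKCONFIG_PROC
        zcat /proc/config.gz
    fi
}

# check_running_kernel -> exit 0 if RxGK is absent, 1 if present, 2 if undetermined
check_running_kernel() {
    state=$(rxgk_state "$(kernel_config_text)")
    echo "CONFIG_RXGK: $state"
    case "$state" in
        builtin|module)
            echo "RxGK is compiled in: confirm this kernel carries the CVE-2026-31635 fix"
            return 1 ;;
        disabled)
            echo "RxGK is not compiled in: DirtyDecrypt does not apply to this kernel"
            return 0 ;;
        *)
            echo "Kernel config not readable: check with your distribution's tooling"
            return 2 ;;
    esac
}

# Run the live check only when executed directly (assumed file name rxgk_check.sh),
# so the functions can also be sourced and tested against constructed input.
case "$0" in
    *rxgk_check.sh) check_running_kernel ;;
esac
```

A non-zero exit code therefore means the RxGK code is present and the kernel's patch level still needs to be verified against the fix.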

Toward a kill switch in the Linux kernel?

In light of this rapid succession of flaws over just a few weeks, it is worth recalling the idea put forward by Sasha Levin, one of the Linux kernel maintainers. He proposed adding a kill switch to the Linux kernel, in other words an emergency stop button, with the goal of allowing administrators to disable vulnerable kernel features on the fly.

This would help protect against a zero-day flaw before the official patch is released. As we have seen with recently discovered critical vulnerabilities, the arrival of the patch may take several days.

Florian Burnel Co-founder of IT-Connect