
"Dubbed DirtyDecrypt (aka DirtyCBC), the exploit comes from the V12 security team, which discovered it earlier this month, after fixes were rolled out in April. The V12 team has not shared a CVE identifier for the security defect, but noted that it is a missing copy-on-write (COW) guard in the rxgk_decrypt_skb component of the RxGK subsystem."
"Due to the missing COW guard, oversized response authenticators are accepted, which results in data being written to the memory of privileged processes or to the page cache of privileged files, such as SUID binaries, Moselwal notes. As Tharros Labs senior principal vulnerability analyst Will Dormann points out, the underlying issue could be CVE-2026-31635 (CVSS score of 7.5), a Linux kernel vulnerability disclosed on April 24, when patches were rolled out for mainline Linux builds."
"DirtyDecrypt only affects distributions that have CONFIG_RXGK compiled in and enabled, such as Arch Linux, Fedora, and openSUSE. In container platforms, all worker nodes running a vulnerable distribution could provide attackers with a path to escape the pod, Moselwal says."
"According to V12, the flaw is a variant of the recently identified CopyFail, DirtyFrag, and Fragnesia Linux kernel bugs, all of which grant root access on vulnerable systems. Disclosed last week and officially tracked as CVE-2026-46300, Fragnesia affects the XFRM ESP-in-TCP subsystem. It allows attackers to overwrite sensitive system files and gain root privileges."
DirtyDecrypt (DirtyCBC) is a proof-of-concept exploit targeting a Linux kernel vulnerability that can elevate privileges to root. The issue is linked to a missing copy-on-write guard in the rxgk_decrypt_skb component within the RxGK subsystem. RxGK is used by the RxRPC network protocol for AFS and OpenAFS, providing authentication, confidentiality, and integrity through GSSAPI. Without the guard, oversized response authenticators are accepted, enabling data to be written into memory of privileged processes or into the page cache of privileged files such as SUID binaries. The exploit affects systems with CONFIG_RXGK enabled, including Arch Linux, Fedora, and openSUSE, and can enable container pod escape from vulnerable worker nodes.
Read at SecurityWeek
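A defender-side exposure check for the condition the summary names (a kernel built with CONFIG_RXGK), as an added example that is not code from SecurityWeek, V12 or any distribution. The function names are hypothetical and the config file locations are common conventions assumed here.

```shell
#!/bin/sh
# Added example: classify CONFIG_RXGK in a kernel build configuration.
# Function names and the list of config locations are assumptions.

# Print a kernel config file, transparently handling gzip (e.g. /proc/config.gz).
read_config() {
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac
}

# rxgk_status FILE -> prints builtin | module | disabled; returns 2 if unreadable.
rxgk_status() {
    [ -r "$1" ] || return 2
    # Match only the exact symbol, set or "is not set"; use the last match.
    line=$(read_config "$1" | grep -E '^(# )?CONFIG_RXGK[= ]' | tail -n 1) || true
    case "$line" in
        CONFIG_RXGK=y) echo builtin ;;
        CONFIG_RXGK=m) echo module ;;
        *)             echo disabled ;;  # "# CONFIG_RXGK is not set" or absent
    esac
}

# Print the first readable config for the running kernel (conventional paths).
find_running_config() {
    rel=$(uname -r)
    for f in /proc/config.gz "/boot/config-$rel" "/lib/modules/$rel/config"; do
        if [ -r "$f" ]; then echo "$f"; return 0; fi
    done
    return 1
}

# Usage: sh rxgk_check.sh [CONFIG_FILE]; with no argument, check the running kernel.
cfg=${1:-$(find_running_config)} || cfg=
if [ -n "$cfg" ]; then
    echo "CONFIG_RXGK: $(rxgk_status "$cfg") (from $cfg)"
else
    echo "CONFIG_RXGK: unknown (no kernel config found)"
fi
```

A result of `builtin` or `module` shows only that the RxGK code is present in the build; whether the April fixes are installed has to be confirmed against the distribution's kernel changelog.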