A newly released proof-of-concept exploit, known as DirtyDecrypt, is drawing attention to a security vulnerability in the Linux kernel. The flaw, tracked as CVE-2026-31635, allows local privilege escalation and poses a significant security risk. It was initially discovered by the Zellic and V12 security team and reported on May 9, 2026. The Linux kernel maintainers, however, marked it as a duplicate of a vulnerability already fixed in mainline.
Technical Details of the Vulnerability
The DirtyDecrypt vulnerability arises from a missing copy-on-write (COW) guard in the rxgk_decrypt_skb function. This function, which decrypts incoming socket buffers, mishandles memory pages that are shared with other processes through the page cache. Without that guard, the decrypt step writes into the shared pages instead of a private copy, so an unprivileged process can affect privileged files such as /etc/shadow and /etc/sudoers.
Only Linux distributions with CONFIG_RXGK enabled, such as Fedora, Arch Linux, and openSUSE Tumbleweed, are affected. In containerized environments, the flaw could enable pod escape on worker nodes running a vulnerable Linux version. This vulnerability is considered a variant of previous exploits like Copy Fail and Dirty Frag, both of which allow root access on affected systems.
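Because exposure depends on whether the kernel was built with CONFIG_RXGK, the first thing an administrator wants is a quick way to read that option off the running kernel. The script below is an added example and not part of the original article; it assumes the kernel config is available in one of the usual places (/proc/config.gz or /boot/config-<release>) and exercises itself against constructed sample configs so it can run offline.

```shell
#!/bin/sh
# Report whether a kernel config has CONFIG_RXGK enabled, the option the
# DirtyDecrypt write-up names as the precondition for being affected.
# Added example; assumed config locations are /proc/config.gz and
# /boot/config-$(uname -r).

# rxgk_state FILE: print "y" (built-in), "m" (module) or "n" (absent or
# "is not set") for CONFIG_RXGK in a kernel .config-style FILE.
rxgk_state() {
    file="$1"
    [ -r "$file" ] || { echo "unreadable"; return 1; }
    case "$file" in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    # Only an exact "CONFIG_RXGK=y" or "CONFIG_RXGK=m" line counts;
    # "# CONFIG_RXGK is not set" and CONFIG_RXGK_* options do not match.
    val=$($reader "$file" | sed -n 's/^CONFIG_RXGK=\([ym]\)$/\1/p' | head -n 1)
    case "$val" in
        y|m) echo "$val" ;;
        *)   echo "n" ;;
    esac
}

# find_kernel_config: print the first readable config for the running kernel.
find_kernel_config() {
    for f in /proc/config.gz "/boot/config-$(uname -r)"; do
        [ -r "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# Constructed sample configs (not taken from any real distribution).
demo() {
    tmp=$(mktemp)
    printf 'CONFIG_AFS_FS=m\nCONFIG_RXGK=y\n' > "$tmp"
    echo "constructed built-in config -> $(rxgk_state "$tmp")"   # y
    printf '# CONFIG_RXGK is not set\n' > "$tmp"
    echo "constructed unset config    -> $(rxgk_state "$tmp")"   # n
    rm -f "$tmp"
}

main() {
    demo
    if cfg=$(find_kernel_config); then
        echo "$cfg: CONFIG_RXGK=$(rxgk_state "$cfg")"
    else
        echo "no kernel config found; check the distribution's kernel package instead"
    fi
}

main "$@"
```

A result of "y" or "m" only means the host is in the affected population described above; it does not by itself confirm that the kernel lacks the upstream fix.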
Context and Previous Vulnerabilities
Copy Fail, first disclosed by Theori researchers in April 2026, targets the AF_ALG cryptographic socket interface. The subsequent Dirty Frag expands this with additional write primitives. Public disclosure of Dirty Frag was accelerated after an embargo lapse, leading to independent publication of the exploit details. Another variant, Fragnesia, affects the XFRM ESP-in-TCP subsystem, allowing unprivileged users to gain root access.
Simultaneously, other vulnerabilities such as an LPE flaw in the Linux PackageKit daemon (Pack2TheRoot) and an improper privilege management flaw in the kernel (ssh-keysign-pwn) have emerged, prompting concerns within the Linux community.
Security Measures and Future Outlook
The surge in vulnerability disclosures has prompted Linux developers to consider an emergency “killswitch” mechanism. This proposal would enable administrators to disable specific kernel functions temporarily while waiting for patches. The killswitch could provide a stopgap solution to mitigate the impact of zero-day vulnerabilities.
In response, Rocky Linux has introduced an optional security repository for rapid deployment of urgent fixes. Though disabled by default, this repository aims to bridge the gap when critical vulnerabilities are disclosed before official patches are available. Rocky Linux emphasizes that this repository complements, rather than replaces, its standard release process.
As the Linux community navigates these challenges, the focus remains on ensuring robust security measures and timely updates to safeguard against emerging threats.
