A newly disclosed vulnerability, known as DirtyDecrypt or DirtyCBC, poses a significant security threat to Linux systems. Tracked as CVE-2026-31635, it allows a local attacker to elevate privileges to root. A proof-of-concept (PoC) exploit has been demonstrated publicly, and the flaw affects only systems built with specific kernel configurations.
Understanding the DirtyDecrypt Vulnerability
The vulnerability lies in the Linux kernel's RxGK subsystem, the security layer for RxRPC used by the Andrew File System (AFS) client. The flaw is in the rxgk_decrypt_skb() function: a missing copy-on-write (COW) guard lets data be written directly into shared pages without first creating private copies, which can corrupt root-owned files such as /etc/shadow or /etc/sudoers.
Security analyst Will Dormann matched the published technical details to CVE-2026-31635, for which a patch was quietly applied on April 25, 2026. Researcher V12 drew attention to the vulnerability's impact, noting that the report was initially treated as a duplicate of an issue that had already been patched internally.
Distributions and Systems at Risk
Linux distributions whose kernels are compiled with CONFIG_RXGK=y or CONFIG_RXGK=m are susceptible, particularly rolling-release distributions that track upstream kernel releases closely. Notable affected distributions include Fedora, Arch Linux, and openSUSE Tumbleweed, among others. Systems using mainline kernel PPAs or ELRepo kernel-ml on RHEL/CentOS Stream are also vulnerable.
In contrast, stable enterprise distributions such as Debian Stable, RHEL, and Ubuntu LTS typically disable RxGK by default, which reduces their exposure. System administrators can determine whether a given system is affected by running a check from the terminal.
Mitigation and Immediate Actions
The risk is greater in environments such as Kubernetes, where root on a compromised node can lead to container escapes and unauthorized access to secrets and container runtime sockets. Developer workstations running Fedora or Arch, which often hold sensitive credentials, are also particularly at risk.
To mitigate this vulnerability, apply the latest kernel updates that include the April 25 patch. On Fedora, Arch Linux, and openSUSE Tumbleweed this means upgrading through the distribution's package manager and rebooting. Where immediate patching is not feasible, blacklisting the relevant kernel modules offers a temporary workaround, though it may disrupt services that depend on them.
Organizations are advised to enforce strict security controls, especially in Kubernetes clusters, to limit further exploitation. Users of affected distributions should prioritize these updates: public PoC code is available, which increases the likelihood of active exploitation.
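As an added example (not code from the article or from the kernel project), the following POSIX shell script performs the terminal check mentioned above and supports the blacklist workaround: it reports whether the running kernel was built with CONFIG_RXGK and whether the RxRPC/AFS modules are loaded, and prints a modprobe.d stanza. The module names rxrpc and afs are assumptions, since the article does not name the modules to blacklist.

```shell
#!/bin/sh
# Added example, not from the original article: report whether the running
# kernel carries the RxGK security class (CONFIG_RXGK) and whether the RxRPC/AFS
# modules are loaded. Module names "rxrpc" and "afs" are assumptions; the
# article does not name the modules it says can be blacklisted.

# rxgk_config_status FILE
#   Prints builtin (CONFIG_RXGK=y), module (CONFIG_RXGK=m) or not-set for a
#   kernel config file (option absent or "# CONFIG_RXGK is not set").
rxgk_config_status() {
    if grep -q '^CONFIG_RXGK=y$' "$1"; then
        echo builtin
    elif grep -q '^CONFIG_RXGK=m$' "$1"; then
        echo module
    else
        echo not-set
    fi
}

# rxrpc_modules_loaded FILE
#   Prints the rxrpc/afs module names present in a /proc/modules-style file,
#   one per line; prints nothing when neither is loaded.
rxrpc_modules_loaded() {
    awk '$1 == "rxrpc" || $1 == "afs" { print $1 }' "$1"
}

# rxrpc_blacklist_stanza
#   Prints a modprobe.d stanza for the temporary workaround: "blacklist" stops
#   autoloading by alias, "install ... /bin/false" makes explicit loads fail.
rxrpc_blacklist_stanza() {
    printf 'blacklist %s\ninstall %s /bin/false\n' afs afs rxrpc rxrpc
}

# rxgk_report
#   Runs the checks against the live system. Uses /boot/config-<release>;
#   on kernels with IKCONFIG, decompress /proc/config.gz and pass it instead.
rxgk_report() {
    cfg="/boot/config-$(uname -r)"
    [ -r "$cfg" ] || { echo "kernel config $cfg not readable" >&2; return 2; }
    echo "CONFIG_RXGK: $(rxgk_config_status "$cfg")"
    echo "loaded rxrpc/afs modules: $(rxrpc_modules_loaded /proc/modules | tr '\n' ' ')"
}

# Report only when invoked with --report, so the functions can also be sourced.
case "${1:-}" in --report) rxgk_report ;; esac
```

Run it as `sh rxgk_check.sh --report`; a result of `not-set` with no rxrpc/afs modules loaded means the kernel does not carry the affected code.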