A recently patched local privilege escalation vulnerability in the Linux kernel’s rxgk module now has a proof-of-concept exploit that allows attackers to gain root access on some Linux systems.
Named DirtyDecrypt and also known as DirtyCBC, this security flaw was also autonomously found and reported by the V12 security team earlier this month, when the maintainers informed them that it was a duplicate that had already been patched in the mainline.
“We found and reported this on May 9, 2026, but was informed it was a duplicate by the maintainers,” V12 said. “It’s a rxgk pagecache write due to missing COW guard in rxgk_decrypt_skb. See poc.c for more details.”
While there is no official CVE ID associated with this security flaw, according to Will Dormann (principal vulnerability analyst at Tharros), the information from the security researchers aligns with the details of CVE-2026-31635, which was patched on April 25.
Successful exploitation requires running a Linux kernel with the CONFIG_RXGK configuration option, which enables RxGK security support for the Andrew File System (AFS) client and network transport.
This limits the attack surface to Linux distributions that closely follow the latest upstream kernel releases, including Fedora, Arch Linux, and openSUSE Tumbleweed. However, V12’s proof-of-concept exploit has only been tested against Fedora and the mainline Linux kernel.
DirtyDecrypt belongs to the same vulnerability class as several other root-escalation flaws disclosed in recent weeks, including Dirty Frag, Fragnesia, and Copy Fail.
Linux users on distros potentially affected by DirtyDecrypt are advised to install the latest kernel updates as soon as possible.
However, those who can’t immediately patch their devices should use the same mitigation used for Dirty Frag (however, this will also break IPsec VPNs and AFS distributed network file systems):
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"
These disclosures follow recent reports that attackers are now actively exploiting the Copy Fail vulnerability in the wild.
The Cybersecurity and Infrastructure Security Agency (CISA) added Copy Fail to its list of flaws exploited in attacks on May 1 and ordered federal agencies to secure their Linux devices within two weeks, by May 15.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” the U.S. cybersecurity agency warned.
In April, Linux distros rolled out patches for another root-privilege escalation vulnerability (dubbed Pack2TheRoot) in the PackageKit daemon that had gone unnoticed for almost 12 years.
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.
