DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability  Ravie Lakshmanan  May 19, 2026 Linux / Vulnerability Proof-of-concept (PoC) exploit code has now been released for a recently patched security flaw in the Linux kernel that could allow for local privilege escalation (LPE). Dubbed DirtyDecrypt (aka DirtyCBC), the vulnerability was discovered and reported by the Zellic and V12 security team on May 9, 2026, only to be informed by the maintainers that it was a duplicate of a vulnerability that had already been patched in the mainline. "It's a rxgk pagecache write due to missing COW [copy-on-write] guard in rxgk_decrypt_skb," Zellic co-founder Luna Tong (aka cts and gf_256) said in a description shared on GitHub. Although the CVE identifier was not disclosed, the vulnerability in question is CVE-2026-31635 (CVSS score: 7.5) based on the fact that the NIST National Vulnerability Database (NVD) includes a link to the DirtyDecrypt PoC in its CVE record. "The specific fault sits in rxgk_decrypt_skb(), the function that decrypts an incoming sk_buff (socket buffer) on the receive side," Moselwal said . "In this code path the kernel handles memory pages that are partly shared with the page cache of other processes – a normal Linux optimisation protected by copy-on-write: as soon as a write to a shared page happens, a private copy is made beforehand so that the write doesn't bleed into another process's data." The absence of this COW guard in rxgk_decrypt_skb means that data gets written to the memory of privileged processes or, depending on the exploit path, to the page cache of privileged files, such as etc/shadow, /etc/sudoers, or a SUID binary, leading to local privilege escalation. DirtyDecrypt impacts only distributions with CONFIG_RXGK enabled, such as Fedora, Arch Linux, and openSUSE Tumbleweed. In containerized environments, worker nodes running a vulnerable version of Linux could provide a pathway to escape the pod. The vulnerability, per Zellic, is assessed to be a variant of Copy Fail (CVE-2026-31431), Dirty Frag aka Copy Fail 2 (CVE-2026-43284 and CVE-2026-43500), and Fragnesia (CVE-2026-46300), all of which grant root access on vulnerable systems. Copy Fail , a local privilege escalation flaw in the AF_ALG cryptographic socket interface, was disclosed by researchers at Theori on April 29, 2026. It was followed by Dirty Frag a week later. Dirty Frag expands on Copy Fail with two page-cache write primitives. However, security researcher Hyunwoo Kim was forced to go ahead with public disclosure after the agreed-upon embargo window ended prematurely when a merged patch for CVE-2026-43284 on May 5 led another researcher, who was unaware of the embargo, to analyze and independently publish details of the defect. "I read the commit, recognized the xfrm ESP-in-UDP MSG_SPLICE_PAGES no-COW path against shared pipe pages as an LPE primitive, and built a PoC," the researcher, who goes by the online aliases 0xdeadbeefnetwork and afflicted.sh, noted . "The work is n-day weaponization from a public upstream commit, which is standard practice once a security-relevant fix lands in a public tree." Fragnesia is another variant of Dirty Frag and impacts the XFRM ESP-in-TCP subsystem. But the outcome is the same: it allows unprivileged local attackers to modify read-only file contents in the kernel page cache and obtain root privileges. The development dovetails with the discovery of an LPE flaw in the Linux PackageKit daemon ( CVE-2026-41651 aka Pack2TheRoot, CVSS score: 8.8) and an improper privilege management flaw in the kernel ( CVE-2026-46333 aka ssh-keysign-pwn , CVSS score: 5.5), which allows an unprivileged local user to read root-owned secrets like SSH private keys. Various Linux distributions have released advisories for CVE-2026-46333 - AlmaLinux Amazon Linux CloudLinux Fedora Gentoo Red Hat SUSE Ubuntu Kernel Killswitch? The flurry of new disclosures within a span of a few weeks has prompted Linux kernel developers to review a proposal for an emergency "killswitch" that would allow administrators to disable vulnerable kernel functions at runtime until a patch for a zero-day vulnerability becomes available. "Killswitch lets a privileged operator make a chosen kernel function return a fixed value without executing its body, as a temporary mitigation for a security bug while a real fix is being prepared," according to a proposal submitted by Linux kernel developer and maintainer Sasha Levin. "The function returns the operator-supplied value and nothing else runs in its place. There is no allowlist, no return-type check; if the kprobe layer accepts the symbol, killswitch engages it. Once engaged, the change is in effect on every CPU until ``disengage`` is written or the system reboots." Rocky Linux Debuts Security Repository Rocky Linux, for its part, has introduced an optional security repository that allows the distribution to ship urgent security fixes quickly, particularly in scenarios where severe vulnerabilities become public knowledge before coordinated upstream fixes arrive. "The repository is disabled by default. That's intentional," the maintainers said . "The default Rocky Linux experience stays exactly what it has always been: predictable, stable, and fully upstream-compatible. Administrators who want access to accelerated fixes can opt in when they need it." The security repository specifically caters to "specific, narrow" cases where a significant vulnerability is public, exploit code exists, and upstream patches are not available yet. Rocky Linux has emphasized that it's not a replacement for the regular release process. "If we push a fix and upstream decides not to address it, the next upstream kernel release will supersede our patched version," the maintainers added. "Users who haven't version-locked their kernel will, at that point, no longer have our fix. That's the trade-off we accepted when building this." Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post. SHARE      Tweet  Share  Share  Share   Share on Facebook  Share on Twitter  Share on Linkedin  Share on Reddit  Share on Hacker News  Share on Email  Share on WhatsApp Share on Facebook Messenger  Share on Telegram SHARE  Arch Linux , Container Security , fedora , Kernel , linux , opensuse , privilege escalation , Rocky Linux , Vulnerability ⚡ Top Stories This Week Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday [Webinar] How Modern Attack Paths Cross Code, Pipelines, and Cloud Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI and More Packages cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation ⭐ Featured Resources [Webinar] Learn How to Handle Critical SOC Alerts With AI Support Identify Internal Attack Surfaces More Efficiently With a Free Assessment [eBook] Get the 3-Number SOC Diagnostic to Reduce Queue Risk [Guide] Stop Email Fraud Before It Turns Into Ransomware Damage