Exploit available for new DirtyDecrypt Linux root escalation flaw

A recently patched local privilege escalation vulnerability in the Linux kernel's rxgk module now has a proof-of-concept exploit that allows attackers to gain root access on some Linux systems.

Named DirtyDecrypt and also known as DirtyCBC, this security flaw was also autonomously found and reported by the V12 security team earlier this month, when the maintainers informed them that it was a duplicate that had already been patched in the mainline.

"We found and reported this on May 9, 2026, but was informed it was a duplicate by the maintainers," V12 said. "It's a rxgk pagecache write due to missing COW guard in rxgk_decrypt_skb. See poc.c for more details."

While there is no official CVE ID associated with this security flaw, according to Will Dormann (principal vulnerability analyst at Tharros), the information from the security researchers aligns with the details of CVE-2026-31635, which was patched on April 25.

Successful exploitation requires running a Linux kernel with the CONFIG_RXGK configuration option, which enables RxGK security support for the Andrew File System (AFS) client and network transport.

Exploit available for new DirtyDecrypt Linux root escalation flaw

Other newsrooms on this story

Related reading

Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major…

Dirty Frag Linux Vulnerability Raises New Root Access Risks

Critical New Linux Zero-Day Leaked—What Admins Need To Do Now

Dirty Frag gets a sequel as Fragnesia hands Linux attackers root-level access

New Fragnesia Linux flaw lets attackers gain root privileges

'Dirty Frag' Linux flaw one-ups CopyFail with no patches and public root exploit