Proof-of-concept (PoC) code is now available for another Linux kernel vulnerability that could allow attackers to elevate their privileges to root.
Dubbed DirtyDecrypt (aka DirtyCBC), the exploit comes from the V12 security team, which found it earlier this month, after fixes had been rolled out in April.
The V12 team has not shared a CVE identifier for the security defect, but noted that it is a missing copy-on-write (COW) guard in the rxgk_decrypt_skb component of the RxGK subsystem.
RxGK is a security class for the RxRPC network protocol used by the Andrew File System (AFS) and OpenAFS, which relies on the GSSAPI framework to provide authentication, confidentiality, and integrity protection.
Because of the missing COW guard, oversized response authenticators are accepted, which results in data being written to the memory of privileged processes or to the page cache of privileged files, such as SUID binaries, Moselwal notes.
As Tharros Labs senior principal vulnerability analyst Will Dormann points out, the underlying issue could be CVE-2026-31635 (CVSS score of 7.5), a Linux kernel vulnerability disclosed on April 24, when patches were rolled out for mainline Linux builds.
DirtyDecrypt only impacts distributions that have CONFIG_RXGK compiled in and enabled, such as Arch Linux, Fedora, and openSUSE.
In container platforms, all worker nodes running a vulnerable distribution could provide attackers with a path to escape the pod, Moselwal says.
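Whether a given host or worker node meets the CONFIG_RXGK condition can be read from its kernel config. The following POSIX shell check is an added example, not code from V12, Moselwal or the original article; the function names, the config file locations (common defaults) and the extra CONFIG_AF_RXRPC lookup (the Kconfig symbol for the RxRPC protocol itself) are assumptions of this example.

```shell
#!/bin/sh
# Added example: report whether a kernel config enables RxGK (CONFIG_RXGK).

# Print the config text, decompressing /proc/config.gz-style files.
read_config() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Echo the state of one Kconfig symbol: builtin, module, disabled or absent.
# Whole-line comparison avoids matching longer names that share the prefix.
kconfig_state() {
    read_config "$1" | awk -v sym="CONFIG_$2" '
        $0 == (sym "=y")                { s = "builtin" }
        $0 == (sym "=m")                { s = "module" }
        $0 == ("# " sym " is not set")  { s = "disabled" }
        END { print (s == "" ? "absent" : s) }'
}

# Echo "exposed" when RxGK is compiled in, otherwise "not-exposed".
# This reflects build configuration only, not whether fixes are applied.
rxgk_exposure() {
    case "$(kconfig_state "$1" RXGK)" in
        builtin|module) echo exposed ;;
        *)              echo not-exposed ;;
    esac
}

# Locate the running kernel's config in commonly used locations (assumed).
find_running_config() {
    for f in "/boot/config-$(uname -r)" /proc/config.gz \
             "/lib/modules/$(uname -r)/config"; do
        [ -r "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# Stand-alone use: sh check_rxgk.sh --running
if [ "${1:-}" = "--running" ]; then
    cfg=$(find_running_config) || { echo "no kernel config found" >&2; exit 2; }
    echo "$cfg: RXGK=$(kconfig_state "$cfg" RXGK)" \
         "AF_RXRPC=$(kconfig_state "$cfg" AF_RXRPC) -> $(rxgk_exposure "$cfg")"
fi
```

A result of "exposed" means only that the code is built into that kernel; whether the April fixes are present has to be confirmed against the distribution's kernel package version.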
According to V12, the flaw is a variant of the recently identified CopyFail, DirtyFrag, and Fragnesia Linux kernel bugs, all of which grant root access on vulnerable systems.
Disclosed last week and formally tracked as CVE-2026-46300, Fragnesia impacts the XFRM ESP-in-TCP subsystem. It allows attackers to overwrite sensitive system files and gain root privileges.
The Dirty Frag exploit published earlier this month chains two vulnerabilities in the Linux kernel, including one that impacts the RxRPC component, to elevate privileges to root.
Copy Fail, which was disclosed in late April, allows an attacker to modify the in-memory copies of setuid-root binaries, providing root shell access. Threat actors started exploiting it shortly after disclosure.



