
DirtyDecrypt PoC Launched for Linux Kernel CVE-2026-31635 LPE Vulnerability

Proof-of-concept (PoC) exploit code has now been released for a recently patched security flaw in the Linux kernel that could allow for local privilege escalation (LPE).

Dubbed DirtyDecrypt (aka DirtyCBC), the vulnerability was discovered and reported by the Zellic and V12 security team on May 9, 2026, only to learn from the maintainers that it was a duplicate of a vulnerability that had already been patched in the mainline.

“It is a rxgk pagecache write due to missing COW [copy-on-write] guard in rxgk_decrypt_skb,” Zellic co-founder Luna Tong (aka cts and gf_256) said in a description shared on GitHub.

Although the CVE identifier was not disclosed, the vulnerability in question is CVE-2026-31635 (CVSS score: 7.5), based on the fact that the NIST National Vulnerability Database (NVD) includes a link to the DirtyDecrypt PoC in its CVE record.

“The actual fault sits in rxgk_decrypt_skb(), the function that decrypts an incoming sk_buff (socket buffer) on the receive side,” Moselwal said.

“In this code path the kernel handles memory pages that are partly shared with the page cache of other processes – a common Linux optimisation protected by copy-on-write: as soon as a write to a shared page happens, a private copy is made beforehand so that the write doesn't bleed into another process's data.”

The absence of this COW guard in rxgk_decrypt_skb means that data gets written to the memory of privileged processes or, depending on the exploit path, to the page cache of privileged files, such as /etc/shadow, /etc/sudoers, or a SUID binary, leading to local privilege escalation.
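To make the copy-on-write rule the two paragraphs above rely on concrete, here is an added example that is not part of the article or of the DirtyDecrypt PoC. It shows the user-space view of the same rule: a write through a MAP_PRIVATE mapping of a file is diverted to a private copy and never reaches the page cache, while a write through a MAP_SHARED mapping lands in the page cache and is visible to every subsequent reader of the file. The scratch file path and its content are constructed for the demonstration.

```c
// Added example (not from the article or the PoC): user-space view of the
// copy-on-write rule. MAP_PRIVATE writes go to a private copy; MAP_SHARED
// writes reach the page cache that every reader of the file sees.
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

// Creates a scratch file holding `content`, maps it with `flags`, overwrites
// the first byte through the mapping, then re-reads the file through the
// page cache to see whether the write reached it.
// Returns 1 if the file content changed, 0 if it did not, -1 on error.
static int write_through_mapping(int flags, const char *content) {
    char path[] = "/tmp/cow-demo-XXXXXX";          // constructed scratch path
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                                   // gone once fd is closed

    size_t len = strlen(content);
    if (write(fd, content, len) != (ssize_t)len) { close(fd); return -1; }

    char *map = mmap(NULL, len, PROT_READ | PROT_WRITE, flags, fd, 0);
    if (map == MAP_FAILED) { close(fd); return -1; }
    map[0] = 'X';                                   // the write under test
    munmap(map, len);

    char buf[64] = {0};
    if (pread(fd, buf, sizeof buf - 1, 0) < 0) { close(fd); return -1; }
    close(fd);
    return buf[0] == 'X';
}

// With MAP_PRIVATE the kernel hands the writer a private copy (COW):
// the file, and thus the page cache, is untouched -> returns 0.
int private_write_reaches_file(void) {
    return write_through_mapping(MAP_PRIVATE, "hello");
}

// With MAP_SHARED the write is meant to be shared: it lands in the page
// cache and every reader of the file now sees it -> returns 1.
int shared_write_reaches_file(void) {
    return write_through_mapping(MAP_SHARED, "hello");
}

int main(void) {
    printf("MAP_PRIVATE write visible in file: %d\n", private_write_reaches_file());
    printf("MAP_SHARED  write visible in file: %d\n", shared_write_reaches_file());
    return 0;
}
```

The bug class the article describes is the kernel itself taking the second path on pages that should have followed the first: a kernel-side write that lands in a cached page of a file the writer could never open for writing. The user-space demo cannot reproduce that; it only shows what the guard is supposed to guarantee.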


DirtyDecrypt affects only distributions with CONFIG_RXGK enabled, such as Fedora, Arch Linux, and openSUSE Tumbleweed. In containerized environments, worker nodes running a vulnerable version of Linux could provide a pathway to escape the pod.
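Since exposure hinges on the CONFIG_RXGK build option named above, a quick defender's check is to read it out of the kernel configuration. The following script is an added example, not something from the article or from any distribution's tooling; it assumes the config is available either as /boot/config-<release> or as /proc/config.gz, which are the usual locations but are not present on every build.

```sh
#!/bin/sh
# Added example (not from the article): report whether CONFIG_RXGK is
# enabled in a kernel config, the precondition the article names for
# DirtyDecrypt. A "disabled" result does not by itself mean a kernel is
# patched; it only means the affected code is not built.

# rxgk_status FILE
# Prints "enabled" if CONFIG_RXGK is built in (=y) or as a module (=m),
# "disabled" if it is absent or "is not set", and "unknown" if FILE is
# unreadable. Exit status: 0 enabled, 1 disabled, 2 unknown.
rxgk_status() {
    cfg_file="$1"
    if [ ! -r "$cfg_file" ]; then
        echo unknown
        return 2
    fi
    case "$cfg_file" in
        *.gz) cfg_reader="zcat" ;;    # /proc/config.gz is gzip-compressed
        *)    cfg_reader="cat" ;;
    esac
    if "$cfg_reader" "$cfg_file" | grep -Eq '^CONFIG_RXGK=(y|m)$'; then
        echo enabled
        return 0
    fi
    echo disabled
    return 1
}

# running_kernel_rxgk_status
# Looks for the running kernel's config in the usual places and reports on
# the first one found.
running_kernel_rxgk_status() {
    for cfg_candidate in "/boot/config-$(uname -r)" /proc/config.gz; do
        if [ -r "$cfg_candidate" ]; then
            rxgk_status "$cfg_candidate"
            return $?
        fi
    done
    echo unknown
    return 2
}

echo "running kernel CONFIG_RXGK: $(running_kernel_rxgk_status)"
```

An "unknown" result means neither config location exists; on such systems the option can still be checked against the distribution's published kernel config for the installed release.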

The vulnerability, per Zellic, is assessed to be a variant of Copy Fail (CVE-2026-31431), Dirty Frag aka Copy Fail 2 (CVE-2026-43284 and CVE-2026-43500), and Fragnesia (CVE-2026-46300), all of which grant root access on vulnerable systems.

Copy Fail, a local privilege escalation flaw in the AF_ALG cryptographic socket interface, was disclosed by researchers at Theori on April 29, 2026. It was followed by Dirty Frag a week later. Dirty Frag expands on Copy Fail with two page-cache write primitives.

However, security researcher Hyunwoo Kim was forced to go ahead with public disclosure after the agreed-upon embargo window ended prematurely: a patch for CVE-2026-43284 merged on May 5 led another researcher, who was unaware of the embargo, to analyze and independently publish details of the defect.

“I read the commit, recognized the xfrm ESP-in-UDP MSG_SPLICE_PAGES no-COW path against shared pipe pages as an LPE primitive, and built a PoC,” the researcher, who goes by the online aliases 0xdeadbeefnetwork and stricken.sh, noted. “The work is n-day weaponization from a public upstream commit, which is standard practice once a security-relevant fix lands in a public tree.”


Fragnesia is another variant of Dirty Frag and affects the XFRM ESP-in-TCP subsystem. But the outcome is the same: it allows unprivileged local attackers to modify read-only file contents in the kernel page cache and gain root privileges.

The development dovetails with the discovery of an LPE flaw in the Linux PackageKit daemon (CVE-2026-41651 aka Pack2TheRoot, CVSS score: 8.8) and an improper privilege management flaw in the kernel (CVE-2026-46333 aka ssh-keysign-pwn, CVSS score: 5.5), which allows an unprivileged local user to read root-owned secrets like SSH private keys.

Various Linux distributions have released advisories for CVE-2026-46333 –

Kernel Killswitch?

The flurry of new disclosures within a span of a few weeks has prompted Linux kernel developers to review a proposal for an emergency “killswitch” that would allow administrators to disable vulnerable kernel functions at runtime until a patch for a zero-day vulnerability becomes available.

“Killswitch lets a privileged operator make a specific kernel function return a fixed value without executing its body, as a temporary mitigation for a security bug while a real fix is being prepared,” according to a proposal submitted by Linux kernel developer and maintainer Sasha Levin.

“The function returns the operator-supplied value and nothing else runs instead. There is no allowlist, no return-type check; if the kprobe layer accepts the symbol, killswitch engages it. Once engaged, the switch is in effect on every CPU until ‘disengage’ is written or the system reboots.”


Rocky Linux Debuts Security Repository

Rocky Linux, for its part, has launched an optional security repository that allows the distribution to ship urgent security fixes quickly, particularly in scenarios where severe vulnerabilities become public knowledge before coordinated upstream fixes arrive.

“The repository is disabled by default. That is intentional,” the maintainers said. “The default Rocky Linux experience remains exactly what it has always been: predictable, stable, and fully upstream-compatible. Administrators who want access to accelerated fixes can opt in when they need it.”

The security repository specifically caters to “specific, narrow” cases where a significant vulnerability is public, exploit code exists, and upstream patches are not available yet. Rocky Linux has emphasized that it is not a replacement for the regular release process.

“If we push a fix and upstream decides not to address it, the next upstream kernel release will supersede our patched version,” the maintainers added. “Users who haven't version-locked their kernel will, at that point, no longer have our fix. That is the trade-off we accepted when building this.”
