Local Privilege Escalation in Linux Kernel (CVE‑2026‑31635) “DirtyDecrypt” PoC Highlights Supply‑Chain Risk
What It Is – “DirtyDecrypt” (CVE‑2026‑31635) is a local‑privilege‑escalation (LPE) flaw in the Linux kernel’s rxgk_decrypt_skb() routine. A missing copy‑on‑write guard allows a local attacker to write into shared page‑cache pages, potentially overwriting sensitive files such as /etc/shadow or SUID binaries and gaining root.
Exploitability – A fully functional proof‑of‑concept is publicly available on GitHub. The vulnerability is assigned CVSS 7.5 (High) and is already patched in mainline kernels, but the PoC demonstrates active exploitability on unpatched systems.
Affected Products – Linux distributions compiled with CONFIG_RXGK are vulnerable, notably Fedora, Arch Linux, and openSUSE Tumbleweed. Standard Ubuntu or Debian builds are not affected.
TPRM Impact – Organizations that rely on the affected distributions for production workloads, CI/CD pipelines, or as the base OS for SaaS/cloud services inherit a direct attack surface. A compromised host can be leveraged to pivot, exfiltrate data, or disrupt services, creating a supply‑chain foothold that may affect downstream customers.
Recommended Actions –
- Verify kernel version and configuration on all assets; confirm
CONFIG_RXGKis disabled or patched. - Deploy the latest kernel updates from the respective distro (kernel 6.6+ for Fedora, Arch, openSUSE).
- Prioritize patching for any third‑party services or managed‑hosting environments that run the vulnerable kernels.
- Conduct a focused asset inventory of Linux‑based workloads and add CVE‑2026‑31635 to your vulnerability‑management exception list.
- Review privileged‑access monitoring and enforce least‑privilege for local accounts until remediation is confirmed.
Source: Security Affairs – DirtyDecrypt PoC Released for yet another Linux flaw