HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Local Privilege Escalation in Linux Kernel (CVE‑2026‑31635) “DirtyDecrypt” PoC Highlights Supply‑Chain Risk

A working proof‑of‑concept for the Linux kernel LPE CVE‑2026‑31635, dubbed “DirtyDecrypt”, has been released. The flaw affects Fedora, Arch Linux, and openSUSE Tumbleweed, allowing local attackers to gain root by writing to shared page‑cache pages. Third‑party risk managers must assess exposure across any services built on these distributions.

LiveThreat™ Intelligence · 📅 May 20, 2026· 📰 securityaffairs.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
5 recommended
📰
Source
securityaffairs.com

Local Privilege Escalation in Linux Kernel (CVE‑2026‑31635) “DirtyDecrypt” PoC Highlights Supply‑Chain Risk

What It Is – “DirtyDecrypt” (CVE‑2026‑31635) is a local‑privilege‑escalation (LPE) flaw in the Linux kernel’s rxgk_decrypt_skb() routine. A missing copy‑on‑write guard allows a local attacker to write into shared page‑cache pages, potentially overwriting sensitive files such as /etc/shadow or SUID binaries and gaining root.

Exploitability – A fully functional proof‑of‑concept is publicly available on GitHub. The vulnerability is assigned CVSS 7.5 (High) and is already patched in mainline kernels, but the PoC demonstrates active exploitability on unpatched systems.

Affected Products – Linux distributions compiled with CONFIG_RXGK are vulnerable, notably Fedora, Arch Linux, and openSUSE Tumbleweed. Standard Ubuntu or Debian builds are not affected.

TPRM Impact – Organizations that rely on the affected distributions for production workloads, CI/CD pipelines, or as the base OS for SaaS/cloud services inherit a direct attack surface. A compromised host can be leveraged to pivot, exfiltrate data, or disrupt services, creating a supply‑chain foothold that may affect downstream customers.

Recommended Actions

  • Verify kernel version and configuration on all assets; confirm CONFIG_RXGK is disabled or patched.
  • Deploy the latest kernel updates from the respective distro (kernel 6.6+ for Fedora, Arch, openSUSE).
  • Prioritize patching for any third‑party services or managed‑hosting environments that run the vulnerable kernels.
  • Conduct a focused asset inventory of Linux‑based workloads and add CVE‑2026‑31635 to your vulnerability‑management exception list.
  • Review privileged‑access monitoring and enforce least‑privilege for local accounts until remediation is confirmed.

Source: Security Affairs – DirtyDecrypt PoC Released for yet another Linux flaw

📰 Original Source
https://securityaffairs.com/192436/uncategorized/dirtydecrypt-poc-released-for-yet-another-linux-flaw.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →