Proof‑of‑Concept Exploit for DirtyDecrypt Linux Kernel Root‑Escalation (CVE‑2026‑31635) Threatens Enterprise Linux Environments
What Happened — A proof‑of‑concept exploit for the recently patched DirtyDecrypt (also known as DirtyCBC) local‑privilege‑escalation flaw in the Linux kernel’s rxgk module (the RxGK security class for the rxrpc transport used by AFS) has been released publicly. The vulnerability, whose details match CVE‑2026‑31635, allows an unprivileged local attacker to gain root on systems whose kernel is built with the CONFIG_RXGK option enabled.
Why It Matters for TPRM —
- The flaw sits in the kernel itself, so any third‑party service whose Linux hosts ship the rxgk module is potentially exposed, regardless of the application stack running on top.
- Exploitation can lead to full system compromise, enabling attackers to pivot to downstream SaaS, cloud‑hosted workloads, or on‑premise services.
- Active exploitation of similar Linux LPE bugs (e.g., Copy Fail) has already been observed in the wild, and a public PoC lowers the bar further, raising the likelihood of exploitation in the near term.
Who Is Affected — Linux distributions that ship the rxgk module with CONFIG_RXGK enabled, notably Fedora, Arch Linux, openSUSE Tumbleweed, and any custom or cloud images derived from recent upstream kernels. Kernels that do not build rxgk at all (CONFIG_RXGK unset) do not expose the vulnerable code.
Recommended Actions —
- Verify that every Linux host runs a kernel that includes the fix for CVE‑2026‑31635 (the upstream fix of 25 April 2026 or the corresponding vendor patch); confirm this against the distribution’s own advisory rather than a bare upstream version number, since vendors backport fixes into older version strings.
- Where immediate patching is not possible, apply the mitigation script (which blacklists the esp4, esp6 and rxrpc modules) and test for side‑effects on IPsec VPNs and AFS. Note that a modprobe blacklist does not unload a module that is already loaded and cannot block rxgk on kernels where it is built in (CONFIG_RXGK=y) rather than built as a module (CONFIG_RXGK=m); those hosts can only be protected by patching.
- Update asset inventories to flag any system whose kernel config has CONFIG_RXGK set (=y or =m) and prioritize those hosts for patching.
- Review third‑party service contracts and request confirmation that providers have applied the kernel update or an equivalent mitigation.
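The following POSIX shell script is an added example, not part of the advisory or the BleepingComputer report, showing how a host audit for the steps above can be done: it reads CONFIG_RXGK from the running kernel’s config, lists which of the mitigation modules are currently loaded, and writes a modprobe drop‑in that blocks them. The module list is taken from the advisory’s mitigation (esp4, esp6, rxrpc) plus rxgk itself; the drop‑in path, file names and the use of `install <module> /bin/false` alongside `blacklist` are assumptions to adapt to your distribution. The sample config and module listings in the usage are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the advisory's mitigation script): audit a host for rxgk
# and emit a modprobe drop-in. Module list follows the advisory's mitigation
# plus rxgk itself; the drop-in path is an assumption.

MITIGATION_MODULES="rxgk rxrpc esp4 esp6"

# Print the state of CONFIG_RXGK in a kernel config file:
#   builtin  (CONFIG_RXGK=y)  -> a modprobe blacklist cannot help, patch instead
#   module   (CONFIG_RXGK=m)  -> blacklisting prevents (auto)loading
#   disabled (not set/absent) -> the vulnerable code is not built
# Accepts a plain config (/boot/config-$(uname -r)) or gzip (/proc/config.gz).
rxgk_config_state() {
    cfg="$1"
    case "$cfg" in
        *.gz) line=$(gzip -dc "$cfg" | grep -E '^(# )?CONFIG_RXGK[ =]' | head -n 1) ;;
        *)    line=$(grep -E '^(# )?CONFIG_RXGK[ =]' "$cfg" | head -n 1) ;;
    esac
    case "$line" in
        CONFIG_RXGK=y) echo builtin ;;
        CONFIG_RXGK=m) echo module ;;
        *)             echo disabled ;;
    esac
}

# Print each mitigation module that is currently loaded, one per line.
# Reads a file in /proc/modules format ("name size refcount deps state addr").
loaded_mitigation_modules() {
    modfile="${1:-/proc/modules}"
    for m in $MITIGATION_MODULES; do
        if grep -q "^$m " "$modfile"; then
            echo "$m"
        fi
    done
}

# Write a modprobe.d drop-in. "blacklist" only stops alias-based autoloading;
# "install <mod> /bin/false" also makes an explicit "modprobe <mod>" fail.
# Neither unloads a module that is already resident (see rmmod note below).
write_modprobe_dropin() {
    out="${1:-/etc/modprobe.d/cve-2026-31635.conf}"
    {
        echo "# Temporary mitigation for CVE-2026-31635 (DirtyDecrypt). Remove after patching."
        echo "# Expect IPsec (esp4/esp6) and AFS (rxrpc/rxgk) to stop working while this is in place."
        for m in $MITIGATION_MODULES; do
            echo "blacklist $m"
            echo "install $m /bin/false"
        done
    } > "$out"
}

# Inspect the running host. Does not change anything; unloading already-loaded
# modules (rmmod rxgk rxrpc esp4 esp6) is left to the operator because it
# tears down live AFS mounts and IPsec SAs.
audit_host() {
    kcfg="/boot/config-$(uname -r)"
    [ -r "$kcfg" ] || kcfg=/proc/config.gz
    [ -r "$kcfg" ] || { echo "no readable kernel config found" >&2; return 1; }
    state=$(rxgk_config_state "$kcfg")
    echo "CONFIG_RXGK: $state (from $kcfg)"
    echo "loaded mitigation-list modules:"
    loaded_mitigation_modules /proc/modules
    if [ "$state" = builtin ]; then
        echo "rxgk is built into this kernel: a modprobe drop-in cannot block it, patch instead" >&2
    fi
}

# Usage: sh rxgk-audit.sh audit          (inspect the running host)
#        sh rxgk-audit.sh dropin [path]   (write the modprobe drop-in)
case "${1:-}" in
    audit)  audit_host ;;
    dropin) write_modprobe_dropin "${2:-}" ;;
esac
```

Run the audit before writing the drop‑in: a host that reports `builtin` gains nothing from the drop‑in, and a host that already lists `rxgk` as loaded needs the module unloaded (or a reboot) after the drop‑in is in place, which is exactly where the AFS and IPsec side‑effects the advisory warns about will surface.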
Technical Notes — The vulnerability stems from a missing copy‑on‑write guard in rxgk_decrypt_skb, which allows a crafted page‑cache write to overwrite kernel memory. No official CVE was initially assigned, but the details match CVE‑2026‑31635, patched on 25 April 2026. Exploitation requires local code execution and a kernel that provides the rxgk module; the PoC has been tested on Fedora and on the mainline kernel. Mitigation via modprobe blacklist may disrupt IPsec and AFS services. Source: BleepingComputer