Proof-of-concept (PoC) exploit code has been publicly released for a recently patched Linux kernel vulnerability, dubbed DirtyDecrypt, that could enable local privilege escalation (LPE). This development raises immediate concerns for systems running affected Linux distributions, as attackers could potentially leverage this flaw to gain elevated permissions.
The DirtyDecrypt vulnerability, also known as DirtyCBC, was initially reported by the Zellic and V12 security team on May 9, 2026. The researchers were informed by kernel maintainers that it was a duplicate of a flaw that had already been addressed in the mainline kernel. While a specific CVE identifier was not initially disclosed, security analysis points to CVE-2026-31635, which has a CVSS score of 7.5, as the likely candidate, since its record in the NIST National Vulnerability Database (NVD) links to the DirtyDecrypt PoC.
DirtyDecrypt: A Closer Look at the Linux Kernel Flaw
According to descriptions shared on GitHub by Zellic co-founder Luna Tong, the vulnerability stems from a “rxgk pagecache write due to missing COW [copy-on-write] guard in rxgk_decrypt_skb.” Moselwal, a security researcher, further explained that the fault lies within the `rxgk_decrypt_skb()` function, responsible for decrypting incoming socket buffers on the receive side. This function normally utilizes a copy-on-write mechanism to prevent data writes from affecting other processes sharing memory pages with the page cache. As soon as a write to a shared page is attempted, a private copy is created to ensure data integrity across processes.
The absence of this crucial copy-on-write guard in `rxgk_decrypt_skb()` allows data to be written directly into the memory of privileged processes. Depending on the specific exploit path, this could target critical system files such as `/etc/shadow`, `/etc/sudoers`, or even SUID binaries. Such a compromise would directly lead to local privilege escalation, granting unprivileged users root access.
DirtyDecrypt specifically impacts Linux distributions configured with `CONFIG_RXGK` enabled, which include popular systems like Fedora, Arch Linux, and openSUSE Tumbleweed. In containerized environments, this vulnerability could provide an avenue for attackers to break out of a pod and gain access to the underlying worker node’s host system.
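As an added example (not from the article, Zellic, or any distribution), the following POSIX shell script checks a kernel config for the `CONFIG_RXGK` precondition described above. It assumes the usual config locations (`/proc/config.gz` or `/boot/config-<release>`) and that the rxgk code is built into the rxrpc object, so the `CONFIG_AF_RXRPC` value (`y` or `m`) decides whether the affected code can be kept from loading at all.

```shell
#!/bin/sh
# Added example, not from the article: report whether a kernel config enables
# CONFIG_RXGK, the build option the article names as the DirtyDecrypt
# precondition. Assumption: the rxgk code lives in the rxrpc object, so the
# CONFIG_AF_RXRPC value (y or m) decides whether it can be kept from loading.

# Print the value of one CONFIG_ option from a config file: y, m, or n
# (n covers both "# CONFIG_X is not set" and a missing line).
config_value() {
  val=$(sed -n "s/^$2=\(.\).*/\1/p" "$1" | head -n 1)
  if [ -n "$val" ]; then echo "$val"; else echo n; fi
}

# Print the path of the running kernel's config, or fail if none is readable.
running_kernel_config() {
  if [ -r /proc/config.gz ]; then
    tmp=$(mktemp) && zcat /proc/config.gz > "$tmp" && echo "$tmp"
  elif [ -r "/boot/config-$(uname -r)" ]; then
    echo "/boot/config-$(uname -r)"
  else
    return 1
  fi
}

# Exit 0 when the config is exposed (CONFIG_RXGK on), 1 otherwise, with a verdict.
rxgk_exposure() {
  rxgk=$(config_value "$1" CONFIG_RXGK)
  rxrpc=$(config_value "$1" CONFIG_AF_RXRPC)
  if [ "$rxgk" = n ]; then
    echo "CONFIG_RXGK off: rxgk_decrypt_skb() is not built into this kernel"
    return 1
  fi
  if [ "$rxrpc" = m ]; then
    echo "CONFIG_RXGK=$rxgk, AF_RXRPC=m: exposed once rxrpc loads; a modprobe blocklist keeps an unused module out until the kernel fix is installed"
  else
    echo "CONFIG_RXGK=$rxgk, AF_RXRPC=$rxrpc: exposed; rxrpc is built in, so only the kernel fix removes the code"
  fi
  return 0
}

# Constructed sample config (not from any real system), used for the demo below.
SAMPLE_CFG=$(mktemp)
printf '%s\n' 'CONFIG_AF_RXRPC=m' 'CONFIG_RXGK=y' '# CONFIG_RXKAD is not set' > "$SAMPLE_CFG"

rxgk_exposure "$SAMPLE_CFG" || true
if cfg=$(running_kernel_config); then rxgk_exposure "$cfg" || true; fi
```

On a distribution kernel the second call reports the running system; a verdict of "off" means the rxgk receive path is absent regardless of the patch status.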
Zellic has assessed DirtyDecrypt as a variant of several previously disclosed local privilege escalation vulnerabilities, including Copy Fail (CVE-2026-31431), Dirty Frag (CVE-2026-43284 and CVE-2026-43500), and Fragnesia (CVE-2026-46300). Each of these flaws also granted root access on vulnerable systems, highlighting a concerning trend of memory corruption vulnerabilities in the Linux kernel.
Earlier this year, Copy Fail, a local privilege escalation flaw within the AF_ALG cryptographic socket interface, was disclosed by Theori researchers. Dirty Frag, which emerged a week later, built upon Copy Fail by introducing two page-cache write primitives. The public disclosure of Dirty Frag was accelerated when a merged patch for CVE-2026-43284 released on May 5 prematurely ended an agreed-upon embargo period. Another researcher, analyzing the commit, independently published details of the defect, leading to the weaponization of the vulnerability through publicly available information.
Fragnesia, another variant of Dirty Frag, affects the XFRM ESP-in-TCP subsystem. Regardless of the specific subsystem, the outcome is consistent: unprivileged local attackers can modify read-only file contents in the kernel page cache, ultimately achieving root privileges.
These recent disclosures follow closely on the heels of other identified privilege escalation flaws, including a vulnerability in the Linux PackageKit daemon (CVE-2026-41651, Pack2TheRoot, CVSS score: 8.8) and an improper privilege management flaw in the kernel (CVE-2026-46333, ssh-keysign-pwn, CVSS score: 5.5). The latter allows unprivileged local users to access sensitive root-owned secrets, such as SSH private keys. Various Linux distributions have already issued advisories for CVE-2026-46333.
Kernel Security and Future Mitigation Strategies
The rapid succession of these critical vulnerability disclosures has prompted Linux kernel developers to re-examine a proposal for an emergency “killswitch.” This mechanism would purportedly allow administrators to disable specific vulnerable kernel functions at runtime as a temporary mitigation until a permanent patch can be developed and deployed.
According to a proposal submitted by Linux kernel developer and maintainer Sasha Levin, the killswitch would enable a privileged operator to force a chosen kernel function to return a fixed value without executing its actual code. This serves as a stopgap measure for zero-day vulnerabilities while a more robust fix is being prepared. Once engaged, the change would persist across all CPU cores until explicitly disengaged or the system is rebooted.
Rocky Linux Introduces Security Repository
In response to the evolving threat landscape, Rocky Linux has introduced an optional security repository designed to facilitate the rapid distribution of urgent security fixes. This repository is particularly relevant in scenarios where severe vulnerabilities are publicly disclosed before coordinated upstream patches become available.
The maintainers of Rocky Linux emphasized that this repository is disabled by default to preserve the predictable, stable, and fully upstream-compatible experience that users expect. Administrators who require accelerated security fixes can opt in when necessary. The security repository is intended for specific, limited use cases where a significant vulnerability is public, exploit code exists, and upstream patches are not yet ready.
Rocky Linux has clarified that this initiative does not replace the regular release process. If a fix is pushed through this repository and upstream developers decide not to address it, subsequent upstream kernel releases will supersede the patched version. Users who have not version-locked their kernel may lose the benefit of the Rocky Linux fix in such instances, a trade-off the maintainers have accepted.
The ongoing string of kernel vulnerabilities underscores the continuous need for prompt patching and robust security practices. The development and potential implementation of features like the kernel killswitch, alongside proactive measures such as Rocky Linux’s security repository, indicate a growing focus on rapid response to emerging threats in the Linux ecosystem. Users are advised to stay informed through their distribution’s security advisories and apply patches as soon as they become available, particularly for systems with the `CONFIG_RXGK` option enabled.

