
Exploit available for new DirtyDecrypt Linux root bug

A newly reported privilege escalation vulnerability in the rxgk module of the Linux kernel now has a proof-of-concept exploit that allows attackers to gain root access on Linux systems.

Named DirtyDecrypt and also known as DirtyCBC, this security flaw was also automatically discovered and reported by the V12 security team earlier this month, but maintainers informed them that it was a duplicate of an issue that had already been patched in the mainline kernel.

“We found and reported this on May 9, 2026, but were told it was a duplicate of the guardians,” V12 said. “Written rxgk page cache due to missing COW guards in rxgk_decrypt_skb. See poc.c for more details.”

Although no official CVE ID is associated with this security flaw, according to Will Dormann, principal vulnerability analyst at Tharros, the information from the security researchers matches CVE-2026-31635, which was published on April 25.

Successful exploitation requires running a Linux kernel built with the CONFIG_RXGK configuration option, which enables RxGK security support for the Andrew File System (AFS) client and its network transport.

This limits the attack surface to Linux distributions that closely follow the latest kernel releases, including Fedora, Arch Linux, and openSUSE Tumbleweed. However, V12's proof-of-concept exploit has only been tested on Fedora and the mainline Linux kernel.

[Image: DirtyDecrypt exploit tested on Fedora (Will Dormann)]

DirtyDecrypt belongs to the same vulnerability category as several other Linux root privilege escalation flaws disclosed in recent weeks, including Dirty Frag, Fragnesia, and Copy Fail.

Linux users on distros potentially affected by DirtyDecrypt are advised to install the latest kernel updates as soon as possible.

Those who cannot patch their devices immediately can apply the same mitigation used for Dirty Frag, which blocks the esp4, esp6 and rxrpc kernel modules from loading (note that this will also break IPsec VPNs and the AFS distributed file system):

sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"
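The script below is an added example, not part of the article and not code from V12 or Will Dormann. It shows how an administrator can check the two conditions the article describes: whether the running kernel was built with CONFIG_RXGK, and whether the Dirty Frag-style modprobe.d mitigation actually blocks esp4, esp6 and rxrpc. The function names (rxgk_enabled, module_blocked, mitigation_complete, assess, write_block_conf, live_check) are hypothetical, the sample config and modprobe.d text is constructed, and the live check assumes the kernel config is readable at /boot/config-$(uname -r) or /proc/config.gz.

```shell
#!/bin/sh
# Added example (not from the article or V12's PoC). The checks take their input
# as text so they can be exercised offline against constructed samples; only
# live_check touches the running system.

# rxgk_enabled CONFIG_TEXT: succeed if CONFIG_RXGK is built in (=y) or as a module (=m).
rxgk_enabled() {
    printf '%s\n' "$1" | grep -Eq '^CONFIG_RXGK=(y|m)$'
}

# module_blocked MODPROBE_TEXT MODULE: succeed if an "install MODULE /bin/false" line exists,
# which makes modprobe run /bin/false instead of loading the module.
module_blocked() {
    printf '%s\n' "$1" | grep -Eq "^install[[:space:]]+$2[[:space:]]+/bin/false[[:space:]]*$"
}

# mitigation_complete MODPROBE_TEXT: succeed only if all three modules are blocked.
mitigation_complete() {
    for mod in esp4 esp6 rxrpc; do
        module_blocked "$1" "$mod" || return 1
    done
    return 0
}

# assess CONFIG_TEXT MODPROBE_TEXT: print one of
#   not-affected  (CONFIG_RXGK absent, rxgk code path not built)
#   mitigated     (rxgk built, but esp4/esp6/rxrpc blocked from loading)
#   exposed       (rxgk built and modules still loadable: patch the kernel)
assess() {
    if ! rxgk_enabled "$1"; then
        echo not-affected
    elif mitigation_complete "$2"; then
        echo mitigated
    else
        echo exposed
    fi
}

# write_block_conf DIR: write the mitigation file into DIR (/etc/modprobe.d on a real host).
# printf reuses the format for each argument, so every directive lands on its own line;
# the "\n" escapes are the part of the one-liner that is easy to lose when copying.
# The rmmod and drop_caches steps of the article's command are deliberately not repeated here.
write_block_conf() {
    printf 'install %s /bin/false\n' esp4 esp6 rxrpc > "$1/dirtyfrag.conf"
}

# Constructed sample inputs (not taken from any real system).
SAMPLE_CONFIG_VULN='CONFIG_AFS_FS=m
CONFIG_RXGK=y
CONFIG_RXKAD=y'
SAMPLE_CONFIG_SAFE='CONFIG_AFS_FS=m
# CONFIG_RXGK is not set'
SAMPLE_MODPROBE_FULL='install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false'
SAMPLE_MODPROBE_PARTIAL='install rxrpc /bin/false'

# live_check: assess the running kernel. Assumes the kernel config is readable at
# /boot/config-$(uname -r) or /proc/config.gz and that modprobe.d lives under /etc.
live_check() {
    if [ -r "/boot/config-$(uname -r)" ]; then
        live_kconf=$(cat "/boot/config-$(uname -r)")
    elif [ -r /proc/config.gz ]; then
        live_kconf=$(zcat /proc/config.gz)
    else
        echo "kernel config not readable; cannot determine CONFIG_RXGK" >&2
        return 2
    fi
    live_mconf=$(cat /etc/modprobe.d/*.conf 2>/dev/null)
    assess "$live_kconf" "$live_mconf"
}

# Usage: sh check_rxgk.sh --live
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

The modprobe.d entry only stops the modules from being loaded on demand; a module that is already resident stays loaded until it is removed, which is why the article's one-liner also runs rmmod. The "exposed" result from assess is the case that needs a kernel update rather than a workaround.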

The disclosure follows recent reports that attackers are now actively exploiting the Copy Fail vulnerability in the wild.

The Cybersecurity and Infrastructure Security Agency (CISA) added Copy Fail to its list of actively exploited vulnerabilities on May 1 and ordered government agencies to secure their Linux machines within two weeks, by May 15.

“This type of vulnerability is a common attack by malicious actors and poses a significant risk to government business,” the US cybersecurity agency warned.

In April, Linux distros released patches for another root privilege escalation vulnerability (called Pack2TheRoot) in the PackageKit daemon that had remained unknown for nearly 12 years.

