DirtyDecrypt Linux flaw gets root exploit, Fedora exposed

DirtyDecrypt Linux – A proof-of-concept exploit for the newly patched DirtyDecrypt (DirtyCBC) Linux kernel rxgk module privilege escalation flaw is now available, with testing confirming root access on Fedora and the mainline kernel. Researchers say the bug is tied to a missing co
By the time administrators restarted their Linux systems after the recent patch, the danger had already mutated. A local privilege escalation vulnerability in the Linux kernel’s rxgk module—recently patched—has now been paired with a proof-of-concept exploit that allows attackers to reach root access on some systems.
The flaw is named DirtyDecrypt, and it also goes by DirtyCBC. V12’s security team says it found and reported the issue on May 9, 2026, but was told by maintainers that it was a duplicate of something already addressed in mainline. V12’s note points to the mechanism of the bug: it’s a rxgk pagecache write caused by a missing COW (copy-on-write) guard in rxgk_decrypt_skb. The proof-of-concept, it adds, is laid out in poc.c.
No official CVE ID is attached to DirtyDecrypt. Still, V12’s details line up with a previously patched CVE: Will Dormann, principal vulnerability analyst at Tharros, says the information from the researchers matches the scope of CVE-2026-31635, which was patched on April 25.
For defenders, the important part is not just the name—it’s the switch that has to be flipped in the kernel. Successful exploitation requires a Linux kernel built with the CONFIG_RXGK configuration option. That option enables RxGK security support for the Andrew File System (AFS) client and network transport, which effectively narrows the attack surface.
That narrowing comes with a catch. The exposure is limited to Linux distributions that stay close to the latest upstream kernel releases, including Fedora, Arch Linux, and openSUSE Tumbleweed. Even with that limitation, V12’s proof-of-concept has only been tested against Fedora and the mainline Linux kernel.
DirtyDecrypt is also not an isolated story. It belongs to the same vulnerability class as several other root-escalation flaws disclosed in recent weeks—Dirty Frag, Fragnesia, and Copy Fail. For users who might still be sitting on vulnerable kernel versions, the guidance is blunt: install the latest kernel updates as soon as possible.
For those who can’t patch immediately, V12 points to the same mitigation used for Dirty Frag. It involves disabling several kernel modules and forcing cache drops, but the trade-off is significant: the mitigation will break IPsec VPNs and AFS distributed network file systems.
The mitigation command sequence is:
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"
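The mitigation above discards rmmod errors, so a module that is in use can stay loaded without any message. The following read-only check is an added example, not part of V12's advisory or the original article: it reports whether CONFIG_RXGK is set, whether the three install rules exist, and whether any of the modules is still loaded. The function names, the verdict strings and the /boot/config-* path are assumptions of this example.

```sh
# Added example (not from the article): read-only triage of the conditions the
# article names. Paths are arguments so copies of the files can be checked.

# 0 if the kernel config file enables CONFIG_RXGK.
rxgk_enabled() {
    grep -Eq '^CONFIG_RXGK=[ym]$' "$1"
}

# Print which of esp4/esp6/rxrpc are listed in a /proc/modules-format file.
loaded_targets() {
    awk '$1 ~ /^(esp4|esp6|rxrpc)$/ { printf "%s ", $1 }' "$1" 2>/dev/null
}

# 0 if every target has an "install <mod> /bin/false" rule in the directory.
workaround_present() {
    for m in esp4 esp6 rxrpc; do
        cat "$1"/*.conf 2>/dev/null |
            grep -Eq "^[[:space:]]*install[[:space:]]+${m}[[:space:]]+/bin/false[[:space:]]*\$" || return 1
    done
}

# Prints: unknown | rxgk-off | rxgk-on-no-workaround |
#         workaround-incomplete | workaround-active
rxgk_verdict() {
    [ -r "$1" ] || { echo unknown; return 0; }
    rxgk_enabled "$1" || { echo rxgk-off; return 0; }
    workaround_present "$3" || { echo rxgk-on-no-workaround; return 0; }
    # Rules exist, but a module loaded before they were written is still live.
    if [ -n "$(loaded_targets "$2")" ]; then
        echo workaround-incomplete
    else
        echo workaround-active
    fi
}

# Constructed sample: RXGK on, rules written, rxrpc never unloaded.
rxgk_demo() {
    d=$(mktemp -d) && mkdir "$d/modprobe.d" || return 1
    echo 'CONFIG_RXGK=y' > "$d/config"
    printf 'rxrpc 450560 0 - Live 0x0000000000000000\n' > "$d/modules"
    printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' \
        > "$d/modprobe.d/dirtyfrag.conf"
    rxgk_verdict "$d/config" "$d/modules" "$d/modprobe.d"
    rm -rf "$d"
}

# Live check; the config path is an assumption (Fedora-style /boot/config-*).
rxgk_verdict "/boot/config-$(uname -r)" /proc/modules /etc/modprobe.d
```

No verdict says whether the running kernel already carries the fix, so an rxgk-on result still needs the installed kernel version checked against the distribution's update. If rxrpc is built into the kernel rather than loaded as a module, the modprobe rules have no effect and it will not appear in /proc/modules.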
The DirtyDecrypt disclosure lands as Copy Fail activity is already moving from research labs into real-world use. The report says attackers are now actively exploiting Copy Fail in the wild. CISA added Copy Fail to its list of known exploited flaws on May 1 and ordered federal agencies to secure their Linux devices within two weeks, by May 15.
The agency’s warning was direct: this type of vulnerability is a frequent attack vector for malicious cyber actors and carries significant risk to the federal enterprise.
It’s also not the first time this month has brought a root escalation surprise. In April, Linux distributions rolled out patches for another privilege escalation vulnerability—dubbed Pack2TheRoot—in the PackageKit daemon that had gone unnoticed for almost 12 years.
Taken together, the pattern is hard to miss: even after fixes land in the kernel, exploit code can appear quickly enough to force administrators into rapid triage. For now, DirtyDecrypt’s scope is constrained by CONFIG_RXGK and by which distributions track upstream kernels closely—but for Fedora systems tested by the proof-of-concept, the message is immediate: update the kernel, or be ready to accept the operational damage of the workaround.