SecurityWeek

PoC Released for DirtyDecrypt Linux Kernel Vulnerability

Patched in April, the underlying vulnerability allows local attackers to elevate their privileges to root.


Proof-of-concept (PoC) code is now available for another Linux kernel vulnerability that could allow attackers to elevate their privileges to root.

Dubbed DirtyDecrypt (aka DirtyCBC), the exploit comes from the V12 security team, which discovered the vulnerability earlier this month, after fixes had been rolled out in April.

The V12 team has not shared a CVE identifier for the security defect, but noted that it is a missing copy-on-write (COW) guard in the rxgk_decrypt_skb component of the RxGK subsystem.

RxGK is a security class for the RxRPC network protocol used by the Andrew File System (AFS) and OpenAFS, which relies on the GSSAPI framework to provide authentication, confidentiality, and integrity protection.

Because of the missing COW guard, the kernel accepts oversized response authenticators, which results in data being written to the memory of privileged processes or to the page cache of privileged files, such as SUID binaries, Moselwal notes.

As Tharros Labs senior principal vulnerability analyst Will Dormann points out, the underlying issue could be CVE-2026-31635 (CVSS score of 7.5), a Linux kernel vulnerability disclosed on April 24, when patches were rolled out for mainline Linux builds.


DirtyDecrypt only affects distributions that have CONFIG_RXGK compiled in and enabled, such as Arch Linux, Fedora, and openSUSE.
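As an added example (not code from the article, the V12 team or any distribution), the following POSIX shell helpers report whether the running kernel was built with CONFIG_RXGK, the prerequisite the article names for exposure; the file paths, function names and output strings are assumptions, and a positive result only means the code path is present, not that the April fix is missing.

```shell
#!/bin/sh
# Added example: triage a host for the CONFIG_RXGK prerequisite named in the
# article. Paths (/boot/config-<release>, /proc/config.gz) are assumptions
# about where the build config is exposed; verify patch status separately.

# rxgk_config_state FILE: print "y", "m", "n" or "unknown" for CONFIG_RXGK
# in a plain-text kernel config (callers decompress /proc/config.gz first).
# "m" is handled even though the option is expected to be built-in only.
rxgk_config_state() {
    _file="$1"
    [ -r "$_file" ] || { echo "unknown"; return 1; }
    _line=$(grep -E '^CONFIG_RXGK=' "$_file" | head -n 1)
    case "$_line" in
        CONFIG_RXGK=y) echo y ;;
        CONFIG_RXGK=m) echo m ;;
        *) echo n ;;          # absent or "# CONFIG_RXGK is not set"
    esac
}

# kernel_config_file: locate the running kernel's config, preferring
# /boot/config-<release>; otherwise decompress /proc/config.gz into a
# temporary file (needs zcat). Prints the path, or nothing if neither exists.
kernel_config_file() {
    _boot="/boot/config-$(uname -r)"
    if [ -r "$_boot" ]; then
        echo "$_boot"
    elif [ -r /proc/config.gz ]; then
        _tmp=$(mktemp) && zcat /proc/config.gz > "$_tmp" && echo "$_tmp"
    fi
}

# rxgk_exposure_report: one human-readable triage line for this host.
rxgk_exposure_report() {
    _cfg=$(kernel_config_file)
    _state=$(rxgk_config_state "$_cfg" 2>/dev/null || true)
    case "$_state" in
        y|m) echo "CONFIG_RXGK=$_state: RxGK code present in $(uname -r); confirm the April fix is applied" ;;
        n)   echo "CONFIG_RXGK not set: kernel $(uname -r) does not carry the affected RxGK path" ;;
        *)   echo "kernel config not found for $(uname -r); check the build config manually" ;;
    esac
}
```

Run `rxgk_exposure_report` on each node; on container platforms the same check belongs on every worker node, since the article notes a vulnerable node is what gives a pod escape path.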

In container platforms, all worker nodes running a vulnerable distribution could provide attackers with a path to escape the pod, Moselwal says.

According to V12, the flaw is a variant of the recently identified CopyFail, DirtyFrag, and Fragnesia Linux kernel bugs, all of which grant root access on vulnerable systems.

Disclosed last week and officially tracked as CVE-2026-46300, Fragnesia affects the XFRM ESP-in-TCP subsystem. It allows attackers to overwrite sensitive system files and gain root privileges.

The DirtyFrag exploit published earlier this month chains two vulnerabilities in the Linux kernel, including one that affects the RxRPC component, to elevate privileges to root.

CopyFail, which was disclosed in late April, enables an attacker to modify the in-memory copies of setuid-root binaries, providing root shell access. Threat actors started exploiting it shortly after disclosure.


Written by Ionut Arghire, an international correspondent for SecurityWeek.
