
Proof-of-concept (PoC) exploit code has been published for a recently patched security flaw in the Linux kernel that could allow local privilege escalation (LPE).
The vulnerability, known as DirtyDecrypt (also DirtyCBC), was discovered and reported by Zellic and the V12 security team on May 9, 2026, but the maintainer informed them that it was a duplicate of a vulnerability that had already been patched in mainline.
“rxgk page cache write due to missing COW [copy-on-write] in rxgk_decrypt_skb,” Zellic co-founder Luna Tong (aka cts and gf_256) said in a description shared on GitHub.
Although the CVE identifier is not disclosed, the vulnerability in question is CVE-2026-31635 (CVSS score: 7.5), based on the fact that the CVE record in the NIST National Vulnerability Database (NVD) contains a link to the DirtyDecrypt PoC.
“The particular failure is in rxgk_decrypt_skb(), the function that decrypts the incoming sk_buff (socket buffer) on the receiver side,” Moselwal said.
“In this code path, the kernel processes a memory page that is partially shared with another process’s page cache. This is a normal Linux optimization protected by copy-on-write. As soon as a write to a shared page occurs, a private copy is created beforehand to ensure that the write does not affect another process’s data.”
The absence of this COW guard in rxgk_decrypt_skb() means that data is written in place into a shared page: memory belonging to a privileged process or, depending on the exploit path, the page cache of privileged files (/etc/shadow, /etc/sudoers, SUID binaries, and so on), leading to local privilege escalation.
DirtyDecrypt only affects kernels built with CONFIG_RXGK enabled, which is the case for distributions such as Fedora, Arch Linux, and openSUSE Tumbleweed. In containerized environments, worker nodes running a vulnerable kernel can give an attacker inside a pod a path to escape it.
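Because exposure hinges on a build-time option, the first thing to establish on a fleet is whether the running kernel was built with it. The script below is an added example, not part of the article or of Zellic's material: it reads a kernel config (the running one from /proc/config.gz or /boot, or any file you pass to it) and reports the state of CONFIG_RXGK and of AF_RXRPC. The symbol name CONFIG_RXGK comes from the article; CONFIG_AF_RXRPC and the assumption that RxGK is compiled into the rxrpc code when set are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article or from Zellic): report whether a kernel
# build enables the RxGK security class that DirtyDecrypt depends on.
# Assumes the Kconfig symbols CONFIG_RXGK (from the article) and CONFIG_AF_RXRPC.

# Usage: kconfig_status <config-file> <CONFIG_SYMBOL>
# Prints one of: builtin, module, disabled, absent.
kconfig_status() {
    cfg="$1"; sym="$2"
    [ -r "$cfg" ] || { echo absent; return 0; }
    if grep -q "^${sym}=y$" "$cfg"; then
        echo builtin
    elif grep -q "^${sym}=m$" "$cfg"; then
        echo module
    elif grep -q "^# ${sym} is not set$" "$cfg"; then
        echo disabled
    else
        echo absent        # symbol unknown to this kernel, e.g. it predates RxGK
    fi
}

# Usage: rxgk_exposed <config-file>
# Prints "yes" when RxGK is compiled in, i.e. the rxgk_decrypt_skb() path is
# reachable once an AF_RXRPC socket exists; "no" otherwise.
rxgk_exposed() {
    case "$(kconfig_status "$1" CONFIG_RXGK)" in
        builtin|module) echo yes ;;
        *)              echo no ;;
    esac
}

# Write the running kernel's config to the file named in $1. /proc/config.gz
# needs CONFIG_IKCONFIG_PROC; most distributions also install a copy under /boot.
dump_running_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz > "$1"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)" > "$1"
    else
        : > "$1"
    fi
}

report_running_kernel() {
    tmp=$(mktemp) || return 1
    dump_running_config "$tmp"
    echo "kernel:          $(uname -r)"
    echo "CONFIG_RXGK:     $(kconfig_status "$tmp" CONFIG_RXGK)"
    echo "CONFIG_AF_RXRPC: $(kconfig_status "$tmp" CONFIG_AF_RXRPC)"
    echo "rxgk exposed:    $(rxgk_exposed "$tmp")"
    # A loadable rxrpc module autoloads on socket(AF_RXRPC), so "not loaded"
    # on its own is not a mitigation; it only tells you nothing uses it right now.
    if grep -q '^rxrpc ' /proc/modules 2>/dev/null; then
        echo "rxrpc module:    loaded"
    else
        echo "rxrpc module:    not loaded"
    fi
    rm -f "$tmp"
}

if [ "${1:-}" = "--check" ]; then
    report_running_kernel
fi
```

Run it with `--check` on each node. Where CONFIG_AF_RXRPC is a module and the host does not use AFS, an `install rxrpc /bin/false` line in /etc/modprobe.d blocks the autoload and so the attack surface until a fixed kernel is deployed; where it is built in, only a patched kernel (or a runtime kill switch of the kind discussed later in this article) closes the path.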
According to Zellic, the vulnerability is a variant of Copy Fail (CVE-2026-31431), Dirty Frag aka Copy Fail 2 (CVE-2026-43284 and CVE-2026-43500), and Fragnesia (CVE-2026-46300), all of which allow a local attacker to gain root access on a vulnerable system.
Copy Fail, a local privilege escalation flaw in the AF_ALG kernel crypto API socket interface, was disclosed by researchers at Theori on April 29, 2026. Dirty Frag followed a week later and extends Copy Fail with two page cache write primitives.
However, the patch for CVE-2026-43284 that was merged on May 5 led another researcher, who was unaware of the embargo, to analyze the fix and publish the details independently, forcing security researcher Hyun Woo Kim to release early as the agreed embargo effectively ended prematurely.
“I read the commit, recognized the xfrm ESP-in-UDP MSG_SPLICE_PAGES no-COW path to the shared pipes page as an LPE primitive, and built a PoC,” said the researcher, who goes by the online aliases 0xdeadbeefnetwork and afflicted.sh. “This work is an n-day weaponization from public upstream commits, and this becomes standard practice once security-related fixes are added to the public tree.”
Fragnesia is another variant of Dirty Frag that affects the XFRM ESP-in-TCP subsystem, but the result is the same: a local unprivileged attacker can modify the contents of read-only files in the kernel page cache and gain root privileges.
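What Copy Fail, Dirty Frag, Fragnesia and DirtyDecrypt have in common is the primitive described above: a write into a cached page of a root-owned file. Such a page is not marked dirty, so the kernel never writes it back; every normal read() returns the tampered bytes while the on-disk copy stays untouched. That gap is something a responder can measure. The program below is an added example, not code from the article, from Zellic, Theori or any researcher quoted here: it reads a file once through the page cache and once with O_DIRECT, which bypasses the cache and returns the on-disk bytes, and reports whether the two views differ. It assumes a filesystem that honours O_DIRECT (ext4, xfs, btrfs) and uses 4096 bytes as the alignment unit; /etc/passwd as the default target and the fallback O_DIRECT value are assumptions of this example.

```c
/*
 * Added example: detect a page-cache-only modification of a file.
 * Not code from the article, from Zellic, or from any researcher quoted above.
 *
 * Assumptions: Linux; a filesystem that honours O_DIRECT (ext4, xfs, btrfs);
 * 4096 bytes as the alignment unit for O_DIRECT buffers, offsets and lengths.
 */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_DIRECT
#define O_DIRECT 040000   /* asm-generic value (x86, arm64); used only if <fcntl.h> hid it */
#endif

#define CHUNK 4096

/* Results of compare_cache_vs_disk(). */
enum { CACHE_MATCH = 0, CACHE_MISMATCH = 1, CACHE_CANNOT_COMPARE = -1 };

/*
 * Read a file in CHUNK-sized, CHUNK-aligned pieces. Works for both the cached
 * and the O_DIRECT descriptor, since O_DIRECT permits a short read only at EOF.
 * Returns the number of bytes read, or -1 on error.
 */
static ssize_t read_aligned(int fd, unsigned char *buf, size_t cap)
{
    size_t total = 0;
    while (total + CHUNK <= cap) {
        ssize_t n = pread(fd, buf + total, CHUNK, (off_t)total);
        if (n < 0)
            return -1;
        total += (size_t)n;
        if ((size_t)n < CHUNK)   /* short read: end of file */
            break;
    }
    return (ssize_t)total;
}

/* Compare the page-cache view of path with the on-disk view. */
int compare_cache_vs_disk(const char *path)
{
    int rc = CACHE_CANNOT_COMPARE;
    unsigned char *cached = NULL, *direct = NULL;
    struct stat st;
    size_t cap;
    ssize_t nc, nd;
    int fd_cached = open(path, O_RDONLY);
    int fd_direct = open(path, O_RDONLY | O_DIRECT);

    if (fd_cached < 0 || fd_direct < 0 || fstat(fd_cached, &st) < 0)
        goto out;

    /* Whole file rounded up to a CHUNK boundary, plus one chunk to observe EOF. */
    cap = ((size_t)st.st_size / CHUNK + 1) * CHUNK;
    if (posix_memalign((void **)&cached, CHUNK, cap) != 0) { cached = NULL; goto out; }
    if (posix_memalign((void **)&direct, CHUNK, cap) != 0) { direct = NULL; goto out; }

    nc = read_aligned(fd_cached, cached, cap);   /* served from the page cache */
    nd = read_aligned(fd_direct, direct, cap);   /* served from the block device */
    if (nc < 0 || nd < 0)
        goto out;

    rc = (nc == nd && memcmp(cached, direct, (size_t)nc) == 0)
             ? CACHE_MATCH : CACHE_MISMATCH;
out:
    free(cached);
    free(direct);
    if (fd_cached >= 0) close(fd_cached);
    if (fd_direct >= 0) close(fd_direct);
    return rc;
}

int main(int argc, char **argv)
{
    /* /etc/passwd is a world-readable default; run as root to check /etc/shadow etc. */
    const char *path = argc > 1 ? argv[1] : "/etc/passwd";
    int rc = compare_cache_vs_disk(path);

    if (rc == CACHE_MATCH)
        printf("%s: page cache matches on-disk content\n", path);
    else if (rc == CACHE_MISMATCH)
        printf("%s: PAGE CACHE DIFFERS FROM DISK (possible page-cache write)\n", path);
    else
        printf("%s: cannot compare (open, fstat or O_DIRECT read failed)\n", path);
    return rc == CACHE_MATCH ? 0 : 2;
}
```

Two caveats. A legitimately modified file with pages still awaiting writeback does not produce a false positive, because the kernel flushes the range before an O_DIRECT read, but a concurrent writer can cause a transient mismatch, so re-check before acting. And since the tampered page is clean, dropping the page cache (`echo 3 > /proc/sys/vm/drop_caches`) or rebooting removes the modification together with the evidence; copy the cached view out first if you need it for the investigation.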
This development coincides with the disclosure of an LPE flaw in the Linux PackageKit daemon (CVE-2026-41651 aka Pack2TheRoot, CVSS score: 8.8) and an improper privilege management flaw in the kernel that allows unprivileged local users to read root-owned secrets, such as SSH private keys (CVE-2026-46333 aka ssh-keysign-pwn, CVSS score: 5.5).
Various Linux distributions have released advisories regarding CVE-2026-46333 –
Kernel kill switch?
The flurry of disclosures over the past few weeks has prompted Linux kernel developers to propose an emergency “kill switch” that would let administrators disable vulnerable kernel functions at runtime until a fix for a zero-day vulnerability is available.
According to a proposal submitted by Linux kernel developer and maintainer Sasha Levin, “Killswitch allows privileged operators to cause selected kernel functions to return a fixed value without executing their bodies, as temporary mitigation for a security bug while an actual fix is prepared.”
“The function returns the value specified by the operator and nothing is executed in its place. There is no allow list or type checking of the return value. Once the kprobe layer accepts the symbol, killswitch fires it. Once fired, the change remains in effect on all CPUs until a ‘disengage’ is written or the system is rebooted.”
Rocky Linux debuts security repository
Rocky Linux has introduced an optional security repository that lets the distribution ship emergency security fixes quickly, especially when a critical vulnerability becomes public before a tailored upstream fix arrives.
“Repositories are disabled by default. This is by design,” the maintainers said. “The default Rocky Linux experience is exactly what it’s always been: predictable, stable, and fully upstream compatible. Administrators who want access to accelerated fixes can opt in when they want.”
The security repository specifically addresses the “specific, narrow” case in which a critical vulnerability is publicly disclosed, exploit code exists, and an upstream patch is not yet available. Rocky Linux emphasizes that it is not a replacement for the normal release process.
“If we push a fix and upstream decides not to address it, the next upstream kernel release will supersede the patched version,” the maintainer added. “For users who have not version-locked their kernels, our fixes will no longer apply at that point. That’s the tradeoff we accepted when building this.”
