openSUSE: DirtyDecrypt Linux Kernel Vulnerability PoC Exploit Code Released

DirtyDecrypt: Linux Kernel Vulnerability Enables Local Privilege Escalation to Root

A newly disclosed high-severity Linux kernel vulnerability, DirtyDecrypt (CVE-2026-31635), allows local attackers to gain full root access on affected systems. The flaw, attributed to a missing copy-on-write (COW) guard in the rxgk_decrypt_skb() function of the RxGK subsystem, enables unprivileged users to overwrite privileged memory pages, including those backing critical files such as /etc/shadow, /etc/sudoers, or SUID binaries, by decrypting crafted socket buffers.

The issue was reported on May 9, 2026, by security researcher V12, who described it as an "rxgk pagecache write due to missing COW guard." Kernel maintainers later confirmed it as a duplicate of an internally patched flaw, with the fix merged upstream on April 25, 2026.

Affected Systems

DirtyDecrypt impacts Linux distributions that compile the kernel with CONFIG_RXGK=y or CONFIG_RXGK=m, primarily rolling-release versions:

  • Fedora (including Rawhide and Workstation, pre-patch)
  • Arch Linux (before pacman -Syu)
  • openSUSE Tumbleweed (before zypper dup)
  • Systems using mainline kernel PPAs or ELRepo kernel-ml on RHEL/CentOS Stream

Stable enterprise distributions (Debian Stable, RHEL 8/9, Ubuntu LTS) are not affected by default, as they ship with RxGK disabled. Administrators can verify exposure via:

zcat /proc/config.gz | grep RXGK
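An added exposure check that extends the one-liner above (example script, not from the article): it reads CONFIG_RXGK from /proc/config.gz or, on kernels built without CONFIG_IKCONFIG_PROC, from the distro's /boot/config-$(uname -r) copy, and notes whether the rxgk/rxrpc modules are currently resident. Function names are my own choices.

```shell
#!/bin/sh
# Exposure check for DirtyDecrypt (CVE-2026-31635): added example, not from the
# article. Wraps the zcat|grep check with a fallback for kernels that lack
# /proc/config.gz (CONFIG_IKCONFIG_PROC=n) and notes whether rxgk/rxrpc are loaded.

# Print the CONFIG_RXGK state (y, m, n, or unknown) of a kernel config file.
# $1 = config path, plain or gzip'd; defaults to /proc/config.gz, then the
# distro's /boot/config-$(uname -r) copy.
rxgk_config_state() {
    cfg="${1:-/proc/config.gz}"
    [ -r "$cfg" ] || cfg="/boot/config-$(uname -r)"
    [ -r "$cfg" ] || { echo "unknown"; return 0; }
    case "$cfg" in
        *.gz) val=$(zcat "$cfg" | sed -n 's/^CONFIG_RXGK=//p') ;;
        *)    val=$(sed -n 's/^CONFIG_RXGK=//p' "$cfg") ;;
    esac
    case "$val" in
        y|m) echo "$val" ;;
        *)   echo "n" ;;   # absent, or "# CONFIG_RXGK is not set"
    esac
}

# Print "loaded" if rxgk or rxrpc is resident, else "not-loaded".
# $1 = lsmod output; defaults to the live system so a captured sample can be tested.
rxgk_modules_loaded() {
    lsmod_out="${1:-$(lsmod 2>/dev/null)}"
    if printf '%s\n' "$lsmod_out" | awk '$1=="rxgk"||$1=="rxrpc"{f=1} END{exit !f}'; then
        echo "loaded"
    else
        echo "not-loaded"
    fi
}

# One-line verdict; returns 0 when exposed so it can gate an emergency patch job.
rxgk_exposure_report() {
    state=$(rxgk_config_state "$1")
    mods=$(rxgk_modules_loaded)
    case "$state" in
        y) echo "CONFIG_RXGK=y: RxGK built in, patch the kernel"; return 0 ;;
        m) echo "CONFIG_RXGK=m: RxGK modular ($mods), patch or blacklist"; return 0 ;;
        n) echo "CONFIG_RXGK unset: not affected by default"; return 1 ;;
        *) echo "no kernel config readable; check with your distro"; return 2 ;;
    esac
}
```

Run `rxgk_exposure_report` with no argument on the host itself; pass a path to inspect an offline config, for instance one pulled from a node image.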

Exploitation Risks

The vulnerability poses a critical threat in containerized environments, where a successful exploit on a Kubernetes worker node could lead to a full container escape. Attackers gaining root on the host would access all pods, container runtime sockets, and Kubernetes secrets mounted on the node.

High-risk targets include:

  • Developer workstations (Fedora/Arch) with active kubectl contexts
  • Systems storing AWS credentials or SSH keys
  • Enterprise production environments

DirtyDecrypt is the fourth Linux kernel local privilege escalation (LPE) flaw in the XFRM/ESP/rxgk attack surface within three weeks, following the actively exploited Copy Fail family of vulnerabilities.

Mitigation

The primary fix is updating the kernel to include the April 25 patch:

# Fedora
sudo dnf upgrade --refresh kernel kernel-core kernel-modules && sudo systemctl reboot

# Arch Linux
sudo pacman -Syu linux linux-headers && sudo systemctl reboot

# openSUSE Tumbleweed
sudo zypper dup && sudo systemctl reboot

For systems unable to patch immediately, blacklisting the rxrpc, esp4, and esp6 kernel modules provides a temporary workaround, though this may disrupt IPsec VPNs and AFS mounts.
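The blacklist workaround as an added helper script (not the article's own): it writes a modprobe.d drop-in for rxrpc, esp4 and esp6 and reports which of them are already resident, since a drop-in does not unload a running module. The `install ... /bin/false` lines go beyond a plain `blacklist` and also refuse explicit load requests; the drop-in filename and the function names are assumptions, and writing under /etc needs root.

```shell
#!/bin/sh
# Temporary module-blacklist workaround for DirtyDecrypt (CVE-2026-31635).
# Added example, not from the article; drop-in path and names are assumptions.

# Write the drop-in. $1 = destination (default /etc/modprobe.d/dirtydecrypt-workaround.conf).
# "blacklist" only stops alias-based autoloading; "install <mod> /bin/false" also
# makes explicit modprobe / request_module calls fail, the stronger form.
write_rxgk_blacklist() {
    out="${1:-/etc/modprobe.d/dirtydecrypt-workaround.conf}"
    {
        echo "# Temporary mitigation for DirtyDecrypt (CVE-2026-31635)."
        echo "# Remove once a kernel carrying the April 25, 2026 fix is booted."
        echo "# NOTE: blocks IPsec ESP (esp4/esp6) and AFS/rxrpc; VPNs and AFS mounts will fail."
        for m in rxrpc esp4 esp6; do
            echo "blacklist $m"
            echo "install $m /bin/false"
        done
    } > "$out"
}

# Print the space-separated subset of rxrpc/esp4/esp6 that is already resident.
# $1 = lsmod output; defaults to the live system so a captured sample can be tested.
loaded_workaround_modules() {
    lsmod_out="${1:-$(lsmod 2>/dev/null)}"
    printf '%s\n' "$lsmod_out" |
        awk '$1=="rxrpc"||$1=="esp4"||$1=="esp6"{printf "%s%s", sep, $1; sep=" "} END{print ""}'
}

# Apply on the live system: write the drop-in, then try to unload anything resident.
# modprobe -r fails harmlessly when a module is in use (e.g. an active IPsec SA);
# that module stays blocked only from the next boot onward.
apply_rxgk_workaround() {
    write_rxgk_blacklist
    for m in $(loaded_workaround_modules); do
        modprobe -r "$m" || echo "$m still in use; blocked after reboot" >&2
    done
}
```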

Kubernetes operators should rebuild worker node images with the patched kernel and enforce pod security standards (e.g., restricted profile, allowPrivilegeEscalation: false). Given the availability of public proof-of-concept (PoC) code, users on affected distributions are advised to prioritize updates.

Source: https://cybersecuritynews.com/dirtydecrypt-linux-kernel-vulnerability/

openSUSE Project cybersecurity rating report: https://www.rankiteo.com/company/opensuse-project

Rankiteo incident record:
  id: OPE1779215638
  linkid: opensuse-project
  type: Vulnerability
  date: 4/2026
  severity: 85
  impact: 4
  explanation: Attack with significant impact with customers data leaks