DirtyDecrypt Linux Security Bug Allows Local Root Privilege Escalation

Andrew Lawson  - Streaming Expert
Last updated: May 18, 2026
Researchers Disclose Linux Kernel Flaw that could Allow Local Root Access on Affected Systems
Radar Rundown
  • A proof-of-concept exploit emerges for DirtyDecrypt, a vulnerability in the Linux kernel’s rxgk module that can give local attackers root access to affected systems.

  • This vulnerability affects any rolling release distribution, such as Fedora, Arch Linux, and openSUSE Tumbleweed, with the CONFIG_RXGK option configured for AFS client support.

  • System administrators should install the latest kernel updates immediately or use a module blacklist mitigation that disables vulnerable kernel modules, though this also breaks IPsec VPNs and AFS services.

Security researchers have released a proof-of-concept exploit for a recently patched Linux kernel vulnerability. The flaw, named DirtyDecrypt, allows local attackers to gain root access on affected systems.

The V12 security team found and reported this vulnerability on May 9. The kernel's maintainers responded that the report was a duplicate: the flaw had already been fixed in the mainline kernel before V12's discovery.

For the exploit to work, the target must run a Linux kernel built with the CONFIG_RXGK configuration option enabled. This option turns on RxGK security support for the Andrew File System (AFS) client and its network transport, which limits potential attacks to specific Linux distributions.

DirtyDecrypt affects rolling release distributions like Fedora

The attack surface mainly consists of distributions whose kernels closely track upstream releases; Fedora, Arch Linux, and openSUSE Tumbleweed are therefore at the highest risk from this vulnerability. V12 has tested its proof-of-concept exploit only against Fedora and the mainline Linux kernel.

Will Dormann, a Principal Vulnerabilities Analyst at Tharros, states that the researchers' findings correspond to the vulnerability tracked as CVE-2026-31635. The Linux kernel team released a fix for it on April 25 this year, but no official CVE-ID was available during the disclosure period.

DirtyDecrypt is a part of the same vulnerability group as many other root-escalation faults revealed in recent weeks. These include Dirty Frag, Fragnesia, and Copy Fail – all these vulnerabilities allow attackers to bypass security restrictions and gain elevated privileges.

The vulnerability is a page-cache write issue caused by a missing copy-on-write guard in the rxgk_decrypt_skb function. An attacker who exploits it can write arbitrary data to kernel memory, resulting in total compromise of the system.

Linux users urged to install kernel updates immediately

System administrators should install the latest kernel updates as soon as possible; rolling-release distributions like Fedora and Arch Linux have likely already shipped patched kernels. Users can check their distribution's security advisories for specific update instructions.

For those who cannot immediately patch their devices, a mitigation exists. The same workaround used for Dirty Frag also blocks this vulnerability. However, this mitigation will break IPsec VPNs and AFS distributed network file systems.

The mitigation command disables the vulnerable kernel modules entirely. System administrators should apply this workaround only when absolutely necessary: it blocks legitimate network services while protecting against the root-escalation flaw.
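As an added example (not code from the article, from V12, or from any distribution's advisory), the following POSIX shell script shows the two checks a defender would want around the advice above: reading whether CONFIG_RXGK is enabled in a kernel config file, the precondition the article names for DirtyDecrypt, and emitting the modprobe.d fragment that a module blacklist mitigation consists of. The module name `rxgk` is an assumption taken from the article's wording (confirm it with `modinfo` or `lsmod` on a real host), and the config-file locations `/boot/config-$(uname -r)` and `/proc/config.gz` are the usual ones, not something the article states. The sample config files the script feeds itself are constructed so that it runs offline.

```shell
#!/bin/sh
# Added example, not the article's or any distribution's code.
# (1) rxgk_config_state: report CONFIG_RXGK from a kernel config file.
# (2) blacklist_fragment: modprobe.d text that keeps a module from loading.
# Assumption: the module is called "rxgk" as the article calls it.

# rxgk_config_state FILE -> prints "y" (built in), "m" (module) or "n" (off/absent)
rxgk_config_state() {
    state=$(grep -E '^CONFIG_RXGK=' "$1" 2>/dev/null | head -n 1 | cut -d= -f2)
    case "$state" in
        y|m) printf '%s\n' "$state" ;;
        *)   printf 'n\n' ;;
    esac
}

# running_kernel_config -> prints the path of a readable config for the
# running kernel, or nothing if neither usual location is available
running_kernel_config() {
    cfg="/boot/config-$(uname -r)"
    if [ -r "$cfg" ]; then
        printf '%s\n' "$cfg"
    elif [ -r /proc/config.gz ]; then
        tmp=$(mktemp)
        zcat /proc/config.gz > "$tmp" 2>/dev/null && printf '%s\n' "$tmp"
    fi
}

# blacklist_fragment MODULE -> modprobe.d text that stops MODULE from loading.
# "blacklist" alone only stops alias-based autoload; the "install ... /bin/false"
# line also defeats an explicit modprobe, so both lines are emitted.
blacklist_fragment() {
    printf 'blacklist %s\ninstall %s /bin/false\n' "$1" "$1"
}

# report CONFIG_FILE -> one-line verdict; returns 0 when the vulnerable
# configuration is present, 1 when it is not
report() {
    case "$(rxgk_config_state "$1")" in
        y) echo "CONFIG_RXGK=y: RxGK is built in; a blacklist of rxgk itself cannot apply, rely on the kernel update"; return 0 ;;
        m) echo "CONFIG_RXGK=m: RxGK is a module; patch, or blacklist it until patched"; return 0 ;;
        *) echo "CONFIG_RXGK not set: this flaw does not apply"; return 1 ;;
    esac
}

main() {
    # Constructed sample configs (not real files) so the demo runs offline.
    tmp=$(mktemp -d)
    printf 'CONFIG_AFS_FS=m\nCONFIG_RXGK=y\n' > "$tmp/config-rolling"
    printf 'CONFIG_AFS_FS=m\n# CONFIG_RXGK is not set\n' > "$tmp/config-lts"
    for f in "$tmp"/config-*; do
        printf '%s: ' "$(basename "$f")"
        report "$f" || true
    done
    rm -rf "$tmp"

    # Check the host we are actually on, if its config is readable.
    live=$(running_kernel_config)
    if [ -n "$live" ]; then
        printf 'running kernel: '
        report "$live" || true
    fi

    echo "--- contents for /etc/modprobe.d/rxgk-mitigation.conf (assumed name):"
    blacklist_fragment rxgk
    return 0
}

main "$@"
```

Run it as an unprivileged user to see the verdict for the two constructed configs and for the running kernel; writing the printed fragment into `/etc/modprobe.d/` is the administrative step the article warns will also disable legitimate services, so it belongs in a change window, not in the script.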

The Cybersecurity and Infrastructure Security Agency warned about similar vulnerabilities in recent weeks. On May 1, CISA added Copy Fail to its catalog of flaws actively exploited in attacks. The agency ordered federal agencies to patch their Linux devices by May 15.

Recent Linux vulnerabilities highlight ongoing security challenges

The DirtyDecrypt disclosure follows a pattern of privilege escalation flaws affecting Linux systems. In April, Linux distributions rolled out patches for another root-privilege escalation vulnerability called Pack2TheRoot. That flaw had remained unnoticed in the PackageKit daemon for almost 12 years.

Attackers have already started actively exploiting the Copy Fail vulnerability in the wild. CISA warned that these types of vulnerabilities serve as frequent attack vectors for malicious cyber actors. They pose significant risks to federal enterprise systems and private networks alike.

The recent wave of Linux vulnerabilities affects different subsystems within the kernel. Dirty Frag and Fragnesia target networking components, while DirtyDecrypt focuses on the AFS client module. Every vulnerability requires certain conditions for exploitation, but all lead to the same end result: root privilege escalation.

System administrators should prioritize patching rolling-release distributions that run the latest kernel versions. Older enterprise distributions like RHEL and Ubuntu LTS may not include the vulnerable configuration option. Still, security teams should assess their exposure and apply patches as they are released.

The public availability of the proof-of-concept exploit raises the priority of patching, since attackers can now adapt it to their own ends. Organizations unable to patch immediately should use the module blacklist mitigation as a temporary measure.

The DirtyDecrypt vulnerability joins a growing list of critical infrastructure flaws. Millions of websites remain at risk from a cPanel authentication bypass, a reminder that system administrators must stay vigilant across all layers of their hosting environment.
