PoC Released for DirtyDecrypt (CVE-2026-31635)

A proof-of-concept for DirtyDecrypt (CVE-2026-31635) can let local users write into page-cache pages of files they have no permission to modify and escalate to root on kernels built with CONFIG_RXGK.

Proof-of-concept exploit code for DirtyDecrypt, tracked as CVE-2026-31635, has been published. The vulnerability was reported by security firms Zellic and V12 on May 9, 2026. Kernel maintainers responded that the issue duplicated a defect already fixed in the mainline kernel. The NIST National Vulnerability Database links the PoC to the CVE and lists a CVSS score of 7.5.

The fault is in rxgk_decrypt_skb(), the function in the kernel's RxRPC (AF_RXRPC) code that decrypts incoming socket buffers under the RxGK security class. A missing copy-on-write check in that code path allows decryption to write into memory pages that are still shared with the kernel page cache instead of into a private copy. Luna Tong of Zellic wrote on GitHub: “It’s a rxgk pagecache write due to missing COW [copy-on-write] guard in rxgk_decrypt_skb.” Page-cache pages back the files that every process reads, so a write that skips the private copy changes what other processes see when they read the file, including read-only files the writer could never open for writing.

Researchers say the primitive can be used to overwrite sensitive files such as /etc/shadow, /etc/sudoers or SUID binaries and then trigger code paths that lead to root privileges. The overwritten bytes live in the cached copy of the file that every process reads, so the file's ownership and mode do not protect it. The flaw affects Linux builds that enable CONFIG_RXGK, including some releases of Fedora, Arch Linux and openSUSE Tumbleweed. Containers share the host kernel and its page cache, so on a vulnerable host a process inside a container that can reach the rxgk code path could overwrite the host's copy of such files; the container boundary does not contain the bug, and a compromised container could escape to the host.

Zellic assesses DirtyDecrypt as a variant of recent page-cache write defects. Related vulnerabilities include Copy Fail (CVE-2026-31431), Dirty Frag (CVE-2026-43284 and CVE-2026-43500) and Fragnesia (CVE-2026-46300). Copy Fail was disclosed April 29, 2026, and Dirty Frag followed with expanded write primitives. One researcher who built a public PoC after seeing a patch described the exploit as “n-day weaponization from a public upstream commit.” That researcher noted public commits can enable rapid development of working exploits once source changes are available.

Kernel developers and distribution maintainers have issued advisories and released patches where possible. Kernel developer Sasha Levin proposed a temporary “killswitch” mechanism to let an operator force a chosen kernel function to return a fixed value without executing its body. In the proposal Levin wrote that the change would take effect at runtime on every CPU until disabled or the system reboots.

Rocky Linux has announced an optional security repository intended to ship accelerated patches for narrow cases where a severe vulnerability is public and upstream fixes are not yet available. The maintainers said the repository is disabled by default and is not intended to replace the regular release process; future upstream releases will supersede any out-of-cycle patched kernels.

Administrators running affected kernels should apply available updates. Where a fixed kernel is not yet available, consider rebuilding without CONFIG_RXGK, and treat containers on an unpatched host as having no isolation from host files for the purposes of this bug. Security teams may prioritize patching or isolating nodes where an escape to host privileges would carry risk.
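The first question on any host is whether the running kernel carries the rxgk code at all. The script below is an added example for this article, not from the article itself or from any distribution: it locates the config of the running kernel, reports CONFIG_RXGK and CONFIG_AF_RXRPC, and checks whether the rxrpc module, which carries the rxgk code when AF_RXRPC is built as a module, is currently loaded. The config locations (/boot/config-$(uname -r) and /proc/config.gz) are the usual ones but are assumptions about the host.

```shell
#!/bin/sh
# rxgk_check.sh: does the running kernel carry CONFIG_RXGK?
# Added example; the config file locations are assumptions about the host.

# Locate the config for the running kernel: the distro-installed copy first,
# then the in-kernel copy (present only with CONFIG_IKCONFIG_PROC).
kernel_config_file() {
    f="/boot/config-$(uname -r)"
    if [ -r "$f" ]; then
        printf '%s\n' "$f"
    elif [ -r /proc/config.gz ]; then
        printf '%s\n' /proc/config.gz
    else
        return 1
    fi
}

# Print y, m or n for one option in a config file (plain or gzip-compressed),
# or "unknown" when the option is not listed at all.
# Usage: config_value CONFIG_RXGK /boot/config-6.19.0
config_value() {
    opt=$1 file=$2
    case "$file" in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    val=$($reader "$file" 2>/dev/null \
          | sed -n "s/^$opt=\([ym]\)$/\1/p; s/^# $opt is not set$/n/p" \
          | head -n 1)
    [ -n "$val" ] || val=unknown
    printf '%s\n' "$val"
}

# Is the AF_RXRPC module loaded right now?
rxrpc_module_loaded() {
    grep -q '^rxrpc ' /proc/modules 2>/dev/null
}

# Summarise exposure of the running kernel. Always returns 0 so it can be
# dropped into inventory scripts; read the printed verdict.
report_rxgk_status() {
    cfg=$(kernel_config_file) || {
        echo "no kernel config found for $(uname -r); cannot determine CONFIG_RXGK"
        return 0
    }
    rxgk=$(config_value CONFIG_RXGK "$cfg")
    rxrpc=$(config_value CONFIG_AF_RXRPC "$cfg")
    echo "kernel $(uname -r): CONFIG_AF_RXRPC=$rxrpc CONFIG_RXGK=$rxgk ($cfg)"
    case "$rxgk" in
        y)
            if [ "$rxrpc" = m ]; then
                if rxrpc_module_loaded; then
                    echo "rxgk code is in the rxrpc module, which is loaded: exposed"
                else
                    echo "rxgk code is in the rxrpc module; not loaded now, but creating an AF_RXRPC socket may autoload it: treat as exposed"
                fi
            else
                echo "rxgk code is built into the kernel: exposed"
            fi ;;
        n)
            echo "CONFIG_RXGK is not set: rxgk code is not in this kernel" ;;
        *)
            echo "CONFIG_RXGK is not listed in $cfg: rxgk code is not in this kernel" ;;
    esac
    return 0
}

report_rxgk_status
```

On a distribution kernel the verdict is what matters; "built in" versus "in the rxrpc module" only changes whether blocking module autoload is an option while waiting for a fixed kernel.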

The kernel page cache stores file data in memory to speed access. Linux uses copy-on-write to prevent a write by one process from changing memory seen by others; a missing copy-on-write check lets a write modify shared pages instead of creating a private copy. Several cryptographic and networking subsystems have been implicated in similar page-cache corruption defects in recent months, producing multiple local privilege escalation vulnerabilities tracked and patched across distributions.
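To make concrete what the missing guard gives up, the following added example (not code from the article, from the kernel or from Zellic's PoC) exercises the normal, correct behaviour from user space: a private mapping of a file opened read-only is copied on the first write, so readers of the file see nothing; a writable shared mapping of a read-only descriptor is refused outright; and a shared mapping through a read-write descriptor stores straight into the page-cache page that every other reader sees. The third case is the effect a kernel path produces when it writes without the copy-on-write check, except that the kernel path skips the permission check too. The file name and contents are constructed for the demo.

```c
/* cow_demo.c: what a copy-on-write guard protects, shown from user space.
 * Added example for this article; not kernel code and not the PoC. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed sample file standing in for a file like /etc/shadow. */
static char sample_path[] = "/tmp/cow_demo.XXXXXX";
static const char sample_data[] = "root:x:0:0:root:/root:/bin/sh\n";

static size_t page_size(void)
{
    long p = sysconf(_SC_PAGESIZE);
    return p > 0 ? (size_t)p : 4096;
}

/* Create the sample file; returns its path or NULL on failure. */
const char *create_sample_file(void)
{
    int fd = mkstemp(sample_path);
    if (fd < 0)
        return NULL;
    ssize_t len = (ssize_t)(sizeof sample_data - 1);
    if (write(fd, sample_data, (size_t)len) != len) {
        close(fd);
        unlink(sample_path);
        return NULL;
    }
    close(fd);
    return sample_path;
}

void remove_sample_file(void)
{
    unlink(sample_path);
}

/* What any other process sees: the first byte of the file via read(2),
 * served from the shared page-cache page. Returns the byte or -1. */
static int first_byte_via_read(void)
{
    char c;
    int fd = open(sample_path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = pread(fd, &c, 1, 0);
    close(fd);
    return n == 1 ? (unsigned char)c : -1;
}

/* Map the file, store one byte at offset 0 through the mapping, then report
 * whether read(2) sees it. Returns 1 if the store reached the file, 0 if it
 * stayed private, -1 if mmap refused the mapping (errno left set), -2 on
 * any other error. */
static int write_through_mapping(int open_flags, int map_flags, char byte)
{
    size_t len = page_size();
    int fd = open(sample_path, open_flags);
    if (fd < 0)
        return -2;
    char *map = mmap(NULL, len, PROT_READ | PROT_WRITE, map_flags, fd, 0);
    int saved = errno;
    close(fd);
    if (map == MAP_FAILED) {
        errno = saved;
        return -1;
    }
    map[0] = byte;              /* the store under test */
    int seen_in_map = map[0];
    munmap(map, len);
    if (seen_in_map != byte)
        return -2;
    int in_file = first_byte_via_read();
    if (in_file < 0)
        return -2;
    return in_file == byte;
}

/* Case 1: read-only descriptor, MAP_PRIVATE. The first store triggers
 * copy-on-write: this process gets its own page and the cached file page
 * is untouched, so read(2) still returns the original data. Expect 0. */
int private_mapping_write_reaches_file(void)
{
    return write_through_mapping(O_RDONLY, MAP_PRIVATE, 'X');
}

/* Case 2: read-only descriptor, MAP_SHARED with PROT_WRITE. The kernel
 * refuses with EACCES: with no write permission there is no legitimate way
 * to put a store into the shared page. Expect 1. */
int shared_writable_mapping_refused(void)
{
    int r = write_through_mapping(O_RDONLY, MAP_SHARED, 'Y');
    return r == -1 && errno == EACCES;
}

/* Case 3: read-write descriptor, MAP_SHARED. No copy is made; the store
 * lands in the page-cache page and every reader of the file sees it. A
 * kernel path that writes without the COW guard produces this outcome on a
 * file the caller could never have opened read-write. Expect 1. */
int shared_mapping_write_reaches_file(void)
{
    return write_through_mapping(O_RDWR, MAP_SHARED, 'Z');
}

int main(void)
{
    if (!create_sample_file())
        return 1;
    printf("MAP_PRIVATE write visible to readers:   %d (expect 0)\n",
           private_mapping_write_reaches_file());
    printf("MAP_SHARED on read-only fd refused:     %d (expect 1)\n",
           shared_writable_mapping_refused());
    printf("MAP_SHARED on rw fd visible to readers: %d (expect 1)\n",
           shared_mapping_write_reaches_file());
    remove_sample_file();
    return 0;
}
```

The three cases run in that order on purpose: case 3 really does change the file, so it comes last and the sample is removed afterwards.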
