Canadian Cyber Security Journal
Filed under: TechTalk

DirtyDecrypt CVE-2026-31635: New Linux Kernel PoC Gives Root Access on Fedora, Arch, and openSUSE — What Canadian Teams Must Do Now

What Happened

Security researchers at Zellic and V12 Security published proof-of-concept exploit code today for CVE-2026-31635 (CVSS 7.5), a local privilege escalation (LPE) vulnerability in the Linux kernel dubbed DirtyDecrypt. The flaw resides in rxgk_decrypt_skb(), a function in the kernel’s rxgk network authentication subsystem. The bug is a missing copy-on-write (COW) guard: when the kernel decrypts incoming socket buffers through this code path, it writes to shared memory pages without first creating a private copy, as COW semantics require.

The practical outcome is that an unprivileged local user can write to privileged files in the kernel page cache — including /etc/shadow, /etc/sudoers, or any SUID binary — and elevate to root without any kernel exploit primitives beyond what the PoC provides. In containerized environments, worker nodes running a vulnerable kernel version represent a potential pod-escape path.

The vulnerability only affects distributions that build the kernel with CONFIG_RXGK enabled. Affected distributions include Fedora, Arch Linux, and openSUSE Tumbleweed. Ubuntu, Debian, RHEL, and most enterprise Linux distributions do not enable CONFIG_RXGK by default and are not affected by this specific variant.

DirtyDecrypt is the fourth variant in a closely related family. It follows Copy Fail (CVE-2026-31431), Dirty Frag (CVE-2026-43284 and CVE-2026-43500), and Fragnesia (CVE-2026-46300), all of which exploit different page-cache write primitives to achieve the same root access outcome. The Linux kernel community is now reviewing a proposed runtime “killswitch” mechanism that would let administrators disable vulnerable kernel functions until patches arrive.

Why This Matters for Canadian Organizations

Canadian organizations running Fedora, Arch Linux, or openSUSE Tumbleweed in any capacity — developer workstations, CI/CD build agents, containerized cloud workloads, or internal infrastructure — face an immediate local privilege escalation risk with a public and functional exploit in the wild.

The broader concern is the velocity of this vulnerability family. Four page-cache write LPE bugs have been disclosed within a span of three weeks, all with working PoC code. The Copy Fail variant (CVE-2026-31431) was added to the CISA Known Exploited Vulnerabilities catalog with evidence of active exploitation. DirtyDecrypt has not yet been added to KEV, but with a public PoC released today, the window between disclosure and active exploitation in opportunistic campaigns is measured in hours, not days.

For Canadian cloud teams running containerized workloads on affected distributions, this is a pod-escape risk. An attacker who gains initial access to a container running on a vulnerable node has a path to root on the underlying host. Canadian organizations subject to PIPEDA breach notification obligations or OSFI B-13 third-party risk requirements should treat any confirmed exploitation as a reportable event given the scope of data access a root compromise provides.

Security teams using Rocky Linux should note that Rocky Linux has introduced an optional accelerated security repository specifically designed to ship urgent fixes for this vulnerability family ahead of upstream patch availability.

What to Do

1. Identify all systems in your environment running Fedora, Arch Linux, or openSUSE Tumbleweed and determine whether CONFIG_RXGK is enabled (run grep CONFIG_RXGK /boot/config-$(uname -r)).

2. Apply available distribution patches immediately — Fedora, Arch, and openSUSE have all issued advisories. If patches are not yet available, consider disabling the rxgk kernel module as a temporary mitigation.

3. For containerized workloads, audit which worker nodes run affected kernel versions and prioritize kernel upgrades on those nodes.

4. Review the CISA KEV catalog for updates on this vulnerability family, as active exploitation has already been confirmed for related variants.

5. Log all privilege escalation events on affected systems and treat any unexplained root activity as a potential indicator of compromise.
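The exposure check in step 1 and the module check behind the mitigation in step 2 can be scripted so that an inventory run across a fleet returns a consistent answer. The following is an added example, not code from the article or from the Linux kernel project. It assumes the kernel config lives at /boot/config-$(uname -r) in the usual "CONFIG_X=y", "CONFIG_X=m" or "# CONFIG_X is not set" format, and that if rxgk is shipped as a loadable module it appears under that name in lsmod output; both functions take their input as a file path or stdin so they can be run against a saved config or lsmod capture from another host.

```shell
#!/bin/sh
# Added example (not from the article or the kernel project): classify a
# host's exposure to the CVE-2026-31635 precondition, CONFIG_RXGK, and
# report whether an rxgk module is currently loaded.

# rxgk_config_state FILE
# Prints one word describing the CONFIG_RXGK line in a kernel config file:
#   enabled  - CONFIG_RXGK=y (built in; cannot be unloaded at runtime)
#   module   - CONFIG_RXGK=m (loadable; a candidate for the article's
#              "disable the module" mitigation)
#   disabled - "# CONFIG_RXGK is not set"
#   absent   - no CONFIG_RXGK line at all (kernel predates the option)
rxgk_config_state() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "unreadable"; return 2; }
    line=$(grep -E '^(CONFIG_RXGK=|# CONFIG_RXGK is not set)' "$cfg" | head -n 1)
    case "$line" in
        "CONFIG_RXGK=y")             echo "enabled" ;;
        "CONFIG_RXGK=m")             echo "module" ;;
        "# CONFIG_RXGK is not set")  echo "disabled" ;;
        "")                          echo "absent" ;;
        *)                           echo "unknown" ;;
    esac
}

# rxgk_in_lsmod
# Reads lsmod-style text on stdin; exits 0 if a module named "rxgk" is
# listed, 1 otherwise. (Assumption: the module, when built as one, is
# named rxgk, as the article calls it.)
rxgk_in_lsmod() {
    awk '$1 == "rxgk" { found = 1 } END { exit !found }'
}

# rxgk_exposure FILE
# Combines the two checks into a single triage verdict for inventory output.
rxgk_exposure() {
    state=$(rxgk_config_state "$1")
    case "$state" in
        enabled|module) echo "AT-RISK ($state): patch; CONFIG_RXGK is on" ;;
        disabled|absent) echo "NOT-AFFECTED ($state)" ;;
        *)               echo "UNDETERMINED ($state)" ;;
    esac
}

# Stand-alone usage: inspect the running kernel if its config is present.
running_cfg="/boot/config-$(uname -r)"
if [ -r "$running_cfg" ]; then
    echo "$(uname -r): $(rxgk_exposure "$running_cfg")"
    if lsmod 2>/dev/null | rxgk_in_lsmod; then
        echo "rxgk module is loaded"
    else
        echo "rxgk module is not loaded"
    fi
fi
```

A "module" verdict is the only case where unloading buys anything; a kernel that reports "enabled" has rxgk built in, so the only remediation is the distribution patch and a reboot. Keep the raw config line alongside the verdict in your inventory so a later reviewer can confirm the classification.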

Source: The Hacker News
