Severity
High
Analysis Summary
A newly disclosed high-severity Linux kernel vulnerability, dubbed DirtyDecrypt (also known as DirtyCBC) and tracked as CVE-2026-31635, allows local attackers to escalate privileges and gain full root access on vulnerable systems. Security analysts linked the issue to a Linux kernel patch that was quietly merged upstream on April 25, 2026. The flaw exists within the rxgk_decrypt_skb() function of the RxGK subsystem, a GSS-API-based security mechanism used by RxRPC for the Andrew File System (AFS). Researchers explained that the vulnerability stems from a missing copy-on-write (COW) guard, which causes the kernel to modify shared page-cache memory in place during packet decryption. This unsafe memory handling lets a local attacker overwrite privileged memory pages and manipulate critical system files.
The exploitation impact of DirtyDecrypt is severe because attackers can corrupt files such as /etc/shadow, /etc/sudoers, or even SUID binaries, ultimately achieving complete root-level control over the affected machine. Researchers identified the vulnerability as “rxgk pagecache write due to missing COW guard in rxgk_decrypt_skb” and reported it to Linux maintainers in May 2026, only to discover that it duplicated an internally known and already patched issue. The flaw specifically affects Linux systems running kernels compiled with CONFIG_RXGK=y or CONFIG_RXGK=m, which are commonly found in rolling-release distributions closely tracking upstream kernel development.
Several major Linux distributions are exposed to the vulnerability prior to patching, including Fedora, Arch Linux, openSUSE Tumbleweed, and systems using mainline kernel PPAs or ELRepo kernel-ml packages on RHEL and CentOS Stream. In contrast, enterprise-focused distributions such as Debian Stable, Ubuntu LTS, and RHEL 8/9 are generally not vulnerable by default because the RxGK feature is disabled in their standard kernels. Administrators can determine exposure by checking kernel configurations using the command zcat /proc/config.gz | grep RXGK. The risk becomes significantly more dangerous in Kubernetes and containerized environments, where successful exploitation on a worker node can lead to full container escape, access to Kubernetes secrets, compromise of container runtime sockets, and broader cluster takeover.
Researchers warned that developer workstations running Fedora or Arch Linux are particularly attractive targets because they often store sensitive cloud credentials, active kubectl contexts, SSH keys, and AWS production profiles. DirtyDecrypt is also notable because it represents the fourth Linux kernel local privilege escalation vulnerability discovered within the same XFRM/ESP/RxGK attack surface in only three weeks, sharing similarities with the previously exploited “Copy Fail” vulnerability family. Security experts strongly recommend immediate kernel updates across affected systems. Temporary mitigations include blacklisting the rxrpc, esp4, and esp6 kernel modules, although doing so may disrupt IPsec VPN functionality and AFS services. Kubernetes administrators are additionally advised to rebuild worker node images using patched kernels and enforce strict pod security controls such as allowPrivilegeEscalation: false to reduce exploitation risk.
Impact
- Gain Access
- Privilege Escalation
Indicators of Compromise
CVE
CVE-2026-31635
Remediation
- Immediately update affected Linux systems with the latest patched kernel versions containing the April 25, 2026 security fix for CVE-2026-31635 (DirtyDecrypt).
- Reboot systems after applying kernel updates to ensure the patched kernel is actively running.
- Verify whether systems are vulnerable by checking whether the running kernel was built with CONFIG_RXGK=y or CONFIG_RXGK=m.
- Prioritize patching rolling-release distributions such as Fedora, Arch Linux, and openSUSE Tumbleweed, as they are most commonly affected.
- For temporary mitigation, blacklist the vulnerable kernel modules (rxrpc, esp4, and esp6) and add them to blacklist configuration files to prevent automatic loading, noting that this may disrupt IPsec VPN functionality and AFS services.
- Disable or avoid using untrusted mainline kernel builds, PPAs, or ELRepo kernel-ml packages until patched versions are installed.