Linux kernel flaw gets proof of concept as distributions move on security fixes

Proof-of-concept code has been released for DirtyDecrypt, a Linux kernel flaw that can allow local privilege escalation on affected systems, according to a technical analysis from V12 Security. The issue is tied to CVE-2026-31635 and affects systems with CONFIG_RXGK enabled.

KEY FACTS

  • Bug type: A missing copy-on-write guard in rxgk_decrypt_skb
  • Impact: Local attackers could overwrite data in privileged memory or file page cache
  • Affected systems: Distributions with CONFIG_RXGK enabled, including Fedora, Arch Linux, and openSUSE Tumbleweed
  • Related issue: The flaw is described as a variant of earlier Linux privilege escalation bugs

The report says the bug sits in rxgk_decrypt_skb, which decrypts incoming socket buffers on the receive side. In the affected code path, the kernel can write to memory pages that are shared with other processes instead of making a private copy first.

That behavior can let data be written into the memory of privileged processes or into the page cache of sensitive files, including /etc/shadow, /etc/sudoers, or a SUID binary. The disclosure says the issue can lead to root access.

According to the report, containerized environments may also be exposed if worker nodes run a vulnerable kernel version. The same write-up places the flaw alongside earlier Linux privilege escalation issues known as Copy Fail, Dirty Frag, and Fragnesia.

Separately, Linux kernel developers are reviewing a proposed emergency killswitch that would let administrators disable a vulnerable kernel function at runtime until a patch is available. Rocky Linux also said it has added an optional security repository to speed delivery of urgent fixes in narrow cases where public exploits exist before coordinated upstream patches.

WHY IT MATTERS

The release of working code can shorten the time defenders have to patch systems that use the affected kernel feature. For administrators, the practical risk is that an unprivileged local account may be able to gain root privileges if vulnerable builds remain unpatched.
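
Because exposure depends on CONFIG_RXGK being enabled, a first triage step is to read that option from the kernel build configuration. The script below is an added example, not code from the V12 Security report or any distribution; the config file locations it probes are common conventions assumed here, and a result of "enabled" means only that the feature is built in, not that the kernel is unpatched.

```shell
#!/bin/sh
# Added example: report whether a kernel build config enables CONFIG_RXGK.
# The probed config paths are common distro conventions (assumption).

# rxgk_state FILE -> prints: enabled | disabled | unknown
rxgk_state() {
    cfg=$1
    [ -r "$cfg" ] || { echo unknown; return 0; }
    case $cfg in
        *.gz) reader="gzip -dc" ;;   # e.g. /proc/config.gz
        *)    reader="cat" ;;
    esac
    # Match the exact symbol only, set or explicitly unset; last entry wins.
    line=$($reader "$cfg" 2>/dev/null |
           grep -E '^(# )?CONFIG_RXGK[= ]' | tail -n 1) || true
    case $line in
        CONFIG_RXGK=[ym]) echo enabled ;;
        *)                echo disabled ;;  # "is not set" or symbol absent
    esac
}

# Print the first readable build config for the running kernel.
running_kernel_config() {
    rel=$(uname -r)
    for f in /proc/config.gz "/boot/config-$rel" "/lib/modules/$rel/config"; do
        if [ -r "$f" ]; then echo "$f"; return 0; fi
    done
    return 1
}

# One-line summary suitable for collecting across a fleet.
rxgk_report() {
    cfg=$(running_kernel_config) || cfg=""
    echo "kernel $(uname -r): CONFIG_RXGK $(rxgk_state "$cfg") (config: ${cfg:-not found})"
}

rxgk_report
```

On container platforms, run it on the worker node itself, since containers share the host kernel.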