The DirtyDecrypt Vulnerability
Proof-of-concept exploit code has been released for a recently patched Linux kernel vulnerability that allows local privilege escalation. The flaw, tracked under a single identifier, was reported by security researchers from Zellic and V12 on May 9, 2026; kernel maintainers noted that it duplicated an issue that had already been patched. Nicknamed DirtyDecrypt or DirtyCBC, the vulnerability resides in the rxgk_decrypt_skb function, which decrypts incoming socket buffers (skbs) on the receive side of the RxGK security class of the kernel's RxRPC implementation.
How the Exploit Works
The core issue is a missing copy-on-write (COW) guard in the rxgk_decrypt_skb function. Normally, before the kernel writes to a page that is shared with someone else (a page-cache page that backs a file, or a page mapped by another process), it first makes a private copy so that the write cannot leak into the other user of the page. Without this guard, the decrypt-in-place write lands on the shared page itself: an attacker can write attacker-controlled bytes directly into the memory of privileged processes or into the page cache of sensitive files such as /etc/shadow, /etc/sudoers, or SUID binaries. Because the write hits the page cache, every process that subsequently reads the file sees the modified contents, whether or not anything is ever written back to disk. This direct write path allows an unprivileged local user to escalate to root.
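To make the copy-on-write guarantee concrete, here is an added example of my own (not code from the article, from Zellic or V12, or from the kernel) that demonstrates the guard the article says the vulnerable path lacks, rather than the bug itself. It maps a constructed temporary file twice: a read-only MAP_SHARED mapping, which is a direct window onto the page-cache page, and a writable MAP_PRIVATE mapping. After writing through the private mapping it checks that the shared view and the file contents are unchanged, which is exactly the property a page-cache-overwrite bug breaks. The file lives in /tmp (falling back to the current directory) and its contents are a made-up stand-in for a sensitive file; nothing here touches /etc/shadow.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>

/*
 * Returns 0 when copy-on-write held (the private write never reached the
 * page cache or the file), otherwise a step number identifying what failed.
 */
int cow_private_write_stays_private(void)
{
    /* Constructed sample content standing in for a sensitive file. */
    const char original[] = "root:x:0:0:root:/root:/bin/sh\n";
    size_t len = strlen(original);
    long page = sysconf(_SC_PAGESIZE);
    char tmp_path[] = "/tmp/cow-demo-XXXXXX";
    char cwd_path[] = "./cow-demo-XXXXXX";
    int rc = 0;

    int fd = mkstemp(tmp_path);
    if (fd < 0)
        fd = mkstemp(cwd_path);     /* assumed fallback if /tmp is unwritable */
    if (fd < 0)
        return 1;
    /* Unlink immediately: the inode (and its page-cache pages) stay alive via fd. */
    unlink(fd >= 0 && tmp_path[0] == '/' && access(tmp_path, F_OK) == 0 ? tmp_path : cwd_path);

    if (write(fd, original, len) != (ssize_t)len) {
        close(fd);
        return 2;
    }

    /* Shared mapping: reads straight from the page-cache page backing the file. */
    char *shared = mmap(NULL, page, PROT_READ, MAP_SHARED, fd, 0);
    /* Private mapping: the first write must be diverted to a private copy. */
    char *priv = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (shared == MAP_FAILED || priv == MAP_FAILED) {
        close(fd);
        return 3;
    }

    /* The write that triggers COW: the kernel copies the page before changing it. */
    memcpy(priv, "evil", 4);

    if (memcmp(priv, "evil", 4) != 0) {
        rc = 4;                                   /* our own write vanished */
    } else if (memcmp(shared, original, len) != 0) {
        rc = 5;                                   /* page cache changed: COW broken */
    } else {
        char buf[sizeof original];
        if (pread(fd, buf, len, 0) != (ssize_t)len || memcmp(buf, original, len) != 0)
            rc = 6;                               /* file contents changed */
    }

    munmap(shared, page);
    munmap(priv, page);
    close(fd);
    return rc;
}

int main(void)
{
    int rc = cow_private_write_stays_private();
    if (rc == 0)
        printf("COW held: the private write did not reach the page cache\n");
    else
        printf("unexpected result at step %d\n", rc);
    return rc;
}
```

The interesting check is step 5: the shared mapping is the page cache, so if it had changed, a write through an unprivileged private mapping would have become visible to every other reader of the file, which is the effect the article attributes to the missing guard in rxgk_decrypt_skb.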
Impact and Scope
The vulnerability only affects kernels built with the CONFIG_RXGK kernel configuration option enabled; a kernel without it does not contain the affected code path. Affected distributions include Fedora, Arch Linux, and openSUSE Tumbleweed. In containerized environments, a pod shares the kernel of the worker node it runs on, so a process inside a pod on a vulnerable node could exploit the flaw to escape the pod and gain root access on the host. Researchers classify this flaw as a variant of several previous privilege escalation vulnerabilities, including Copy Fail and Fragnesia, all of which yield root access on vulnerable systems. Users should apply the available kernel patches immediately; until then, confirming whether the running kernel was built with CONFIG_RXGK tells you whether a given host is in scope.
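As an added example (my own, not from the article), the following C program answers the scoping question above for one host: it parses a kernel .config and reports whether CONFIG_RXGK is built in, a module, explicitly unset, or absent. It assumes the config is at /boot/config-<release> for the running kernel, which is where most distributions place it; a kernel that only exposes /proc/config.gz would need that decompressed first. The parsing function is kept separate from the file reading so it can be run on a constructed config snippet.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>

/*
 * Returns 'y' (built in), 'm' (module), 'n' (explicitly not set), or '?' when
 * CONFIG_RXGK does not appear in the config text at all (for example a kernel
 * that predates the option).
 */
char rxgk_config_state(const char *config)
{
    static const char set_prefix[] = "CONFIG_RXGK=";
    static const char not_set[]    = "# CONFIG_RXGK is not set";
    const size_t plen = strlen(set_prefix);
    const size_t nlen = strlen(not_set);
    const char *line = config;

    while (line && *line) {
        const char *eol = strchr(line, '\n');
        size_t n = eol ? (size_t)(eol - line) : strlen(line);

        /* Match "CONFIG_RXGK=" exactly, so CONFIG_RXGK_SOMETHING does not count. */
        if (n > plen && strncmp(line, set_prefix, plen) == 0)
            return line[plen];
        if (n == nlen && strncmp(line, not_set, nlen) == 0)
            return 'n';
        line = eol ? eol + 1 : NULL;
    }
    return '?';
}

/* Reads /boot/config-<uname -r> into a malloc'd string; NULL if unavailable. */
char *read_running_kernel_config(void)
{
    struct utsname u;
    char path[512];
    if (uname(&u) != 0)
        return NULL;
    snprintf(path, sizeof path, "/boot/config-%s", u.release);  /* assumed location */

    FILE *f = fopen(path, "r");
    if (!f)
        return NULL;
    size_t cap = 1 << 16, len = 0;
    char *buf = malloc(cap);
    if (!buf) { fclose(f); return NULL; }
    size_t got;
    while ((got = fread(buf + len, 1, cap - len - 1, f)) > 0) {
        len += got;
        if (len + 1 >= cap) {
            cap *= 2;
            char *bigger = realloc(buf, cap);
            if (!bigger) { free(buf); fclose(f); return NULL; }
            buf = bigger;
        }
    }
    buf[len] = '\0';
    fclose(f);
    return buf;
}

int main(void)
{
    char *config = read_running_kernel_config();
    if (!config) {
        fprintf(stderr, "could not read /boot/config-<release>; try /proc/config.gz\n");
        return 2;
    }
    char state = rxgk_config_state(config);
    free(config);
    switch (state) {
    case 'y': printf("CONFIG_RXGK=y: rxgk code is built in, host is in scope\n"); return 1;
    case 'm': printf("CONFIG_RXGK=m: rxgk code available as a module, host is in scope\n"); return 1;
    case 'n': printf("CONFIG_RXGK is not set: affected code path absent\n"); return 0;
    default:  printf("CONFIG_RXGK not present in config: option unknown to this kernel\n"); return 0;
    }
}
```

A non-zero exit status marks a host as in scope, which makes the program easy to drop into a fleet-wide check. Note that an in-scope kernel still needs the patch applied; this only tells you whether the code the article describes is present.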
Source: The Hacker News
