New Linux Kernel Flaw Grants Root Access Via AFS Network Layer

The DirtyDecrypt flaw in the Linux kernel's AFS networking layer lets local attackers gain root by exploiting a missing copy-on-write guard during packet decryption.

CSBadmin

Vulnerability Details

A newly disclosed Linux kernel vulnerability, nicknamed DirtyDecrypt, allows local attackers to escalate privileges to root on affected systems. The flaw exists in the rxgk_decrypt_skb() function within the RxGK subsystem, which provides GSS-API based security for the RxRPC network transport used by the Andrew File System (AFS) client. The root cause is a missing copy-on-write guard that causes the kernel to write directly to a shared page-cache page during socket buffer decryption without creating a private copy first. This unguarded write can target memory belonging to privileged processes or the page cache of sensitive files such as /etc/shadow and /etc/sudoers, enabling a local unprivileged user to corrupt and overwrite those pages to achieve root access.

Impact and Scope

The vulnerability primarily affects rolling-release distributions that closely track upstream kernel development, including Fedora Rawhide, Arch Linux, and openSUSE Tumbleweed. Systems using mainline kernel PPAs or ELRepo kernel-ml on RHEL/CentOS Stream are also at risk. Stable enterprise distributions such as Debian Stable, RHEL 8/9, and Ubuntu LTS ship with RxGK disabled and are generally not affected by default. The threat is particularly severe in container environments: on a Kubernetes worker node running a vulnerable kernel, successful exploitation could enable a full container escape, granting root access to every pod, container runtime socket, and Kubernetes secret on that node. A working proof-of-concept exploit has been released, and a patch was merged upstream in late April 2026. Administrators should check their kernel configuration by running zcat /proc/config.gz | grep RXGK to determine exposure.
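The configuration check above, expanded into a script (an added example, not code from the original article or the kernel project). It assumes the option is named CONFIG_RXGK, and it falls back to /boot/config-$(uname -r) when /proc/config.gz is missing, so that an empty grep result is not misread as "not affected".

```shell
#!/bin/sh
# Added example. Assumes the Kconfig symbol is CONFIG_RXGK, the option
# matched by the "grep RXGK" check in the article.

# Read kernel config text on stdin and print one of:
#   enabled  - RxGK code is built into this kernel
#   disabled - option is known to this kernel but switched off
#   absent   - config is readable but never mentions the option
#   unknown  - no config text at all (an empty grep proves nothing here)
classify_rxgk() {
    awk '
        /^(# )?CONFIG_/              { seen = 1 }
        /^CONFIG_RXGK=[ym]$/         { state = "enabled" }
        /^# CONFIG_RXGK is not set$/ { state = "disabled" }
        END {
            if (state != "") print state
            else if (seen)   print "absent"
            else             print "unknown"
        }'
}

# Print the running kernel's build config, or fail if none is readable.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz               # present only with CONFIG_IKCONFIG_PROC
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"     # copy installed by most distro packages
    else
        return 1
    fi
}

# Classify the running kernel; unreadable config yields "unknown".
rxgk_exposure() {
    running_kernel_config 2>/dev/null | classify_rxgk
}

echo "RxGK on kernel $(uname -r): $(rxgk_exposure)"
```

A result of "enabled" means the affected code is compiled in, not that the kernel is unpatched; compare the running kernel against the distribution's fixed release before drawing a conclusion.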

Source: Cyber Security News
