A local privilege escalation vulnerability in the Linux kernel’s rxgk module, recently patched, now has a proof-of-concept exploit that can give attackers root access on certain Linux systems.
Known as DirtyDecrypt or DirtyCBC, this security flaw was autonomously discovered and reported by the V12 security team. Despite reporting it on May 9, 2026, they were informed by maintainers that it was a duplicate issue that had already been addressed in the mainline.
Although there is no official CVE ID associated with this vulnerability, security researchers believe it aligns with CVE-2026-31635, which was patched on April 25.
The vulnerability is only exploitable on a Linux kernel built with the CONFIG_RXGK configuration option enabled, which supports RxGK security for the Andrew File System (AFS) client and network transport.
This vulnerability primarily affects Linux distributions following the latest upstream kernel releases, such as Fedora, Arch Linux, and openSUSE Tumbleweed. However, V12’s exploit has only been tested on Fedora and the mainline Linux kernel.
DirtyDecrypt is part of the same vulnerability class as other recent root-escalation flaws like Dirty Frag, Fragnesia, and Copy Fail.
Users of Linux distributions potentially impacted by DirtyDecrypt are urged to promptly install the latest kernel updates. For those unable to patch immediately, the same mitigation as Dirty Frag can be applied, although this may impact IPsec VPNs and AFS distributed network file systems.
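To see whether a host meets the CONFIG_RXGK precondition described above, the following added example (not from V12 or the kernel maintainers) reads the running kernel's build configuration. The function names and the three config file locations are assumptions based on common distribution layouts. A result of `enabled` means the RxGK code is built in, not that the fix is missing.

```shell
#!/bin/sh
# Added example: report whether CONFIG_RXGK is set in a kernel config.
# Function names are hypothetical; config paths are common conventions.

# rxgk_state FILE -> prints enabled | not-set | unknown
rxgk_state() {
    cfg=$1
    case $cfg in
        *.gz) text=$(gzip -dc -- "$cfg" 2>/dev/null) || { echo unknown; return 0; } ;;
        *)    text=$(cat -- "$cfg" 2>/dev/null) || { echo unknown; return 0; } ;;
    esac
    # Refuse to guess if the file does not look like a kernel config.
    case $text in
        *CONFIG_*) ;;
        *) echo unknown; return 0 ;;
    esac
    line=$(printf '%s\n' "$text" | grep -E '^CONFIG_RXGK=' | tail -n 1)
    case $line in
        CONFIG_RXGK=y|CONFIG_RXGK=m) echo enabled ;;
        # "# CONFIG_RXGK is not set", or the symbol is omitted because
        # its dependencies are disabled: the code is not built.
        *) echo not-set ;;
    esac
}

# Check the running kernel, trying each conventional config location.
rxgk_running_kernel() {
    rel=$(uname -r)
    for cfg in /proc/config.gz "/boot/config-$rel" "/lib/modules/$rel/config"; do
        [ -r "$cfg" ] || continue
        state=$(rxgk_state "$cfg")
        if [ "$state" != unknown ]; then
            echo "$state ($cfg, kernel $rel)"
            return 0
        fi
    done
    echo "unknown (no readable kernel config for $rel)"
}

rxgk_running_kernel
```

Hosts that report `enabled` are the ones to prioritise for the kernel update; `unknown` means the config was not found and the host needs a manual check.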
These vulnerabilities come after reports of active exploitation of the Copy Fail vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) has included Copy Fail in its list of exploited flaws, urging federal agencies to secure their Linux devices by May 15.
In April, Linux distributions released patches for another long-standing root-privilege escalation vulnerability in the PackageKit daemon, known as Pack2TheRoot, which had remained unnoticed for nearly 12 years.
