New DirtyDecrypt Linux Root Escalation Flaw: How to Protect Your System from Exploitation

Admin

A new vulnerability in the Linux kernel’s rxgk module could let attackers gain root access on some systems. This flaw has a proof-of-concept exploit named DirtyDecrypt, also referred to as DirtyCBC. Researchers from Delphos Labs and V12 security discovered it, but maintainers said it was already patched elsewhere.

V12 noted they reported this issue on May 9, emphasizing it was due to a missing guard in the kernel code. A detailed technical write-up by Delphos Labs’ researcher Kamil Leoniak was released shortly after, diving into the specifics of the vulnerability.

Although there’s no official CVE ID for this flaw, it resembles details found in CVE-2026-31635, which was patched on April 25. To exploit this, the Linux kernel needs the CONFIG_RXGK configuration option enabled. This setting is primarily found in distributions like Fedora, Arch Linux, and openSUSE Tumbleweed.

Testing showed that V12’s exploit worked on Fedora and on the mainline Linux kernel. DirtyDecrypt falls into the same category as the other Linux root escalation vulnerabilities disclosed recently, Dirty Frag and Copy Fail.

Linux users on affected distributions should install the latest kernel updates promptly. If you can’t apply the updates right away, using a temporary mitigation method can help counter potential risks, though it may disrupt some network functions.
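The article states that the flaw only matters on kernels built with the CONFIG_RXGK option, which is a prerequisite an administrator can verify locally before deciding how urgently to schedule the update. The POSIX sh script below is an added example, not code from the article, from Delphos Labs or from V12: it reads a kernel config file (the usual /boot/config-$(uname -r), falling back to /proc/config.gz) and reports whether CONFIG_RXGK is built in, built as a module, or disabled. The function names and the three-line sample config fragments are constructed for illustration. Note what the check does and does not tell you: a "disabled" result means the described precondition is absent, while "builtin" or "module" only means the kernel is in scope; whether it already carries the fix is a question for your distribution's kernel update, not for this script.

```shell
#!/bin/sh
# Added example (not from the article, Delphos Labs or V12): check whether a kernel
# config enables CONFIG_RXGK, the option the article names as the precondition.
# Function names and the sample config fragments below are constructed for illustration.

# rxgk_state CONFIG_FILE
#   Prints "builtin" (=y), "module" (=m) or "disabled" (unset / "is not set").
#   Returns 1 and prints "unreadable" if the file cannot be read.
rxgk_state() {
    cfg="$1"
    if [ ! -r "$cfg" ]; then
        echo "unreadable"
        return 1
    fi
    if grep -q '^CONFIG_RXGK=y$' "$cfg"; then
        echo "builtin"
    elif grep -q '^CONFIG_RXGK=m$' "$cfg"; then
        echo "module"
    else
        echo "disabled"
    fi
}

# running_kernel_config
#   Prints the path of a readable config for the running kernel. Uses the
#   distro-shipped /boot/config-<release> when present, otherwise extracts
#   /proc/config.gz to a temp file. Returns 1 if neither is available.
running_kernel_config() {
    f="/boot/config-$(uname -r)"
    if [ -r "$f" ]; then
        echo "$f"
    elif [ -r /proc/config.gz ]; then
        t=$(mktemp)
        zcat /proc/config.gz > "$t"
        echo "$t"
    else
        return 1
    fi
}

# make_sample_config VALUE
#   Writes a constructed three-line config fragment with CONFIG_RXGK set to
#   VALUE ("y", "m" or "unset") and prints its path. Sample data, not a real config.
make_sample_config() {
    t=$(mktemp)
    {
        echo "CONFIG_AF_RXRPC=m"
        case "$1" in
            unset) echo "# CONFIG_RXGK is not set" ;;
            *)     echo "CONFIG_RXGK=$1" ;;
        esac
        echo "CONFIG_RXKAD=y"
    } > "$t"
    echo "$t"
}

# Demonstration: the three constructed samples, then the running kernel if a config exists.
for v in y m unset; do
    s=$(make_sample_config "$v")
    echo "sample CONFIG_RXGK=$v -> $(rxgk_state "$s")"
    rm -f "$s"
done
if live=$(running_kernel_config); then
    echo "running kernel $(uname -r): CONFIG_RXGK $(rxgk_state "$live")"
fi
```

Run it as an unprivileged user on each host in scope; /boot/config-* is world-readable on the distributions the article names, so no elevated access is needed for the check itself. Pair the result with `uname -r` against your distribution's advisory to decide whether the kernel update is still pending.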

The urgency of addressing these vulnerabilities is highlighted by recent evidence of attackers exploiting the Copy Fail vulnerability actively. The Cybersecurity and Infrastructure Security Agency (CISA) recently added Copy Fail to its list of actively exploited vulnerabilities, urging federal agencies to secure their systems swiftly.

Cybersecurity experts have noted that such vulnerabilities are common attack vectors. “Malicious actors often target these weaknesses, which can lead to serious risks,” stated Will Dormann, a principal vulnerability analyst. This reality underscores the importance of timely responses to security threats in the ever-evolving landscape of cyber threats.

This vulnerability is part of a trend, showing increased scrutiny of Linux systems. In April, another root-privilege escalation vulnerability, Pack2TheRoot, was patched after being unnoticed for nearly 12 years. Keeping systems updated is crucial to safeguarding against potential exploits.

For more information, Delphos Labs has published a comprehensive write-up on their findings regarding DirtyCBC here.



Source link