DirtyDecrypt / DirtyCBC local privilege escalation in Linux kernel RxRPC RXGK
CVE-2026-31635 is a Linux kernel vulnerability in the RxRPC RXGK authentication path, publicly referred to as DirtyDecrypt or DirtyCBC. The upstream fix states that rxgk_verify_response() decodes auth_len from an incoming RESPONSE packet and is intended to verify that the authenticator length fits within the remaining packet payload. That validation was inverted, so oversized RESPONSE authenticators were accepted and passed to rxgk_decrypt_skb(). The resulting impossible length can propagate into skb_to_sgvec()/__skb_to_sgvec(), triggering a kernel BUG_ON(len) and causing a crash. Supporting reporting also associates this issue with a missing copy-on-write guard in rxgk_decrypt_skb(), enabling writes into shared page-cache-backed memory during decryption and turning the bug into a local privilege-escalation primitive on affected systems. The issue affects kernels with RXGK support enabled, and reporting indicates it was introduced in kernel 6.16 and affects versions through stable releases before 6.18.23.
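As an added exposure check (not from the advisory, the upstream fix, or Mallory), the script below reports whether a running kernel falls in the version window the summary above gives (6.16 up to, but not including, 6.18.23) and whether its build config enables RXGK. It assumes the config is readable from /proc/config.gz or /boot/config-<release>, uses the CONFIG_RXGK option name the page cites, and treats CONFIG_RXGK=m the same as =y (an assumption).

```shell
#!/bin/sh
# Added exposure check for CVE-2026-31635; not the page's or any vendor's tool.
# Assumptions: affected window 6.16 <= version < 6.18.23 as the page states;
# build config readable at /proc/config.gz or /boot/config-$(uname -r).

# version_ge A B: succeed when dotted version A >= B (GNU sort -V ordering)
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# kernel_in_affected_range RELEASE: succeed when 6.16 <= RELEASE < 6.18.23;
# the distro suffix (e.g. "-generic") is stripped before comparing
kernel_in_affected_range() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    version_ge "$ver" "6.16" && ! version_ge "$ver" "6.18.23"
}

# rxgk_enabled_in CONFIG_TEXT: succeed when CONFIG_RXGK is built in or modular
rxgk_enabled_in() {
    printf '%s\n' "$1" | grep -Eq '^CONFIG_RXGK=(y|m)$'
}

# read_kernel_config: print the running kernel's build config, if readable
read_kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    fi
}

# exposure_status RELEASE CONFIG_TEXT: print one verdict word
#   not-in-range   version outside the reported window
#   rxgk-disabled  in window, but RXGK not enabled in this build
#   affected       in window and RXGK enabled
exposure_status() {
    if ! kernel_in_affected_range "$1"; then
        echo "not-in-range"
    elif rxgk_enabled_in "$2"; then
        echo "affected"
    else
        echo "rxgk-disabled"
    fi
}

# Stand-alone run against the live system
echo "$(uname -r): $(exposure_status "$(uname -r)" "$(read_kernel_config)")"
```

A not-in-range verdict only says the version is outside the reported window; distribution kernels backport fixes under unchanged version strings, so confirm against the distro's advisory before closing the ticket.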
Impact, mitigation & remediation
What it means. What to do now. For analysts and engineers who need to decide and keep moving.
Impact
What an attacker gets — and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository is a small standalone local privilege escalation exploit consisting of one C source file and a minimal README. The main file, CVE-2026-31635.c, claims to target CVE-2026-31635 ('DirtyDecrypt'), described as a Linux kernel flaw involving a missing COW guard in rxgk_decrypt_skb(). The exploit is not part of a larger framework.

Structure and behavior: the program starts in main(), checks that it is not already running as root, prints the kernel version using 'uname -r', and warns that the target system must support CONFIG_RXGK=y. It then creates new user and network namespaces using clone(CLONE_NEWUSER|CLONE_NEWNET). Inside the child namespace it writes to /proc/self/uid_map and /proc/self/setgroups, then sets up an AF_RXRPC socket and adds an RXGK key with description 'rxgk:127.0.0.1'. The socket is bound to loopback (127.0.0.1) using a sockaddr_rxrpc structure.

Exploit capability: after setup, it loads /etc/passwd into page cache, reads its current contents, checks whether a 'dirtyroot' account already exists, and then attempts to append the hardcoded payload 'dirtyroot::0:0:root:/root:/bin/bash\n' one byte at a time by repeatedly calling trigger_decrypt(), which sends crafted data through sendmsg() on the AF_RXRPC socket. If verification succeeds, it reports success and attempts privilege use in two ways: first by invoking "su dirtyroot -c 'whoami && exec /bin/bash'", then by directly trying setuid(0)/setgid(0) and execing interactive shells from common paths.

Overall purpose: this is an operational local kernel LPE proof-of-concept with a built-in post-exploitation payload. It does not merely detect vulnerability; it attempts actual privilege escalation by modifying /etc/passwd and obtaining an interactive root shell. There are no external C2 endpoints or remote network targets beyond local loopback and kernel interfaces used to trigger the vulnerability.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles against your asset inventory in the product.
Recent activity
43 sources tracked across advisories, community write-ups, and news. Mallory keeps watching after this page renders.
A Linux kernel local privilege escalation vulnerability caused by a missing copy-on-write guard in rxgk_decrypt_skb, allowing writes to shared page-cache pages and potentially enabling root access.
A high-severity Linux kernel local privilege escalation vulnerability in the RxGK subsystem caused by a missing copy-on-write guard in rxgk_decrypt_skb(), allowing local unprivileged users to corrupt privileged memory or page-cache-backed files and gain root access.
A Linux kernel local privilege escalation vulnerability caused by a missing copy-on-write guard in rxgk_decrypt_skb(), enabling writes into privileged process memory or privileged file page cache.
A Linux kernel local privilege escalation vulnerability in the RxRPC subsystem that can lead to root access through memory corruption involving rxgk_verify_response()/rxgk_decrypt_skb() logic.
See the full picture, correlated to your attack surface.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules — auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.