DirtyDecrypt PoC Released: Another Linux Kernel LPE Exploitable in the Wild
A proof-of-concept (PoC) exploit has surfaced for **DirtyDecrypt** (**CVE-2026-31635**), a local privilege escalation (LPE) vulnerability in the Linux kernel. This flaw, impacting distributions with **CONFIG_RXGK** enabled, adds to a growing list of recently discovered kernel vulnerabilities that could grant attackers root access.

### DirtyDecrypt: Details and Impact
The **DirtyDecrypt** vulnerability, reported by **Zellic** and the **V12 security team**, stems from a missing copy-on-write (COW) guard in `rxgk_decrypt_skb`. According to **Luna Tong** (aka cts and gf_256) of Zellic, this oversight allows data to be written to the memory of privileged processes or to the page cache of privileged files, such as `/etc/shadow`, `/etc/sudoers`, or SUID binaries. This can lead to local privilege escalation.
As explained by Moselwal, `rxgk_decrypt_skb()` decrypts incoming socket buffers. Because the COW guard is missing, the decrypted data can land on memory pages that are shared with other processes or with the page cache, without a private copy being created first.
### Affected Systems
**DirtyDecrypt** specifically affects Linux distributions with **CONFIG_RXGK** enabled, including **Fedora**, **Arch Linux**, and **openSUSE Tumbleweed**. In containerized environments, vulnerable worker nodes could provide an escape path from the pod.
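Since the article ties exposure to the `CONFIG_RXGK` build option, the first thing an administrator wants is a quick inventory check of whether the running kernel was built with it. The script below is an added example written for this page, not code from Zellic, the V12 team, or any distribution; it reads the kernel config in the standard Kconfig format (`CONFIG_RXGK=y`/`=m` or `# CONFIG_RXGK is not set`) from `/proc/config.gz` or `/boot/config-$(uname -r)`, and the sample config contents used to exercise it are constructed for the example. A result of `enabled` means the option is present, which is the article's precondition; it says nothing about whether the kernel version is patched, so pair it with your distribution's advisory.

```shell
#!/bin/sh
# Added example: report whether a kernel build config has CONFIG_RXGK set.
# Prints one of: enabled (=y or =m), disabled (explicitly not set),
# unknown (symbol absent or config unreadable). Always returns 0 so it can
# be used under `set -e` in inventory scripts.
rxgk_config_state() {
    cfg="$1"
    if [ ! -r "$cfg" ]; then
        echo "unknown"
        return 0
    fi
    # /proc/config.gz is gzip-compressed; /boot/config-* is plain text.
    case "$cfg" in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    if $reader "$cfg" | grep -Eq '^CONFIG_RXGK=(y|m)$'; then
        echo "enabled"
    elif $reader "$cfg" | grep -Eq '^# CONFIG_RXGK is not set$'; then
        echo "disabled"
    else
        echo "unknown"
    fi
    return 0
}

# Locate the config for the running kernel: prefer /proc/config.gz
# (needs CONFIG_IKCONFIG_PROC), then the distro's copy under /boot.
find_kernel_config() {
    if [ -r /proc/config.gz ]; then
        echo /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Write a constructed sample config (not a real distribution config) to a
# temp file so the checker can be demonstrated offline. $1 selects the case.
make_sample_config() {
    tmp=$(mktemp)
    case "$1" in
        enabled)  printf 'CONFIG_AFS_FS=m\nCONFIG_RXGK=y\n' > "$tmp" ;;
        disabled) printf 'CONFIG_AFS_FS=m\n# CONFIG_RXGK is not set\n' > "$tmp" ;;
        *)        printf 'CONFIG_NET=y\n' > "$tmp" ;;
    esac
    echo "$tmp"
}

# Stand-alone run: report on the live kernel if its config is readable.
if cfg=$(find_kernel_config); then
    echo "$cfg: CONFIG_RXGK $(rxgk_config_state "$cfg")"
else
    echo "no readable kernel config found for $(uname -r)"
fi
```

The live-kernel report is advisory only: if neither config source is readable the script says so rather than guessing, and a `disabled` or `unknown` result should be confirmed against the distribution's package metadata before a host is marked out of scope.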
### A Family of Flaws
Zellic assesses **DirtyDecrypt** as a variant of vulnerabilities like **Copy Fail** (**CVE-2026-31431**), **Dirty Frag** (aka Copy Fail 2, **CVE-2026-43284** and **CVE-2026-43500**), and **Fragnesia** (**CVE-2026-46300**). These flaws all grant root access on vulnerable systems by exploiting weaknesses in memory management.
**Copy Fail**, discovered by researchers at **Theori**, is a local privilege escalation flaw in the AF_ALG cryptographic socket interface. **Dirty Frag** expands on **Copy Fail** with two page-cache write primitives. Security researcher **Hyunwoo Kim** publicly disclosed details after a merged patch for **CVE-2026-43284** led another researcher (0xdeadbeefnetwork/afflicted.sh) to independently discover and publish details of the vulnerability.
**Fragnesia** is another variant of **Dirty Frag**, impacting the XFRM ESP-in-TCP subsystem, leading to the same outcome: unprivileged local attackers can modify read-only file contents in the kernel page cache and gain root privileges.
### Other Recent Linux Kernel Vulnerabilities
This vulnerability arrives alongside other recently disclosed LPE flaws, including one in the Linux **PackageKit** daemon (**CVE-2026-41651**, aka Pack2TheRoot) and an improper privilege management flaw in the kernel (**CVE-2026-46333**, aka ssh-keysign-pwn). The latter allows unprivileged local users to read root-owned secrets like SSH private keys.
Various Linux distributions have released advisories for **CVE-2026-46333**:
* [AlmaLinux](https://almalinux.org/blog/2026-05-15-ssh-keysign-pwn-cve-2026-46333/)
* [Amazon Linux](https://explore.alas.aws.amazon.com/CVE-2026-46333.html)
* [CloudLinux](https://blog.cloudlinux.com/ptrace-exit-race-cve-2026-46333-mitigation-and-kernel-update)
* [Fedora](https://bodhi.fedoraproject.org/updates/FEDORA-2026-8b4a8d18d2)
* [Gentoo](https://bugs.gentoo.org/show_bug.cgi?id=CVE-2026-46333)
* [Red Hat](https://access.redhat.com/security/cve/cve-2026-46333)
* [SUSE](https://www.suse.com/security/cve/CVE-2026-46333.html)
* [Ubuntu](https://ubuntu.com/blog/ssh-keysign-pwn-linux-vulnerability-fixes-available)
### Kernel Killswitch Proposal
The recent wave of kernel vulnerability disclosures has spurred discussion among Linux kernel developers about implementing an emergency "killswitch." This would allow administrators to disable vulnerable kernel functions at runtime until a patch is available.
Linux kernel developer **Sasha Levin** proposed the "killswitch," which would allow a privileged operator to force a chosen kernel function to return a fixed value without executing its body. This would serve as a temporary mitigation for security bugs.
### Rocky Linux Security Repository
**Rocky Linux** has introduced an optional security repository to deliver urgent security fixes quickly, especially when vulnerabilities are publicly known before upstream patches are available. This repository is disabled by default, maintaining the distribution's focus on stability and upstream compatibility. Administrators can opt in to access these accelerated fixes when needed.
This repository caters to specific cases where a significant vulnerability is public, exploit code exists, and upstream patches are not yet available. It is not intended as a replacement for the regular release process.