DirtyDecrypt: New Linux Kernel Exploit Grants Root Access
A proof-of-concept exploit has emerged for a recently patched local privilege escalation vulnerability in the **Linux** kernel's rxgk module. Dubbed DirtyDecrypt, the flaw allows attackers to gain root access on vulnerable systems. Users are urged to apply the latest kernel updates.

A recently patched local privilege escalation vulnerability in the **Linux** kernel's rxgk module now has a proof-of-concept exploit that allows attackers to gain root access on some **Linux** systems.
### DirtyDecrypt Details
Named DirtyDecrypt and also known as DirtyCBC, this security flaw was autonomously found and reported by the **V12** security team earlier this month; the maintainers then informed them that it was a duplicate of a bug already patched in the mainline kernel.
"We found and reported this on May 9, 2026, but were informed it was a duplicate by the maintainers," **V12** said. "It's an rxgk pagecache write due to a missing COW guard in rxgk_decrypt_skb. See poc.c for more details."
While there is no official **CVE** ID associated with this security flaw, according to **Will Dormann** (principal vulnerability analyst at **Tharros**), the information from the security researchers aligns with the details of **CVE-2026-31635**, which was patched on April 25.
### Attack Surface
Successful exploitation requires running a **Linux** kernel with the `CONFIG_RXGK` configuration option, which enables RxGK security support for the Andrew File System (**AFS**) client and network transport.
This limits the attack surface to **Linux** distributions that closely follow the latest upstream kernel releases, including **Fedora**, **Arch Linux**, and **openSUSE Tumbleweed**. However, **V12's** proof-of-concept exploit has only been tested against **Fedora** and the mainline **Linux** kernel.

*DirtyDecrypt exploit Fedora test (Will Dormann)*
### Similar Vulnerabilities
DirtyDecrypt belongs to the same vulnerability class as several other root-escalation flaws disclosed in recent weeks, including Dirty Frag, Fragnesia, and Copy Fail.
### Mitigation
**Linux** users on distros potentially affected by DirtyDecrypt are advised to install the latest kernel updates as soon as possible.
However, those who can't immediately patch their devices can apply the same mitigation used for Dirty Frag, with the caveat that it also breaks IPsec VPNs and **AFS** distributed network file systems:

```sh
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"
```
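A read-only check of whether that workaround is actually in effect on a host, added here as an example that is not part of the article or of V12's code. The `MODPROBE_DIR`, `MODULES_FILE` and `KCONFIG` variables are assumed overrides so the checks can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the article or from V12: read-only checks for the
# state of the quoted Dirty Frag mitigation. Assumed knobs for testing
# without root: MODPROBE_DIR, MODULES_FILE and KCONFIG may be overridden.
MODPROBE_DIR="${MODPROBE_DIR:-/etc/modprobe.d}"
MODULES_FILE="${MODULES_FILE:-/proc/modules}"
KCONFIG="${KCONFIG:-/boot/config-$(uname -r)}"

# The modules the article's one-liner blocks and unloads.
MITIGATED_MODULES="esp4 esp6 rxrpc"

# module_blocked NAME: true if some modprobe.d file maps NAME to /bin/false,
# i.e. "modprobe NAME" will refuse to load it.
module_blocked() {
    grep -qsE "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/false" \
        "$MODPROBE_DIR"/*.conf
}

# module_loaded NAME: true if NAME is in the first column of /proc/modules.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$MODULES_FILE" 2>/dev/null
}

# rxgk_configured: true if the kernel config enables CONFIG_RXGK, the option
# the article names as a precondition for exploitation.
rxgk_configured() {
    grep -qs '^CONFIG_RXGK=y' "$KCONFIG"
}

# rxrpc_builtin: true if rxrpc is compiled into the kernel (CONFIG_AF_RXRPC=y).
# A built-in rxrpc cannot be blocked by modprobe.d or removed with rmmod, so
# the quoted workaround does nothing on such kernels; only an update helps.
rxrpc_builtin() {
    grep -qs '^CONFIG_AF_RXRPC=y' "$KCONFIG"
}

# mitigation_status: one line per module; returns 0 only when every module is
# both blocked from loading and not currently loaded.
mitigation_status() {
    rc=0
    for m in $MITIGATED_MODULES; do
        if module_blocked "$m"; then blk=blocked; else blk=loadable; rc=1; fi
        if module_loaded "$m"; then ld=loaded; rc=1; else ld=unloaded; fi
        printf '%-6s %-9s %s\n' "$m" "$blk" "$ld"
    done
    return "$rc"
}
```

Run `mitigation_status` before and after applying the one-liner; any `loadable` or `loaded` entry means the workaround is not in effect, and a true `rxrpc_builtin` means it cannot take effect on that kernel.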
### Active Exploitation
These disclosures follow recent reports that attackers are now actively exploiting the Copy Fail vulnerability in the wild.
The **Cybersecurity and Infrastructure Security Agency (CISA)** added Copy Fail to its list of flaws exploited in attacks on May 1 and ordered federal agencies to secure their **Linux** devices within two weeks, by May 15.
"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," the U.S. cybersecurity agency warned.
In April, **Linux** distros rolled out patches for another root-privilege escalation vulnerability (dubbed Pack2TheRoot) in the PackageKit daemon that had gone unnoticed for almost 12 years.