The Linux ecosystem has had a turbulent few weeks. The fallout from Copy Fail and Dirty Frag had barely subsided when a new local privilege escalation vector surfaced: a critical kernel flaw dubbed DirtyDecrypt. Upstream maintainers have already merged a fix, but the public release of a working proof-of-concept (PoC) exploit sharply raises the risk for fleets that have not yet applied the update.
The vulnerability, tracked as CVE-2026-31635, carries a CVSS score of 7.5. Researchers from Zellic and V12 disclosed it on May 9, 2026; kernel maintainers then noted that the bug was effectively a duplicate of a previously fixed flaw. Zellic co-founder Luna Tun described DirtyDecrypt (also tracked as DirtyCBC) as an unchecked memory write into the RxGK page cache that bypasses the kernel's Copy-on-Write (CoW) protection entirely.
The bug lives in rxgk_decrypt_skb, the routine that decrypts inbound socket buffers (sk_buff). Normally the kernel makes a private copy of a shared memory page before allowing a write to it, so that one process's modifications stay isolated from every other process. Here that protection never triggers, so an unprivileged local attacker can write directly into memory belonging to privileged system daemons, or into the kernel's page-cache copies of critical files such as /etc/shadow, /etc/sudoers, and SUID binaries.
DirtyDecrypt affects only kernels built with the CONFIG_RXGK option enabled. Distributions shipping such kernels include Fedora, Arch Linux, and openSUSE Tumbleweed. In container orchestration environments, a worker node running a vulnerable kernel could give an attacker who has compromised a pod the memory-level access needed for a reliable escape from that pod onto the node.
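Because exposure hinges on a single build option, the first thing a defender wants is a quick, scriptable answer to "was this kernel built with CONFIG_RXGK?" The script below is an added example, not code from the article or from any of the projects it names. It classifies a kernel config as enabled, disabled or unknown, and then applies the same check to the running kernel. The config locations (/boot/config-<release>, /proc/config.gz) and the assumption that RxGK is carried by the rxrpc module are this example's own assumptions; a positive result means "exposed if unpatched", and the script makes no attempt to judge whether the fix is already present.

```shell
#!/bin/sh
# Added example (not from the article): report whether a kernel config, and
# the running kernel, has CONFIG_RXGK set, the precondition the article gives
# for DirtyDecrypt. Paths and the rxrpc module name are assumptions.

# Classify config text read from stdin as enabled / disabled / unknown.
# CONFIG_RXGK=y (built in) and CONFIG_RXGK=m (module) both count as enabled.
rxgk_state_from_config() {
    cfg=$(cat)
    if printf '%s\n' "$cfg" | grep -Eq '^CONFIG_RXGK=(y|m)$'; then
        echo enabled
    elif printf '%s\n' "$cfg" | grep -Eq '^(# CONFIG_RXGK is not set|CONFIG_RXGK=n)$'; then
        echo disabled
    else
        # Option absent: kernel predates RxGK, or the config is incomplete.
        echo unknown
    fi
}

# Same check on a file; .gz inputs such as /proc/config.gz are decompressed.
rxgk_state_from_file() {
    case "$1" in
        *.gz) zcat "$1" 2>/dev/null | rxgk_state_from_config ;;
        *)    cat "$1" 2>/dev/null | rxgk_state_from_config ;;
    esac
}

# Print the first readable config for the running kernel (assumed paths).
running_kernel_config() {
    for f in "/boot/config-$(uname -r)" /proc/config.gz; do
        if [ -r "$f" ]; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# Report on the live system. Exit status: 0 = CONFIG_RXGK enabled (exposed
# if unpatched), 1 = not enabled, 2 = could not determine.
check_running_kernel() {
    path=$(running_kernel_config) || {
        echo "$(uname -r): kernel config not found, CONFIG_RXGK state unknown"
        return 2
    }
    state=$(rxgk_state_from_file "$path")
    echo "$(uname -r): CONFIG_RXGK $state (from $path)"
    # Assumption: RxGK is carried by the rxrpc module when built as =m.
    if [ -r /proc/modules ] && grep -q '^rxrpc ' /proc/modules; then
        echo "note: rxrpc module is currently loaded"
    fi
    [ "$state" = enabled ]
}

# Constructed sample configs, so the classifier can be exercised offline.
demo_constructed_samples() {
    tmp=$(mktemp)
    printf 'CONFIG_AFS_FS=m\nCONFIG_RXRPC=m\nCONFIG_RXGK=y\n' > "$tmp"
    echo "sample 1 (RxGK built in): $(rxgk_state_from_file "$tmp")"
    printf 'CONFIG_RXRPC=m\n# CONFIG_RXGK is not set\n' > "$tmp"
    echo "sample 2 (RxGK off):      $(rxgk_state_from_file "$tmp")"
    rm -f "$tmp"
}

demo_constructed_samples
check_running_kernel || true
```

Run it as-is on each node, or call rxgk_state_from_file against a config pulled from a fleet inventory; an "unknown" result is worth investigating rather than treating as safe, since it usually means the config could not be read at all.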
Zellic groups DirtyDecrypt with a growing family of related page-cache bugs that includes Copy Fail, Dirty Frag, and Fragnesia. All of them follow the same exploitation pattern: a local, unprivileged attacker modifies the page-cache copy of a read-only system file and uses that to escalate to root. Security researcher Hyunwoo Kim first documented Copy Fail, which set off a wave of derivative variants as attackers reverse-engineered the public fixes merged into the upstream Linux kernel.
With local privilege escalation bugs arriving back to back, kernel developers are now debating an emergency mitigation mechanism. Kernel maintainer Sasha Levin has proposed a framework that would let administrators disable selected kernel subsystems or modules at runtime, buying time while a proper, regression-tested fix is prepared upstream.
Rocky Linux, meanwhile, has taken its own route: a dedicated out-of-band security repository for fast patch delivery. The channel is disabled by default and is intended specifically for the window in which a critical vulnerability and working exploit code are public but a stable upstream release has not yet shipped.