A working proof-of-concept exploit for a dangerous Linux kernel flaw called DirtyDecrypt is now publicly available. Attackers can use it to gain full root access on vulnerable Linux systems. With similar flaws already being exploited in real-world attacks, security experts say there is no time to waste.
What DirtyDecrypt Is and How It Works
DirtyDecrypt, also known as DirtyCBC, is a local privilege escalation vulnerability buried inside the Linux kernel’s rxgk module.
The flaw exists because of a missing Copy-On-Write (COW) guard inside a function called rxgk_decrypt_skb: the decryption path writes into page-cache pages in place instead of first taking a private copy. That gap allows an attacker with local system access to modify page-cache memory they are only supposed to read, ultimately opening a path to full root control over the machine.
The V12 security team independently discovered and reported this flaw on May 9, 2026. When they contacted the Linux kernel maintainers, they were told the bug was already patched upstream as a duplicate of a previously known issue.
“We found and reported this on May 9, 2026, but were informed it was a duplicate by the maintainers,” V12 stated. “It’s a rxgk pagecache write due to missing COW guard in rxgk_decrypt_skb. See poc.c for more details.”
While no official CVE ID has been assigned directly to DirtyDecrypt, principal vulnerability analyst Will Dormann at Tharros confirmed the flaw lines up precisely with CVE-2026-31635, which was patched in the Linux mainline on April 25, 2026.
Which Linux Distros Face the Real Risk
Not every Linux system is in danger. Successful exploitation requires the target machine to be running a Linux kernel compiled with the CONFIG_RXGK configuration option. This setting enables RxGK (GSSAPI/Kerberos) security support in the RxRPC transport that the Andrew File System (AFS) client uses.
Most mainstream distributions do not ship with this option turned on by default. The systems most exposed are those that closely track the latest upstream kernel releases.
The currently identified at-risk distributions are:
- Fedora
- Arch Linux
- openSUSE Tumbleweed
The V12 team’s proof-of-concept exploit has only been confirmed working on Fedora and the mainline Linux kernel so far. Testing on other distributions is still ongoing.
Users running enterprise-focused releases like Red Hat Enterprise Linux or Ubuntu LTS are likely at lower risk, as those builds typically do not enable CONFIG_RXGK out of the box. Still, system administrators should verify their kernel build flags to be certain: the answer depends on the exact kernel package installed, not on the distribution name.
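The check described above, as an added example (editor's illustration, not code from V12 or from the kernel project). It assumes the running kernel's build configuration is available at /boot/config-$(uname -r) or /proc/config.gz, which is where Fedora, Arch Linux and openSUSE normally expose it, and it reports "exposed" only when CONFIG_RXGK=y and the RxRPC transport (CONFIG_AF_RXRPC) is built as well. The file locations and the "exposed"/"not-built" wording are this example's own choices.

```shell
#!/bin/sh
# Added example: does this kernel carry the RxGK code at all?
# Assumption: the build config lives at /boot/config-$(uname -r) or
# /proc/config.gz; other locations are not searched.

# Print the path of a readable plain-text kernel config, or fail.
find_kernel_config() {
    f="/boot/config-$(uname -r)"
    if [ -r "$f" ]; then
        printf '%s\n' "$f"
    elif [ -r /proc/config.gz ]; then
        # Decompress to a temp file so callers can grep a plain file.
        t="$(mktemp)" || return 1
        zcat /proc/config.gz > "$t" && printf '%s\n' "$t"
    else
        return 1
    fi
}

# Print the value of one CONFIG_ symbol: y, m, or n.
# "# CONFIG_FOO is not set" has no "=" and therefore reads as n.
config_value() {
    cfg="$1"; sym="$2"
    v="$(grep -E "^${sym}=" "$cfg" | head -n1 | cut -d= -f2)"
    [ -n "$v" ] && printf '%s\n' "$v" || printf 'n\n'
}

# Classify exposure. RxGK is a bool option compiled into the rxrpc
# code, so it only matters when AF_RXRPC is built (y or m).
rxgk_exposure() {
    cfg="$1"
    rxrpc="$(config_value "$cfg" CONFIG_AF_RXRPC)"
    rxgk="$(config_value "$cfg" CONFIG_RXGK)"
    if [ "$rxgk" = "y" ] && [ "$rxrpc" != "n" ]; then
        printf 'exposed (AF_RXRPC=%s, RXGK=y)\n' "$rxrpc"
    else
        printf 'not-built (AF_RXRPC=%s, RXGK=%s)\n' "$rxrpc" "$rxgk"
    fi
}

# Usage: run as a script on the host being assessed.
if cfg="$(find_kernel_config 2>/dev/null)"; then
    rxgk_exposure "$cfg"
    # If rxrpc is already resident, AFS or a test harness has pulled it in.
    if command -v lsmod >/dev/null 2>&1; then
        lsmod | awk '$1 == "rxrpc" || $1 == "kafs" { print "loaded:", $1 }'
    fi
else
    echo "kernel config not found; check CONFIG_RXGK in your kernel package"
fi
```

A result of "not-built" means the vulnerable code is absent from this kernel and the modprobe workaround below is unnecessary; "exposed" means patch, or block the module, regardless of whether rxrpc is currently loaded, because a local user can trigger its autoload.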
DirtyDecrypt Joins a Dangerous 2026 Trend
DirtyDecrypt does not stand alone. It is one of a string of Linux root-privilege escalation flaws, several of them page-cache write bugs of the same kind, that researchers have uncovered in a short span of time this year.
Here is a clear breakdown of the related vulnerabilities discovered in 2026:
| Vulnerability | Current Status | Key Notes |
|---|---|---|
| DirtyDecrypt (DirtyCBC) | Patched, POC now public | Targets rxgk module |
| Dirty Frag | Patched | Shares mitigation with DirtyDecrypt |
| Fragnesia | Patched | Same vulnerability class |
| Copy Fail | Actively exploited in the wild | Added to CISA KEV on May 1, 2026 |
| Pack2TheRoot | Patched in April 2026 | Undetected for nearly 12 years |
The most alarming situation right now is Copy Fail, which attackers are already using in active, real-world attacks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Copy Fail to its Known Exploited Vulnerabilities catalog on May 1, 2026. Federal agencies were ordered to patch their Linux systems within two weeks, setting a hard deadline of May 15, 2026.
CISA’s message was direct and firm. “This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” the agency warned.
The Pack2TheRoot case added its own shock to the situation. That root-privilege escalation bug sat undetected inside the PackageKit daemon, a userspace component rather than the kernel, for nearly 12 years before researchers caught it in April 2026. The pace of these discoveries makes clear that attackers and researchers are both digging deep into the code that guards Linux privilege boundaries right now.
How to Secure Your Linux System Right Now
The most effective fix is straightforward. Install the latest kernel updates for your Linux distribution without delay. Users on Fedora, Arch Linux, and openSUSE Tumbleweed should check their update managers and apply any available kernel patches today.
For those who cannot patch immediately, a temporary workaround is available. It is the same mitigation command used for the Dirty Frag vulnerability: it blocks the esp4 and esp6 modules (IPsec ESP) and the rxrpc transport module that the AFS client depends on. Applying it will therefore disable IPsec VPNs and AFS distributed network file systems on your machine as a side effect.
Run this command as root in your terminal to block the vulnerable kernel modules:
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"
This command prevents the vulnerable modules from loading at all, cutting off the attack path before it can be used against your system. Two caveats apply. First, the modprobe override only works for code built as a loadable module; if your kernel has rxrpc compiled in (CONFIG_AF_RXRPC=y), the block does nothing and only a patched kernel helps. Second, rmmod rxrpc fails silently if a module that depends on it, such as kafs, is still loaded, so confirm with lsmod afterwards that esp4, esp6 and rxrpc are no longer resident. The final drop_caches step evicts page-cache contents after the modules are unloaded; it does not undo anything an attacker has already done with root.
Enterprise and production environment admins should review the network trade-offs carefully before running this workaround. If IPsec VPNs are critical to your operations, coordinate with your security team before applying it.
A proper kernel patch is always the cleaner and more reliable long-term fix.
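The workaround above, wrapped so that it can be applied, verified and later rolled back, as an added example (editor's illustration, not V12's or any distribution's tooling). It assumes the standard /etc/modprobe.d location and lsmod's usual column layout; the directory and the lsmod text are parameters so the logic can be exercised against a scratch directory and a constructed module list without root.

```shell
#!/bin/sh
# Added example: apply the Dirty Frag-style module block, check it took,
# and remove it again once a patched kernel is running.
# Assumptions: /etc/modprobe.d is honoured by modprobe, and lsmod prints
# "Module Size Used by" followed by one module per line.
# Must run as root to write the override and unload modules.

BLOCKED_MODULES="esp4 esp6 rxrpc"

# Write the install-override file into the given modprobe.d directory.
write_block_conf() {
    dir="${1:-/etc/modprobe.d}"
    for m in $BLOCKED_MODULES; do
        printf 'install %s /bin/false\n' "$m"
    done > "$dir/dirtyfrag.conf"
}

# Read lsmod-style output on stdin and print any blocked module that is
# still loaded (empty output means the running kernel is clear as well).
still_loaded() {
    awk -v want="$BLOCKED_MODULES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) set[w[i]] = 1 }
        NR > 1 && ($1 in set) { print $1 }'
}

# Roll back: delete the override so IPsec and AFS can load again.
remove_block_conf() {
    rm -f "${1:-/etc/modprobe.d}/dirtyfrag.conf"
}

# The full procedure from the article, plus a verification step.
# Note: rmmod rxrpc fails if a dependent module (e.g. kafs) is loaded;
# unload that first or rxrpc stays resident until reboot.
mitigate() {
    write_block_conf /etc/modprobe.d
    rmmod $BLOCKED_MODULES 2>/dev/null
    echo 3 > /proc/sys/vm/drop_caches
    left="$(lsmod | still_loaded)"
    if [ -n "$left" ]; then
        printf 'WARNING: still loaded, block not yet effective: %s\n' "$left"
        return 1
    fi
    echo "override written; esp4, esp6 and rxrpc are not loaded"
}

# Usage: sh mitigate.sh apply   (as root)
#        sh mitigate.sh revert  (after the kernel is patched)
case "${1:-}" in
    apply)  mitigate ;;
    revert) remove_block_conf /etc/modprobe.d ;;
esac
```

The `still_loaded` check is the part the one-liner in the article lacks: because the original command swallows rmmod errors and ends with `true`, it exits successfully even when rxrpc is still resident, which is exactly the case in which a local user can still reach rxgk_decrypt_skb.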
DirtyDecrypt is another sharp reminder that even one of the most trusted operating systems in the world is not immune to serious security gaps. With a live exploit now out in the open and Copy Fail already being weaponized in real attacks, the Linux security landscape is moving fast in 2026. The discovery of Pack2TheRoot, a flaw that hid for nearly 12 years, only deepens the concern about what else might still be lurking. Every unpatched system is a door left open. Update now, verify your kernel configuration, and do not wait for attackers to walk in first.