Overview
- DirtyDecrypt, which received public proof-of-concept code Tuesday, enables a local user to gain root by writing into protected memory.
- The bug stems from a missing copy-on-write guard in rxgk_decrypt_skb within the RxGK security layer for the RxRPC protocol, allowing writes into the page cache of privileged files like /etc/shadow or into memory used by privileged processes.
- Impact is limited to kernels compiled with CONFIG_RXGK, which include builds used by Fedora, Arch Linux, and openSUSE Tumbleweed. On a vulnerable container worker node, the bug could let an attacker escape a pod.
- Zellic and V12 reported the issue on May 9 after maintainers had already fixed it in mainline in April, and NVD records tie it to CVE-2026-31635 with a CVSS score of 7.5.
- Kernel developers are weighing a runtime “killswitch” to disable vulnerable functions as a stopgap, and Rocky Linux introduced an opt-in security repository to ship urgent fixes faster.
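
Since impact depends on whether the kernel was compiled with CONFIG_RXGK, the following added example (not from the original page or the kernel project) reads a kernel build config and reports how that option is set. The config file locations and the script name in the usage comment are assumptions based on common distribution layouts.

```shell
#!/bin/sh
# Added example (not from the original page): report whether a kernel build
# config enables CONFIG_RXGK, the option the overview ties exposure to.

# config_state FILE SYMBOL -> prints y, m, another value, "unset" or "absent"
config_state() {
    file=$1
    sym=$2
    case $file in
        *.gz) reader="gzip -dc" ;;   # e.g. /proc/config.gz
        *)    reader="cat" ;;
    esac
    $reader "$file" 2>/dev/null | awk -v s="CONFIG_$sym" '
        $0 ~ ("^" s "=")              { v = $0; sub(/^[^=]*=/, "", v); state = v }
        $0 == ("# " s " is not set")  { state = "unset" }
        END { print (state == "" ? "absent" : state) }'
}

# rxgk_exposure FILE -> "exposed" when RxGK is compiled (built in or module)
rxgk_exposure() {
    case $(config_state "$1" RXGK) in
        y|m) echo exposed ;;
        *)   echo not-built ;;
    esac
}

# find_running_config -> first readable config for the running kernel.
# The three paths are common distribution locations (assumption).
find_running_config() {
    for f in "/boot/config-$(uname -r)" "/lib/modules/$(uname -r)/config" \
             /proc/config.gz; do
        [ -r "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# Usage: sh check_rxgk.sh [CONFIG_FILE]   (script name is hypothetical)
cfg=${1:-$(find_running_config || true)}
if [ -n "$cfg" ]; then
    echo "$cfg: CONFIG_RXGK=$(config_state "$cfg" RXGK) -> $(rxgk_exposure "$cfg")"
else
    echo "no readable kernel config found; pass a config file path" >&2
fi
```

A result of "exposed" means the RxGK code is compiled in, not that the kernel is unpatched; check the running kernel version against your distribution's advisory for CVE-2026-31635 to confirm whether the fix is present.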