SECURITYWEEK reports that a proof-of-concept (PoC) for the DirtyDecrypt Linux kernel vulnerability is now available, with the exploit published by the V12 security team who discovered it earlier this month after fixes were rolled out in April. The flaw, dubbed DirtyDecrypt (aka DirtyCBC), is a missing copy-on-write guard in the rxgk_decrypt_skb component of the RxGK subsystem, a security class for the RxRPC network protocol used by the Andrew File System and OpenAFS.
According to V12, the vulnerability could allow oversized response authenticators to be written into the memory of privileged processes or the page cache of privileged files such as SUID binaries, potentially enabling root access. Tharros Labs’ Will Dormann notes that the underlying issue could be CVE-2026-31635, which has a CVSS score of 7.5, and the defect was disclosed on 24 April when patches were rolled out for mainline Linux builds.
The flaw only affects distributions with CONFIG_RXGK compiled in and enabled (for example Arch Linux, Fedora, and openSUSE), and the PoC is being shared publicly as researchers warn that, in container environments, any vulnerable worker node could provide attackers with a path to escape a pod. According to SecurityWeek, the exploit is linked to the broader family of CopyFail, DirtyFrag, and Fragnesia Linux kernel bugs, with related context including a separate CVE tracked as CVE-2026-46300.