DIRTYDECRYPT (CVE-2026-31635) is a working PoC for a Linux kernel local privilege escalation, attributed to a missing copy-on-write guard in rxgk_decrypt_skb, the function that decrypts incoming socket buffers. Discovered and reported on 9 May 2026 by the Zellic and V12 security teams, the flaw is described as a variant of the Copy Fail/DirtyFrag/Fragnesia family. The National Vulnerability Database links the PoC to CVE-2026-31635 (CVSS 7.5).
The exploit code is publicly available on GitHub, and the PoC description notes that it targets an rxgk page cache write due to the missing COW guard. The vulnerability resides in the function that handles sk_buff decryption in the rxgk subsystem, potentially allowing a local attacker to write into memory belonging to privileged processes or into the page cache of sensitive files, ultimately enabling root privileges.
DirtyDecrypt does not affect all Linux systems; it impacts distributions where CONFIG_RXGK is enabled, including Fedora, Arch Linux, and openSUSE Tumbleweed, while standard Ubuntu or Debian installations are not affected.
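Because exposure depends on the kernel build option rather than on the distribution name, a host can be triaged by reading its kernel config. The script below is an added example, not code from the advisory or the PoC; the function names are hypothetical, and the three config file locations it tries are assumptions about where a distribution ships the running kernel's config.

```shell
#!/bin/sh
# Added example (not from the advisory or the PoC): report whether the running
# kernel was built with CONFIG_RXGK. Function names are hypothetical.

# Classify CONFIG_RXGK from a kernel config on stdin.
# Prints: builtin | module | disabled | absent
rxgk_state() {
    awk '
        /^CONFIG_RXGK=y$/            { state = "builtin" }
        /^CONFIG_RXGK=m$/            { state = "module" }
        /^# CONFIG_RXGK is not set$/ { state = "disabled" }
        END { print (state == "" ? "absent" : state) }
    '
}

# Find the running kernel's config. The three paths are assumptions about
# where a distribution ships it; "unknown" means none was readable.
rxgk_host_state() {
    rel=$(uname -r)
    if [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz | rxgk_state
    elif [ -r "/boot/config-$rel" ]; then
        rxgk_state < "/boot/config-$rel"
    elif [ -r "/lib/modules/$rel/config" ]; then
        rxgk_state < "/lib/modules/$rel/config"
    else
        echo unknown
    fi
}

# Constructed sample configs, to show each classification offline.
printf 'sample enabled:  %s\n' "$(printf 'CONFIG_RXGK=y\n' | rxgk_state)"
printf 'sample disabled: %s\n' "$(printf '# CONFIG_RXGK is not set\n' | rxgk_state)"

# The host itself.
printf 'kernel %s: CONFIG_RXGK %s\n' "$(uname -r)" "$(rxgk_host_state)"
```

A result of builtin or module only shows that the rxgk code is compiled in; whether the running kernel already carries a fix has to be checked against the distribution's own advisory.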