{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3olinuxlinux_kernel6.16-/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","cpe:2.3:o:linux:linux_kernel:6.16:-:*:*:*:*:*:*","cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*"],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-31635"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Linux Linux_Kernel"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","lpe","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA local privilege escalation vulnerability, CVE-2026-31635, dubbed \u0026ldquo;DirtyDecrypt,\u0026rdquo; affects Linux kernels from version 6.10 to 6.13 when \u003ccode\u003eCONFIG_RXGK\u003c/code\u003e is enabled. This vulnerability resides in the \u003ccode\u003erxrpc\u003c/code\u003e subsystem\u0026rsquo;s \u003ccode\u003erxgk\u003c/code\u003e component. An unprivileged user can exploit the vulnerability to corrupt the page cache, leading to arbitrary file writes and, ultimately, root access. \nThe public availability of a working exploit significantly increases the risk to vulnerable systems, potentially enabling attackers to gain elevated privileges and compromise affected Linux systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unprivileged local user gains access to the target Linux system.\u003c/li\u003e\n\u003cli\u003eThe attacker enters a user and network namespace.\u003c/li\u003e\n\u003cli\u003eThe attacker adds an RXGK key to the keyring using the \u003ccode\u003ekeyctl\u003c/code\u003e utility.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eAF_RXRPC\u003c/code\u003e sockets and \u003ccode\u003esplice()\u003c/code\u003e to force page cache pages into the RXGK decryption path.\u003c/li\u003e\n\u003cli\u003eThis triggers in-place AES-CBC decryption without \u003ccode\u003eskb_cow_data()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe in-place decryption corrupts the target file (\u003ccode\u003e/etc/passwd\u003c/code\u003e) byte-by-byte using a sliding window technique.\u003c/li\u003e\n\u003cli\u003eThe attacker blanks the root password in \u003ccode\u003e/etc/passwd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker spawns a root shell, gaining complete control of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31635 allows an unprivileged local user to gain root privileges on the affected system. This can lead to complete system compromise, data theft, and malicious activities. The vulnerability affects systems running Linux kernels between 6.10 and 6.13 with the \u003ccode\u003eCONFIG_RXGK\u003c/code\u003e option enabled. \nCommon distributions such as Fedora, Arch Linux, and openSUSE Tumbleweed are potentially affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creations for the execution of binaries without a parent process, as this might indicate exploitation attempts (see \u0026ldquo;Detect DirtyDecrypt Exploit Execution\u0026rdquo; Sigma rule).\u003c/li\u003e\n\u003cli\u003eMonitor the execution of \u003ccode\u003ekeyctl\u003c/code\u003e for the addition of RXGK keys, as this is a prerequisite for the exploit to work (see \u0026ldquo;Detect RXGK Key Addition\u0026rdquo; Sigma rule).\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched Linux kernel version where CVE-2026-31635 is resolved.\u003c/li\u003e\n\u003cli\u003eDisable the \u003ccode\u003eCONFIG_RXGK\u003c/code\u003e option in the kernel configuration if \u003ccode\u003erxrpc\u003c/code\u003e functionality is not required.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T22:01:39Z","date_published":"2026-05-19T22:01:39Z","id":"https://feed.craftedsignal.io/briefs/2026-05-dirtydecrypt-lpe/","summary":"CVE-2026-31635, dubbed DirtyDecrypt, is a local privilege escalation vulnerability in the Linux kernel's rxrpc subsystem (rxgk component), allowing an unprivileged user to corrupt page cache and achieve arbitrary file writes, leading to root access on kernels 6.10 to 6.13 with CONFIG_RXGK enabled.","title":"Linux Kernel DirtyDecrypt Local Privilege Escalation (CVE-2026-31635)","url":"https://feed.craftedsignal.io/briefs/2026-05-dirtydecrypt-lpe/"}],"language":"en","title":"CraftedSignal Threat Feed — Cpe:2.3:o:linux:linux_kernel:6.16:-:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}