Linux Linux_Kernel — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/linux-linux_kernel/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 19 May 2026 22:01:39 +0000Linux Kernel DirtyDecrypt Local Privilege Escalation (CVE-2026-31635)https://feed.craftedsignal.io/briefs/2026-05-dirtydecrypt-lpe/Tue, 19 May 2026 22:01:39 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-dirtydecrypt-lpe/CVE-2026-31635, dubbed DirtyDecrypt, is a local privilege escalation vulnerability in the Linux kernel's rxrpc subsystem (rxgk component), allowing an unprivileged user to corrupt page cache and achieve arbitrary file writes, leading to root access on kernels 6.10 to 6.13 with CONFIG_RXGK enabled.A local privilege escalation vulnerability, CVE-2026-31635, dubbed “DirtyDecrypt,” affects Linux kernels from version 6.10 to 6.13 when CONFIG_RXGK is enabled. This vulnerability resides in the rxrpc subsystem’s rxgk component. An unprivileged user can exploit the vulnerability to corrupt the page cache, leading to arbitrary file writes and, ultimately, root access. The public availability of a working exploit significantly increases the risk to vulnerable systems, potentially enabling attackers to gain elevated privileges and compromise affected Linux systems.

Attack Chain

  1. An unprivileged local user gains access to the target Linux system.
  2. The attacker enters a user and network namespace.
  3. The attacker adds an RXGK key to the keyring using the keyctl utility.
  4. The attacker uses AF_RXRPC sockets and splice() to force page cache pages into the RXGK decryption path.
  5. This triggers in-place AES-CBC decryption without skb_cow_data().
  6. The in-place decryption corrupts the target file (/etc/passwd) byte-by-byte using a sliding window technique.
  7. The attacker blanks the root password in /etc/passwd.
  8. The attacker spawns a root shell, gaining complete control of the system.

Impact

Successful exploitation of CVE-2026-31635 allows an unprivileged local user to gain root privileges on the affected system. This can lead to complete system compromise, data theft, and malicious activities. The vulnerability affects systems running Linux kernels between 6.10 and 6.13 with the CONFIG_RXGK option enabled. Common distributions such as Fedora, Arch Linux, and openSUSE Tumbleweed are potentially affected.

Recommendation

  • Monitor process creations for the execution of binaries without a parent process, as this might indicate exploitation attempts (see “Detect DirtyDecrypt Exploit Execution” Sigma rule).
  • Monitor the execution of keyctl for the addition of RXGK keys, as this is a prerequisite for the exploit to work (see “Detect RXGK Key Addition” Sigma rule).
  • Upgrade to a patched Linux kernel version where CVE-2026-31635 is resolved.
  • Disable the CONFIG_RXGK option in the kernel configuration if rxrpc functionality is not required.
]]>highadvisoryprivilege-escalationlpelinux