DirtyDecrypt Linux kernel root escalation PoC released - rxgk pagecache write affects Fedora, Arch, openSUSE Tumbleweed

A working proof-of-concept exploit for a recently patched Linux kernel local privilege escalation is now public. Researchers at V12 found the bug in May and were told it had already been fixed in the mainline kernel on April 25, matching CVE-2026-31635 per Tharros analyst Will Dormann. The flaw is a missing copy-on-write check in rxgk_decrypt_skb, the kernel routine that decrypts RxGK packets for the Andrew File System. Exploitation requires CONFIG_RXGK, limiting impact to leading-edge distros like Fedora, Arch Linux, and openSUSE Tumbleweed. DirtyDecrypt joins Dirty Frag, Fragnesia, and Copy Fail in a recent wave of Linux LPE disclosures.

Check
Run 'uname -r' across your Linux fleet and flag hosts running Fedora, Arch, openSUSE Tumbleweed, or any mainline kernel built with CONFIG_RXGK. Search audit logs for unexpected setuid execs since 2026-04-25.
Affected
Linux kernels built with CONFIG_RXGK enabled, primarily Fedora, Arch Linux, and openSUSE Tumbleweed. Distributions on long-term stable kernels (RHEL, Debian stable, Ubuntu LTS) are not typically affected.
Fix
Apply your distribution's latest kernel updates. Temporary mitigation (also breaks AFS and IPsec VPNs): blacklist esp4, esp6, and rxrpc via /etc/modprobe.d/, unload them with rmmod, and drop the page cache.
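As an added triage example (not the article's code, nor anything from a kernel or distro project), the shell below turns the Check and Fix guidance above into something you can run fleet-wide: it parses kernel config text for CONFIG_RXGK, reports which of the modules named in the mitigation are still loaded, and emits the modprobe.d content. It assumes POSIX sh with awk, uname, lsmod and zcat, plus the conventional config locations /boot/config-<release> and /proc/config.gz (the latter exists only when the kernel was built with CONFIG_IKCONFIG_PROC); the sample inputs are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added triage helper for the DirtyDecrypt advisory (not the article's code).
# Assumes POSIX sh, awk, uname, lsmod, zcat; config paths are conventions.

# Read kernel config text on stdin; print "enabled" for CONFIG_RXGK=y or =m,
# "disabled" for "is not set"/=n, "unknown" if the symbol never appears.
rxgk_status() {
  awk '/^CONFIG_RXGK=(y|m)$/ { print "enabled"; found = 1; exit }
       /^# CONFIG_RXGK is not set$/ || /^CONFIG_RXGK=n$/ {
         print "disabled"; found = 1; exit }
       END { if (!found) print "unknown" }'
}

# Read lsmod output on stdin; print, space-separated, which of the modules
# the advisory says to blacklist (rxrpc, esp4, esp6) are still loaded.
loaded_mitigation_modules() {
  awk 'NR > 1 && ($1 == "rxrpc" || $1 == "esp4" || $1 == "esp6") {
         out = out (out ? " " : "") $1 }
       END { print out }'
}

# Emit /etc/modprobe.d content for the temporary mitigation. "blacklist" only
# stops alias autoload; "install ... /bin/false" also refuses explicit and
# dependency loads (e.g. kafs pulling in rxrpc), so emit both per module.
mitigation_conf() {
  for m in rxrpc esp4 esp6; do
    printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
  done
}

# Live-host report: one line per host, suitable for fleet-wide collection.
check_live_host() {
  rel=$(uname -r)
  if [ -r "/boot/config-$rel" ]; then status=$(rxgk_status < "/boot/config-$rel")
  elif [ -r /proc/config.gz ]; then status=$(zcat /proc/config.gz | rxgk_status)
  else status=unknown; fi
  printf '%s kernel=%s CONFIG_RXGK=%s loaded=[%s]\n' "$(uname -n)" "$rel" \
    "$status" "$(lsmod 2>/dev/null | loaded_mitigation_modules)"
}

# Constructed sample input (not from a real host) so this runs offline.
SAMPLE_LSMOD='Module                  Size  Used by
rxrpc                 327680  1 kafs
esp4                   28672  0
xfrm_user              61440  0'
printf 'sample: CONFIG_RXGK=%s loaded=[%s]\n' \
  "$(printf 'CONFIG_AF_RXRPC=m\nCONFIG_RXGK=y\n' | rxgk_status)" \
  "$(printf '%s\n' "$SAMPLE_LSMOD" | loaded_mitigation_modules)"
```

On a real host, call check_live_host (as root, so lsmod and the config are readable) and collect the one-line report; rmmod will refuse to unload rxrpc while kafs still holds it, so check the "Used by" column first.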