DirtyDecrypt (DirtyCBC) – Linux Kernel rxgk Missing COW Guard Grants Root Access (CVE-2026-31635)
Scope: Linux Kernel with CONFIG_RXGK Enabled (Fedora, Arch Linux, openSUSE Tumbleweed)
Severity: Red
DirtyDecrypt, also known as DirtyCBC, is the fourth Linux kernel local privilege escalation in the same XFRM/ESP/rxgk attack surface within three weeks, and it belongs to the same vulnerability class as the actively exploited Copy Fail family. The V12 security team independently discovered and reported a missing copy-on-write guard in the rxgk_decrypt_skb function. The flaw allows arbitrary writes into the kernel page cache of read-only files on any system compiled with CONFIG_RXGK, which is the default on Fedora, Arch Linux, and openSUSE Tumbleweed, and a public proof-of-concept that reliably grants root is already available. Although the mainline kernel fix for CVE-2026-31635 was merged on April 25, 2026, many distributions have not yet shipped patched kernels, leaving a significant window of active risk. Organizations should verify that their running kernel was built on or after April 26, 2026. Where patching is delayed, blacklist the esp4, esp6, and rxrpc modules as an interim measure, noting that this breaks IPsec VPNs and AFS connectivity.
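The verification and interim-mitigation steps above, as an added shell example that is not part of this advisory or of the kernel project. It assumes the running kernel's config is readable from /proc/config.gz or /boot/config-$(uname -r), that GNU `date -d` is available to parse `uname -v`, and it uses a hypothetical RXGK_CHECK_LIVE variable to gate the live check.

```bash
# Exposure check for CVE-2026-31635 (DirtyDecrypt/DirtyCBC); added example, not from the advisory.
# Assumptions: kernel config readable from /proc/config.gz or /boot/config-$(uname -r),
# GNU `date -d` available to parse `uname -v`; RXGK_CHECK_LIVE is a hypothetical gate.
FIX_DATE="2026-04-26"   # advisory: a kernel built on or after this date carries the fix

# rxgk_enabled CONFIG_TEXT -> success if CONFIG_RXGK is set, i.e. the vulnerable code is built in
rxgk_enabled() {
    printf '%s\n' "$1" | grep -Eq '^CONFIG_RXGK=(y|m)$'
}

# build_is_patched YYYY-MM-DD -> success if the build date is on or after FIX_DATE.
# An empty or unparseable date fails, so an unknown build date is treated as unpatched.
build_is_patched() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    [ "$(printf '%s' "$1" | tr -d -)" -ge "$(printf '%s' "$FIX_DATE" | tr -d -)" ]
}

# assess CONFIG_TEXT BUILD_DATE -> prints not-affected | patched | EXPOSED (exit 1 when exposed)
assess() {
    if ! rxgk_enabled "$1"; then echo "not-affected"; return 0; fi
    if build_is_patched "$2"; then echo "patched"; return 0; fi
    echo "EXPOSED"; return 1
}

# blacklist_conf -> /etc/modprobe.d fragment for the advisory's interim mitigation.
# "install <mod> /bin/false" also blocks an explicit modprobe, not only alias autoload.
# As the advisory notes, this breaks IPsec VPNs (esp4/esp6) and AFS connectivity (rxrpc).
blacklist_conf() {
    for m in esp4 esp6 rxrpc; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
    done
}

# Live helpers: read the running kernel's config and extract its build date from uname -v.
live_config() {
    if [ -r /proc/config.gz ]; then zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then cat "/boot/config-$(uname -r)"; fi
}
live_build_date() {
    v=$(uname -v)   # e.g. "#1 SMP PREEMPT_DYNAMIC Sat Apr 25 12:00:00 UTC 2026" or "... (2026-04-25)"
    printf '%s\n' "$v" | grep -oE '[0-9]{4}-[0-9]{2}-[0-9]{2}' | head -n1 | grep . ||
        date -u -d "$(printf '%s\n' "$v" | sed -E 's/^#[0-9]+( [A-Z_]+)* //')" +%F 2>/dev/null
}
if [ "${RXGK_CHECK_LIVE:-0}" = 1 ]; then
    assess "$(live_config)" "$(live_build_date)" || { echo "Interim mitigation:"; blacklist_conf; }
fi
```

Run with `RXGK_CHECK_LIVE=1 sh check.sh` on the host; the modprobe fragment it prints only takes effect after it is written under /etc/modprobe.d and the modules are unloaded or the system rebooted.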
The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.