DirtyDecrypt
A missing copy-on-write check in the Linux kernel's RxGK subsystem allows in-place decryption to write into page-cache pages backed by privileged files, enabling an unprivileged local attacker to overwrite those files and escalate to root.
Details
- Write-up
- https://github.com/v12-security/pocs/tree/main/dirtydecrypt
- CVEs
- CVE-2026-31635 CVSS 7.5
- Author
- V12
- Patch
- aa54b1d27fe0
The patch has not been included in a stable kernel release yet. Some distributions might have already backported it.
Timeline
- Reported to kernel maintainers, who identified it as a duplicate of a fix already staged for mainline
- Fix merged into mainline
- PoC published
Mitigation
Blacklist the rxrpc module
This will break AFS connectivity, which is not in use on most systems.
echo 'install rxrpc /bin/false' > /etc/modprobe.d/dirtydecrypt.conf
rmmod rxrpc 2>/dev/null