DirtyDecrypt

CVE-2026-31635CVSS 7.5unreleased

A missing copy-on-write check in the Linux kernel's RxGK subsystem allows in-place decryption to write into page-cache pages backed by privileged files, enabling an unprivileged local attacker to overwrite those files and escalate to root.

Details

Write-up
https://github.com/v12-security/pocs/tree/main/dirtydecrypt
CVEs
CVE-2026-31635 CVSS 7.5
Author
V12
Patch
aa54b1d27fe0
The patch has not been included in a stable kernel release yet. Some distributions might have already backported it.

Timeline

  1. Reported to kernel maintainers, who identified it as a duplicate of a fix already staged for mainline
  2. Fix merged into mainline
  3. PoC published

Mitigation

Blacklist the rxrpc module

This will break AFS connectivity, which is not in use on most systems.

echo 'install rxrpc /bin/false' > /etc/modprobe.d/dirtydecrypt.conf
rmmod rxrpc 2>/dev/null

History