The public release of a proof-of-concept (PoC) for the bug known as DirtyDecrypt (also labelled DirtyCBC in some sources) has again raised the alarm over a chain of failures in the kernel's handling of the page cache which, when exploited locally, lets an unprivileged user escalate to root on vulnerable Linux systems.
In essence, DirtyDecrypt stems from a missing copy-on-write (COW) step in the function that decrypts incoming packets in one of the kernel's cryptographic subsystems: when a write lands on pages shared with the page cache, and therefore with other processes, the kernel must first create a private copy. If that step is missing, a local attacker can write into memory belonging to privileged processes or corrupt the cached content of sensitive files such as /etc/shadow or a SUID binary, which makes obtaining elevated privileges straightforward.

The issue is tracked as CVE-2026-31635, and the available PoC shows how the absent COW guard in rxgk_decrypt_skb yields the same write primitive exploited by the vulnerability families known as Cody Fail, Dirty Frag and Fragnesia. What these families share is the dangerous property of letting an unprivileged context modify "read-only" data by corrupting the page cache.
Exposure is not universal: only kernels compiled with CONFIG_RXGK enabled are affected, and that option is enabled by default in some of the more modern "rolling" and cutting-edge distributions such as Fedora, Arch Linux and openSUSE Tumbleweed. In container environments the impact is even more serious, because a worker node running a vulnerable kernel can become an escape vector from a compromised pod to the host.
Beyond the technical vector there is an operational lesson: the rapid appearance of public exploits after upstream patches (or even after public commits that reveal the primitive) has triggered discussion of temporary hot countermeasures. One proposal in kernel development is a "killswitch" that would let an administrator force a kernel function to return a fixed value without running its body, as an emergency mitigation until the final fix is available. That proposal, however, carries risks and limitations that require careful consideration before adoption in production environments.
If you manage Linux systems, the immediate recommended actions are clear: prioritise the official updates from your distribution that fix CVE-2026-31635 and the related patches, and reboot the hosts afterwards so the new kernel is actually running. Check whether your kernel is built with the affected option by running, for example, grep -i CONFIG_RXGK /boot/config-$(uname -r), or zgrep CONFIG_RXGK /proc/config.gz when that file exists.
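As an added example, not part of the original article, the following POSIX shell script wraps the two checks above into a reusable function: it reads a kernel config file (plain, or gzip-compressed as /proc/config.gz is) and reports whether CONFIG_RXGK is built in (y), built as a module (m), explicitly disabled (n) or absent from the config (unknown), instead of relying on a raw grep whose output still has to be interpreted by eye. The config path is passed as an argument so the same function can be run over saved configs from other hosts; the /boot and /proc locations are the usual ones and are the script's only assumptions.

```shell
#!/bin/sh
# Added example: report the state of CONFIG_RXGK in a kernel config file.

# Print "y" (built in), "m" (module), "n" ("is not set") or "unknown"
# (option absent) for the config file given as $1.
# Pass "gz" as $2 to read a gzip-compressed config such as /proc/config.gz.
rxgk_config_state() {
    cfg="$1"; fmt="${2:-plain}"
    if [ "$fmt" = "gz" ]; then
        line=$(zcat "$cfg" 2>/dev/null \
               | grep -E '^(CONFIG_RXGK=|# CONFIG_RXGK is not set)' | head -n 1)
    else
        line=$(grep -E '^(CONFIG_RXGK=|# CONFIG_RXGK is not set)' "$cfg" 2>/dev/null \
               | head -n 1)
    fi
    case "$line" in
        "CONFIG_RXGK=y")            echo y ;;
        "CONFIG_RXGK=m")            echo m ;;
        "# CONFIG_RXGK is not set") echo n ;;
        *)                          echo unknown ;;
    esac
}

# Locate the running kernel's config: distribution-installed /boot/config-*
# first, then the in-kernel copy at /proc/config.gz (assumed locations).
running_kernel_rxgk_state() {
    if [ -r "/boot/config-$(uname -r)" ]; then
        rxgk_config_state "/boot/config-$(uname -r)"
    elif [ -r /proc/config.gz ]; then
        rxgk_config_state /proc/config.gz gz
    else
        echo unknown
    fi
}

# Stand-alone use: print the state and a one-line verdict for this host.
state=$(running_kernel_rxgk_state)
echo "CONFIG_RXGK for $(uname -r): $state"
case "$state" in
    y|m)     echo "rxgk is built into this kernel: apply the CVE-2026-31635 fix and reboot" ;;
    n)       echo "rxgk is disabled in this kernel config" ;;
    unknown) echo "could not determine CONFIG_RXGK; check the config by hand" ;;
esac
```

A kernel whose config cannot be found is reported as unknown rather than as safe, so a host with neither /boot/config-$(uname -r) nor CONFIG_IKCONFIG_PROC still shows up in the output for manual review.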
If no patch is available for your version and you cannot update immediately, reduce the attack surface: restrict access for untrusted local accounts, prevent users who do not need it from compiling code or opening critical sockets, and strengthen container isolation by not running untrusted workloads on shared nodes and by applying kernel security policies such as seccomp, SELinux/AppArmor and capability limits. Also evaluate the extended-support kernels or accelerated security repositories that some distributions offer when an urgent patch is needed.

Detecting past exploitation is hard because a modification of the page cache does not necessarily leave clear traces on disk until the content is written back. As detection and mitigation measures, verify the integrity of sensitive files with package verification tools (e.g. rpm --verify or debsums), look for abnormal changes to /etc/shadow and /etc/sudoers, and monitor unusual kernel- and system-level events that point to local code execution with elevated privileges.
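Package verification alone does not cover files that no package owns, and /etc/shadow is typically one of them. The added example below, which is not from the original article, complements rpm --verify and debsums with a content baseline: snapshot_files records a SHA-256 digest per file right after patching, check_files later reports any file whose digest changed or that disappeared, and verify_with_package_manager runs the distribution's own check for the files a package does own. The default file list and the baseline path are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: baseline-and-compare integrity check for files that a
# page-cache write primitive would target, plus package-manager verification.

# Files to watch (constructed default list; extend for your environment).
SENSITIVE_FILES="/etc/shadow /etc/sudoers /etc/passwd"

# SHA-256 of one file; sha256sum (coreutils) or shasum (BSD/macOS).
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Write one "digest path" line per readable file into the baseline file.
# Usage: snapshot_files BASELINE path...
snapshot_files() {
    baseline="$1"; shift
    : > "$baseline"
    for f in "$@"; do
        [ -r "$f" ] || continue
        printf '%s %s\n' "$(file_digest "$f")" "$f" >> "$baseline"
    done
}

# Recompute digests and compare with the baseline. Prints "CHANGED path" or
# "MISSING path" for each drifted file and returns 1 if anything drifted.
# Usage: check_files BASELINE
check_files() {
    baseline="$1"; drift=0
    while read -r digest path; do
        if [ ! -r "$path" ]; then
            echo "MISSING $path"; drift=1
        elif [ "$(file_digest "$path")" != "$digest" ]; then
            echo "CHANGED $path"; drift=1
        fi
    done < "$baseline"
    return "$drift"
}

# Distribution-level verification for one file: rpm -Vf verifies the package
# that owns it; on Debian-style systems dpkg -S finds the owner and
# debsums -c -a checks it, conffiles included. Files no package owns
# (usually /etc/shadow) are covered only by the baseline above.
verify_with_package_manager() {
    f="$1"
    if command -v rpm >/dev/null 2>&1; then
        rpm -Vf "$f"
    elif command -v debsums >/dev/null 2>&1; then
        pkg=$(dpkg -S "$f" 2>/dev/null | head -n 1 | cut -d: -f1)
        if [ -n "$pkg" ]; then
            debsums -c -a "$pkg"
        fi
    fi
}

# Command-line use: "snapshot" once after patching, "check" periodically.
# The baseline path /var/lib/sensitive-files.baseline is an assumed default.
case "${1:-}" in
    snapshot) snapshot_files "${2:-/var/lib/sensitive-files.baseline}" $SENSITIVE_FILES ;;
    check)
        check_files "${2:-/var/lib/sensitive-files.baseline}"
        for f in $SENSITIVE_FILES; do verify_with_package_manager "$f"; done ;;
esac
```

Run it as root, since /etc/shadow is not world-readable; store the baseline somewhere the watched users cannot write, and treat any CHANGED line for /etc/shadow or /etc/sudoers that does not match a known administrative action as an incident to investigate.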
This episode should be read as part of a recent trend: in a matter of weeks several LPEs with different technical roots have emerged (including Pack2TheRoot, CVE-2026-41651, and privilege-management failures such as CVE-2026-46333), and the community is debating not only how to patch but how to shorten the time between detection and effective mitigation. For more technical detail on the vulnerability and its classification, see the NVD entry for CVE-2026-31635 and its relationship with other recent incidents in CVE-2026-41651.
As a practical conclusion: prioritise applying patches and rebooting into the fixed kernel, check your kernel configuration to know whether you are susceptible, limit non-essential local access, and treat container nodes as critical assets whose kernel security matters as much as the applications they run. The speed at which public PoCs spread makes proactive defence and operational hygiene the best protection against these threats.