ctipilot.ch

DirtyDecrypt — Linux kernel RxGK rxgk_decrypt_skb() page-cache write; affects Fedora / Arch / openSUSE Tumbleweed; PoC released 2026-05-19

cve · CVE-2026-31635

  • Coverage timeline: 1 (first 2026-05-20, last 2026-05-20)
  • Briefs: 1 (1 distinct)
  • Sources cited: 3 (3 hosts)
  • Sections touched: 1 (trending_vulns)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-20 · CTI Daily Brief — 2026-05-20
     trending_vulns: first coverage; Zellic/V12 disclosure; kernel patch from 2026-04-25; assessed as Copy Fail family variant

Where this entity is cited

  • trending_vulns (1)

Source distribution

  • bleepingcomputer.com: 1 (33%)
  • moselwal.com: 1 (33%)
  • thehackernews.com: 1 (33%)

Items in briefs about DirtyDecrypt — Linux kernel RxGK rxgk_decrypt_skb() page-cache write; affects Fedora / Arch / openSUSE Tumbleweed; PoC released 2026-05-19 (1)

CVE-2026-31635 ("DirtyDecrypt") — Linux kernel RxGK page-cache write, public PoC; Fedora, Arch, openSUSE Tumbleweed affected

From CTI Daily Brief — 2026-05-20 · published 2026-05-20

CVE-2026-31635 is a page-cache write caused by a missing copy-on-write guard in rxgk_decrypt_skb() in net/rxrpc/rxgk_crypt.c, the RxGK (Kerberos-for-AFS) subsystem of the Linux kernel. Researchers at Zellic/V12 disclosed the issue on 2026-05-09; kernel maintainers traced the regression and noted that it duplicated a vulnerability quietly patched in mainline on 2026-04-25. V12 published a working PoC on 2026-05-19, prompting coverage by BleepingComputer and The Hacker News (The Hacker News carries the CVSS 7.5 score; the Moselwal technical write-up places the LPE class in the 7.8–8.1 range, with no settled NVD score at time of publication). Only kernels compiled with CONFIG_RXGK=y are affected; in their standard configurations that means Fedora, Arch Linux, and openSUSE Tumbleweed. Debian Stable, RHEL, and Ubuntu LTS build their kernels without CONFIG_RXGK and are not affected. No in-the-wild exploitation has been reported.

DirtyDecrypt is assessed as a variant of the "Copy Fail" family (CVE-2026-31431, CVE-2026-43284, CVE-2026-43500, CVE-2026-46300). Mitigation: apply the kernel patch from 2026-04-25 (or any linux-stable build derived from it); as a temporary fallback, blacklist the rxrpc module via /etc/modprobe.d/, noting that this breaks IPsec/AFS-VPN and is fragile. Verify exposure with grep RXGK /boot/config-$(uname -r). Detection: Falco / Tetragon rules for unexpected rxrpc module load events; Sysmon-for-Linux EID 8 for UID changes from unprivileged processes; container runtime alerts for unexpected root spawning from a container context. Relevant wherever rolling-release Linux distributions host CI/CD runners, developer workstations, or research VMs in EU/CH public-sector environments.
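A fleet-side exposure check for the verification and fallback steps above, written as an added example that is not from the brief or its sources: it reads a kernel config (the running kernel's /boot/config-$(uname -r) by default), classifies CONFIG_RXGK exposure, and also reads CONFIG_AF_RXRPC, the kernel's option for the rxrpc code itself, because a modprobe.d blacklist cannot stop code that is built in (=y) rather than modular (=m). Function names are mine and the sample config files are constructed, not real distribution configs.

```shell
#!/bin/sh
# Added example (not from the brief): classify a kernel config for RxGK exposure.
# Usage: rxgk_exposure [config-file]   (default: running kernel's /boot/config-$(uname -r))
# Prints one of:
#   exposed-builtin  CONFIG_RXGK=y and CONFIG_AF_RXRPC=y: blacklisting rxrpc cannot help, patch
#   exposed-module   CONFIG_RXGK=y and CONFIG_AF_RXRPC=m: patch; module blacklist is a stopgap
#   not-exposed      CONFIG_RXGK unset or =n (the brief names Debian Stable, RHEL, Ubuntu LTS)
#   unknown          config file missing or unreadable (exit status 1)
rxgk_exposure() {
    cfg="${1:-/boot/config-$(uname -r)}"
    [ -r "$cfg" ] || { echo unknown; return 1; }
    rxgk=$(sed -n 's/^CONFIG_RXGK=//p' "$cfg")        # y, m or empty
    rxrpc=$(sed -n 's/^CONFIG_AF_RXRPC=//p' "$cfg")   # y, m or empty
    case "$rxgk" in
        y)
            case "$rxrpc" in
                y) echo exposed-builtin ;;
                *) echo exposed-module ;;
            esac
            ;;
        *) echo not-exposed ;;
    esac
}

# True when some *.conf in the given modprobe.d directory (default /etc/modprobe.d)
# already blacklists rxrpc, i.e. the fallback mitigation from the brief is in place.
rxrpc_blacklisted() {
    dir="${1:-/etc/modprobe.d}"
    grep -qsE '^[[:space:]]*blacklist[[:space:]]+rxrpc([[:space:]]|$)' "$dir"/*.conf 2>/dev/null
}

# Constructed sample inputs so the check runs offline; they are not real distro configs.
demo_dir=$(mktemp -d)
printf 'CONFIG_AF_RXRPC=m\nCONFIG_RXGK=y\n' > "$demo_dir/config-rolling"
printf 'CONFIG_AF_RXRPC=m\n# CONFIG_RXGK is not set\n' > "$demo_dir/config-lts"
mkdir -p "$demo_dir/modprobe.d"
printf 'blacklist rxrpc\n' > "$demo_dir/modprobe.d/rxgk.conf"

echo "rolling: $(rxgk_exposure "$demo_dir/config-rolling")"   # exposed-module
echo "lts:     $(rxgk_exposure "$demo_dir/config-lts")"       # not-exposed
rxrpc_blacklisted "$demo_dir/modprobe.d" && echo "rxrpc blacklisted in $demo_dir/modprobe.d"
```

Run it with no argument on a host to check the running kernel; an exposed-builtin result means only the 2026-04-25 patch (or a derived linux-stable build) removes the exposure.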