ctipilot.ch

Linux kernel RxGK rxgk_decrypt_skb() page-cache write (missing COW guard) — DirtyDecrypt LPE; affects Fedora / Arch / openSUSE Tumbleweed (CONFIG_RXGK=y)

cve · CVE-2026-31635

  • Coverage timeline: 1 (first 2026-05-20 → last 2026-05-25)
  • Entries: 1 (1 distinct day)
  • Sources cited: 3 (3 hosts)
  • Sections touched: 1 (trending-vulnerabilities)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-20 (trending-vulnerabilities): CVE-2026-31635 ("DirtyDecrypt") — Linux kernel RxGK page-cache write, public PoC; Fedora, Arch, openSUSE Tumbleweed affected

Where this entity is cited

  • trending-vulnerabilities: 1

Source distribution

  • bleepingcomputer.com: 1 (33%)
  • moselwal.com: 1 (33%)
  • thehackernews.com: 1 (33%)

Entries about Linux kernel RxGK rxgk_decrypt_skb() page-cache write (missing COW guard) — DirtyDecrypt LPE; affects Fedora / Arch / openSUSE Tumbleweed (CONFIG_RXGK=y) (1)

2026-05-20

CVE-2026-31635 ("DirtyDecrypt") — Linux kernel RxGK page-cache write, public PoC; Fedora, Arch, openSUSE Tumbleweed affected

notable vulnerability discovered 2026-05-20 05:00 UTC

CVE-2026-31635 is a page-cache write vulnerability caused by a missing copy-on-write guard in rxgk_decrypt_skb() in net/rxrpc/rxgk_crypt.c, the RxGK (Kerberos-for-AFS) subsystem of the Linux kernel. Researchers at Zellic/V12 disclosed the issue on 2026-05-09; kernel maintainers traced the regression and noted it was a duplicate of a vulnerability quietly patched in mainline on 2026-04-25. A working PoC was published by V12 on 2026-05-19, prompting BleepingComputer and The Hacker News coverage (The Hacker News reports a CVSS score of 7.5; the Moselwal technical write-up places the LPE class in the 7.8–8.1 range, with no settled NVD score at time of publication). Only kernels compiled with CONFIG_RXGK=y are affected; in their standard configurations that means Fedora, Arch Linux, and openSUSE Tumbleweed. Debian Stable, RHEL, and Ubuntu LTS build kernels without CONFIG_RXGK and are not affected. No in-the-wild exploitation has been reported.

DirtyDecrypt is assessed as a variant of the "Copy Fail" family (CVE-2026-31431, CVE-2026-43284, CVE-2026-43500, CVE-2026-46300). Mitigation: apply the kernel patch from 2026-04-25 (or any linux-stable build derived from it); or temporarily blacklist the rxrpc module via /etc/modprobe.d/. The latter breaks IPsec/AFS-VPN and is fragile. Verify the kernel build with grep RXGK /boot/config-$(uname -r). Detection: Falco / Tetragon rules on unexpected rxrpc module load events; Sysmon-for-Linux EID 8 for UID changes from unprivileged processes; container runtime alerts for unexpected root spawning from container context. Relevant where rolling-release Linux distros host CI/CD runners, developer workstations, or research VMs in EU/CH public-sector environments.
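The verification and blacklist advice above, carried through as a triage script in POSIX sh. This is an added example, not code from the ctipilot entry, the cited sources or the kernel tree. It reads CONFIG_RXGK from a kernel config file and, because RxGK is compiled into the rxrpc code, also reads CONFIG_AF_RXRPC to tell whether that code is a loadable module (which a modprobe.d blacklist can keep out) or built into the image (where only the patch helps). The function names and the --host flag are this example's own choices; the two CONFIG symbols are real kernel symbols.

```shell
#!/bin/sh
# Added triage helper for CVE-2026-31635 exposure (example code, not from the entry).
# Inputs: a kernel .config-style file and a modprobe.d directory; all file paths are
# parameters so the checks can be run against constructed samples as well as a live host.

# config_symbol <config-file> <SYMBOL>: prints y, m, or n (unset, commented out, or file missing).
config_symbol() {
    cfg="$1"; sym="$2"
    [ -r "$cfg" ] || { echo n; return 0; }
    val=$(sed -n "s/^${sym}=\([ym]\)\$/\1/p" "$cfg" | head -n 1)
    echo "${val:-n}"
}

# rxrpc_blacklisted <modprobe.d-dir>: exit 0 if any *.conf there keeps rxrpc from loading,
# either via a "blacklist rxrpc" line or an "install rxrpc /bin/false" override.
rxrpc_blacklisted() {
    [ -d "$1" ] || return 1
    grep -Eqs '^[[:space:]]*(blacklist[[:space:]]+rxrpc|install[[:space:]]+rxrpc[[:space:]]+/bin/(false|true))([[:space:]]|$)' "$1"/*.conf
}

# exposure <config-file> <modprobe.d-dir>: prints one verdict word.
#   not-affected : CONFIG_RXGK is not y (Debian Stable / RHEL / Ubuntu LTS style builds)
#   builtin      : CONFIG_RXGK=y and CONFIG_AF_RXRPC=y; code is in the kernel image, so a
#                  modprobe.d blacklist cannot stop it and only the 2026-04-25 fix helps
#   mitigated    : rxrpc is a module and is blacklisted (fragile, per the entry)
#   exposed      : rxrpc is a loadable module and nothing prevents loading it
exposure() {
    [ "$(config_symbol "$1" CONFIG_RXGK)" = y ] || { echo not-affected; return 0; }
    case "$(config_symbol "$1" CONFIG_AF_RXRPC)" in
        y) echo builtin ;;
        m) if rxrpc_blacklisted "$2"; then echo mitigated; else echo exposed; fi ;;
        *) echo inconsistent ;;   # RXGK=y without AF_RXRPC should not occur in a real .config
    esac
}

# Live-host mode: same check as the entry's "grep RXGK /boot/config-$(uname -r)", with a
# fallback to /proc/config.gz when the distro does not ship /boot/config-*.
if [ "${1:-}" = "--host" ]; then
    cfg="/boot/config-$(uname -r)"
    if [ ! -r "$cfg" ] && [ -r /proc/config.gz ]; then
        zcat /proc/config.gz > "/tmp/kconfig.$$"; cfg="/tmp/kconfig.$$"
    fi
    echo "CONFIG_RXGK=$(config_symbol "$cfg" CONFIG_RXGK) CONFIG_AF_RXRPC=$(config_symbol "$cfg" CONFIG_AF_RXRPC) verdict=$(exposure "$cfg" /etc/modprobe.d)"
fi
```

Run it as `sh triage.sh --host` on the machine in question; a verdict of builtin or exposed means the host needs the patched kernel regardless of any modprobe.d entry.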

vulnerabilities lpe priv-esc poc-public patch-available global CVE-2026-31635