bleepingcomputer.com via Reddit

DirtyDecrypt Linux flaw gets public root exploit

cybersecurity linux privilege-escalation

Key insights

  • DirtyDecrypt (CVE-2026-31635) grants full root access to local unprivileged users on Linux kernels compiled with CONFIG_RXGK enabled.
  • A working public PoC dropped May 9, just two weeks after the silent mainline patch on April 25, compressing the safe update window.
  • Exposure is distribution-specific: only kernels built with CONFIG_RXGK set (the option that compiles the rxgk code in) are vulnerable to this escalation path.

Why this matters

Any AI infrastructure running Linux on bare-metal or self-managed systems with the rxgk code compiled in is directly exposed to local-to-root compromise. A kernel privilege escalation sits below every application-layer access control, so those controls provide no protection until the kernel is patched. The two-week gap between the April 25 mainline fix and the May 9 public PoC is a concrete data point on how quickly a silent upstream patch can be reverse-engineered into a working exploit, which changes the calculus for teams that rely on vendor advisories rather than monitoring upstream kernel changes directly. For founders and technical leads running multi-tenant GPU clusters or shared research environments on Linux, this is a reminder that a kernel-level privilege escalation hands any authenticated local user full control of the host, and that container boundaries or per-user permission models do not contain it, because every tenant on the box shares the same kernel.

Summary

A public proof-of-concept now exists for DirtyDecrypt (CVE-2026-31635), a local privilege escalation flaw in the Linux kernel's rxgk module that lets unprivileged users gain root on affected systems. The V12 security team discovered the vulnerability independently on May 9, roughly two weeks after it was quietly patched in mainline on April 25. That narrow gap between a silent upstream fix and a weaponized public exploit puts distribution patch cycles directly in the crosshairs. The attack surface is gated by CONFIG_RXGK, the kernel build option that enables RxGK authentication for the Andrew File System client. Only distributions shipping kernels with that option set are exposed. Essentially, Linux kernel maintainers and the V12 security team are now racing distribution update cycles against a live, publicly available exploit.

  • CVE-2026-31635 grants full root access to local unprivileged users on kernels compiled with CONFIG_RXGK enabled.
  • The mainline patch landed April 25; independent discovery and public PoC release followed on May 9.
  • Exposure is distribution-specific: general-purpose installs without CONFIG_RXGK are not directly at risk.

With a working exploit already public, the effective patch window for unprotected distributions has closed.
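Because exposure turns on whether CONFIG_RXGK was set when the kernel was built, the check a practitioner wants is against the kernel's own build config rather than the distribution name. The script below is an added example, not code from the article or from the kernel project: CONFIG_RXGK is the option the article names, while the function names (rxgk_status, rxgk_exposed, kernel_config_path), the constructed sample config files and the choice of /boot/config-$(uname -r) and /proc/config.gz as the places to look for a running kernel's config are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the article or the kernel tree): classify a kernel
# config file by its CONFIG_RXGK setting and apply it to the running kernel.
# Assumed names: rxgk_status, rxgk_exposed, kernel_config_path; sample
# configs below are constructed, not taken from any real distribution.

# rxgk_status FILE -> builtin (=y), module (=m), disabled ("is not set"),
# absent (option not present at all, e.g. a kernel predating RxGK) or
# unknown (no readable file given).
rxgk_status() {
    cfg="$1"
    [ -n "$cfg" ] && [ -r "$cfg" ] || { echo unknown; return 0; }
    # Anchor on the exact symbol so CONFIG_RXGK_SOMETHING never matches.
    line=$(grep -E '^(# )?CONFIG_RXGK([= ]|$)' "$cfg" 2>/dev/null | head -n 1)
    case "$line" in
        CONFIG_RXGK=y)              echo builtin ;;
        CONFIG_RXGK=m)              echo module ;;
        "# CONFIG_RXGK is not set") echo disabled ;;
        "")                         echo absent ;;
        *)                          echo unknown ;;
    esac
}

# rxgk_exposed FILE -> exit 0 when the config compiles RxGK in, as a module
# or built in; a loadable module counts, since it can still be loaded later.
rxgk_exposed() {
    case "$(rxgk_status "$1")" in
        builtin|module) return 0 ;;
        *)              return 1 ;;
    esac
}

# kernel_config_path DIR -> prints the path of the running kernel's config,
# using the distro-installed /boot copy or, failing that, /proc/config.gz
# (present only when the kernel was built with CONFIG_IKCONFIG_PROC),
# decompressed into DIR. Prints nothing if neither is available.
kernel_config_path() {
    boot="/boot/config-$(uname -r)"
    if [ -r "$boot" ]; then
        echo "$boot"
    elif [ -r /proc/config.gz ] && command -v gzip >/dev/null 2>&1; then
        gzip -dc /proc/config.gz > "$1/config" && echo "$1/config"
    fi
}

# Demo: constructed sample configs, then the running kernel if readable.
tmpdir=$(mktemp -d)
printf 'CONFIG_AF_RXRPC=m\nCONFIG_RXGK=y\n'             > "$tmpdir/rxgk-on"
printf 'CONFIG_AF_RXRPC=m\n# CONFIG_RXGK is not set\n' > "$tmpdir/rxgk-off"
printf 'CONFIG_AF_RXRPC=m\n'                           > "$tmpdir/pre-rxgk"
for f in rxgk-on rxgk-off pre-rxgk; do
    if rxgk_exposed "$tmpdir/$f"; then verdict=EXPOSED; else verdict=ok; fi
    printf '%-10s %-9s %s\n' "$f" "$(rxgk_status "$tmpdir/$f")" "$verdict"
done
live=$(kernel_config_path "$tmpdir")
printf 'running kernel %s: %s\n' "$(uname -r)" "$(rxgk_status "$live")"
rm -rf "$tmpdir"
```

A `module` result is not safer than `builtin`: on a stock kernel a module that is merely not loaded yet can still be pulled in on demand, so the only answers that rule this path out are `disabled` or `absent`. Either way the fix is the patched kernel; the script only tells you how urgent it is on a given host.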

Potential risks and opportunities

Risks

  • Multi-tenant Linux environments (shared HPC clusters, cloud bare-metal providers) running CONFIG_RXGK-enabled kernels face immediate local-to-root compromise by any authenticated user until patches are applied
  • Distributions slow to backport the April 25 mainline fix leave users exposed with a ready-made public exploit, raising the probability of automated exploitation tooling appearing within the next 30 days
  • Security teams at enterprises relying on vendor advisories rather than upstream kernel monitoring may not yet know their kernels are affected, leaving production systems unpatched during the highest-risk window

Opportunities

  • Live kernel patching vendors (Canonical Livepatch, TuxCare, SUSE Manager) can use this incident to accelerate enterprise conversations about zero-downtime kernel update subscriptions
  • Linux security auditing firms and penetration testing providers gain immediate demand for CONFIG_RXGK exposure assessments across enterprise and cloud fleets in the next 30 to 60 days
  • Distributions that can confirm they do not ship CONFIG_RXGK by default gain a concrete hardening talking point in enterprise procurement comparisons against distributions that do

What we don't know yet

  • Which major distributions (Red Hat Enterprise Linux, Ubuntu, Debian) ship kernels with CONFIG_RXGK compiled in by default, as of May 2026, is not specified in public reporting
  • Whether the V12 security team coordinated disclosure with kernel maintainers before releasing the public PoC, or published independently after discovering the already-merged patch
  • Whether any in-the-wild exploitation has been observed since the PoC became public on May 9, 2026