PoC Released for DirtyDecrypt Linux Kernel Vulnerability
Patched in April, the underlying vulnerability allows local attackers to elevate their privileges to root. The post PoC Released for DirtyDecrypt Linux Kernel Vulnerability appeared first on SecurityWeek.
AI Analysis
Technical Summary
DirtyDecrypt (aka DirtyCBC) is a local privilege escalation vulnerability in the Linux kernel's RxGK subsystem, caused by a missing copy-on-write guard in the rxgk_decrypt_skb function. Because of the missing guard, oversized response authenticators can write data into the memory of privileged processes or into the page cache of privileged files, including SUID binaries, which lets a local attacker gain root privileges. The vulnerability affects distributions that ship kernels with CONFIG_RXGK enabled, such as Arch Linux, Fedora, and openSUSE. It was discovered by the V12 security team and patched in April 2026. The issue is related to CVE-2026-31635 and belongs to a family of Linux kernel bugs that permit root escalation. Proof-of-concept code has been published, but no exploitation in the wild has been reported.
Potential Impact
The vulnerability allows local attackers on affected Linux systems to escalate their privileges to root by exploiting a missing copy-on-write guard in the RxGK subsystem. This can lead to unauthorized modification of privileged process memory or sensitive files, potentially compromising system integrity and security. Container environments running vulnerable distributions may also be at risk of pod escape. However, no active exploitation in the wild has been reported to date.
Mitigation Recommendations
A patch for this vulnerability was released in April 2026 for mainline Linux kernel builds. Users and administrators of affected Linux distributions with CONFIG_RXGK enabled should ensure their systems are updated with these patches. Since the vulnerability is patched, applying the official updates is the primary mitigation. No vendor advisory indicates that the issue is mitigated without patching or that no action is required, so updating to the fixed kernel version is recommended.
Technical Details
- Article Source: https://www.securityweek.com/poc-released-for-dirtydecrypt-linux-kernel-vulnerability/ (fetched 2026-05-19T09:51:37.917Z, word count 975)
Threat ID: 6a0c32a9ec166c07b08d51e4
Added to database: 5/19/2026, 9:51:37 AM
Last enriched: 5/19/2026, 9:51:45 AM
Last updated: 5/20/2026, 3:20:01 PM