Linux kernel LPE exploits DirtyDecrypt and PinTheft expose root access paths
Public proof-of-concept exploit code was released for DirtyDecrypt (CVE-2026-31635), a high-severity Linux kernel local privilege escalation flaw caused by a missing copy-on-write guard in rxgk_decrypt_skb() within the RxGK subsystem. The bug allows unprivileged local users to corrupt shared page-cache memory tied to privileged files or processes, potentially overwriting targets such as /etc/shadow, /etc/sudoers, or SUID binaries to gain root. Reports said the issue was quietly patched upstream in late April and primarily affects systems using mainline or rolling-release kernels with CONFIG_RXGK enabled, including Fedora, Arch Linux, and openSUSE Tumbleweed; the risk is elevated on Kubernetes worker nodes and developer workstations because exploitation can also enable container escape and theft of secrets or runtime sockets.
At the same time, researchers disclosed PinTheft, another Linux local privilege escalation exploit that abuses a double-free or refcount bug in the RDS zerocopy send path and uses io_uring fixed buffers to turn the flaw into a page-cache overwrite against a SUID-root binary. The exploit, credited to Aaron Esau of V12 Security, reportedly drains page references through failed RDS zerocopy sends, frees the page, reclaims it as page cache, and overwrites it with a malicious ELF payload that yields a root shell when executed. Mailing list discussion said a patch and proof of concept are available, with exploitability depending on the rds kernel module being present or autoloadable; Arch Linux was reported to enable it by default, while Fedora may also be exposed and Debian and Ubuntu appear to have mitigations that restrict autoloading.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Public PoC released for DirtyDecrypt (CVE-2026-31635)
Researchers released proof-of-concept exploit code for DirtyDecrypt, a recently patched Linux kernel local privilege escalation bug affecting systems with CONFIG_RXGK enabled, including Fedora, Arch Linux, and openSUSE Tumbleweed. The PoC demonstrated how a missing copy-on-write guard could be abused for root access and potentially container escape on vulnerable worker nodes.
Canonical publishes Ubuntu mitigation guidance for PinTheft
Canonical said default Ubuntu installations are generally not vulnerable to PinTheft because the affected RDS module is not loaded by default, though systems that explicitly enable RDS can be exploited. It outlined affected Ubuntu releases, rated the issue CVSS 7.8/High with Ubuntu Priority Medium, and said fixes would be delivered through Linux kernel image packages.
PinTheft Linux LPE publicly disclosed with patch and PoC
v12-security publicly disclosed PinTheft, a Linux local privilege escalation exploit targeting a double-free/refcount bug in the RDS zerocopy send path. The disclosure said the issue was discovered by Aaron Esau, included a proof of concept and patch, and showed how io_uring fixed buffers could be used to overwrite page cache and gain root via a SUID binary.
DirtyDecrypt publicly identified and reproduction reported
A public post described a new Linux local privilege escalation issue called DirtyDecrypt or DirtyCBC, likely corresponding to CVE-2026-31635, and linked it to patch commits from April 8 and April 18, 2026. The author later updated the report to say the issue reproduced successfully on Fedora and mainline Linux after initially failing to reproduce it on tested distributions.
Upstream patch merged for DirtyDecrypt kernel flaw
An upstream fix for the Linux kernel local privilege escalation vulnerability later tracked as CVE-2026-31635 (DirtyDecrypt/DirtyCBC) was quietly merged. The flaw is in the RxGK subsystem's rxgk_decrypt_skb() function and can enable page-cache or privileged memory corruption leading to root access.
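The two stories reduce exposure to two host-level conditions: DirtyDecrypt matters only on kernels built with CONFIG_RXGK, and PinTheft is reachable only where the rds module is loaded or can be autoloaded, which is the distinction behind Canonical's guidance above. The following POSIX shell script is an added example, not code from any of the sources or vendors named here, that checks those conditions from files a defender can copy off a host. The script name rds_rxgk_check.sh, the file paths, and the modprobe.d patterns it treats as blocking autoload (`install rds /bin/true` or `/bin/false`, and `blacklist rds`) are assumptions; a positive finding means the host's patch level needs checking, not that it is exploitable.

```sh
#!/bin/sh
# Exposure check for the DirtyDecrypt and PinTheft stories (added example).
# Every path is a parameter so the functions can also be run against copies
# of /boot/config-*, /proc/modules and /etc/modprobe.d collected elsewhere.

# Return 0 if the kernel config at $1 has RxGK built in (=y) or as a module (=m).
rxgk_enabled() {
    grep -Eq '^CONFIG_RXGK=(y|m)$' "$1"
}

# Return 0 if module $1 appears in the loaded-module list at $2 (normally /proc/modules).
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2"
}

# Return 0 if a .conf file under directory $2 blocks autoloading of module $1.
# Assumed patterns: "install $1 /bin/true" or "/bin/false" (also defeats an explicit
# modprobe) and "blacklist $1" (only stops alias-based autoloading).
module_autoload_blocked() {
    mod="$1"; dir="$2"
    [ -d "$dir" ] || return 1
    cat "$dir"/*.conf 2>/dev/null |
        grep -Eq "^[[:space:]]*(install[[:space:]]+$mod[[:space:]]+/bin/(true|false)|blacklist[[:space:]]+$mod)([[:space:]]|$)"
}

# Print one line per finding; return 0 when nothing is exposed, 1 otherwise.
# $1 kernel config, $2 loaded-module list, $3 modprobe.d directory.
report() {
    cfg="$1"; modules="$2"; modprobe_dir="$3"
    exposed=0
    if rxgk_enabled "$cfg"; then
        echo "CONFIG_RXGK enabled in $cfg: confirm the CVE-2026-31635 (DirtyDecrypt) fix is applied"
        exposed=1
    fi
    if module_loaded rds "$modules"; then
        echo "rds module is loaded: PinTheft reachable by local users until patched"
        exposed=1
    elif ! module_autoload_blocked rds "$modprobe_dir"; then
        echo "rds not loaded but not blocked in $modprobe_dir: it may be autoloaded on demand"
        exposed=1
    fi
    return $exposed
}

# Check the live system when the script is run directly under its assumed name.
if [ "${0##*/}" = "rds_rxgk_check.sh" ]; then
    report "/boot/config-$(uname -r)" /proc/modules /etc/modprobe.d
fi
```

Running it on an Ubuntu host with default settings should report rds as blocked or not loaded, matching Canonical's statement, while on a distribution that ships rds loadable by default the third branch fires until the kernel image package carrying the fix is installed.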
Sources
12 references tracked.
- PinTheft: Another Linux Privilege Escalation, Another Working Exploit, This Time Targeting Arch (securityaffairs.com)
- PinTheft Linux Vulnerability Let Attackers Gain Root Access - PoC Released (cybersecuritynews.com)
- DirtyDecrypt: PoC Released for yet another Linux flaw (securityaffairs.com)
- DirtyDecrypt Linux Kernel Vulnerability PoC Exploit Code Released (cybersecuritynews.com)
- oss-sec: PinTheft Linux LPE (seclists.org)
- PinTheft Linux kernel vulnerability mitigation (canonical.com)
- oss-sec: Re: PinTheft Linux LPE (seclists.org)
- Will Dormann: "Apparently exploitation requir…" - Infosec Exchange (infosec.exchange)