Linux users are facing a new wave of security concerns as a recently patched local privilege escalation vulnerability in the Linux kernel's rxgk module has been exploited. Named DirtyDecrypt, this flaw allows attackers to gain root access on affected Linux systems. The vulnerability was initially reported by the V12 security team, who discovered it on May 9, 2026, and later learned it was a duplicate already patched in the mainline. Despite this, the team released a proof-of-concept exploit, highlighting the ongoing threat. While no official CVE ID is assigned, the vulnerability aligns with CVE-2026-31635, patched on April 25. Successful exploitation requires the CONFIG_RXGK configuration option, limiting the attack surface to specific Linux distributions. The V12 team's exploit has been tested against Fedora and the mainline Linux kernel. This vulnerability is part of a growing trend of root-escalation flaws, including Dirty Frag, Fragnesia, and Copy Fail, which have been actively exploited in the wild. The Cybersecurity and Infrastructure Security Agency (CISA) has added Copy Fail to its list of exploited vulnerabilities, urging federal agencies to secure their Linux devices by May 15. This comes on the heels of recent patches for other root-privilege escalation vulnerabilities, such as Pack2TheRoot, which had gone unnoticed for nearly a decade. The ongoing threat of these vulnerabilities underscores the need for proactive security measures and regular kernel updates to protect Linux systems from potential attacks.
