

Ethical Hacking News

New "DirtyDecrypt" Vulnerability Exposes Root Access via Linux Kernel Page Cache Corruption


A newly discovered vulnerability in the Linux kernel dubbed "DirtyDecrypt" allows local privilege escalation through a page cache write primitive. The vulnerability impacts distributions with CONFIG_RXGK enabled and could expose root access in containerized environments. Learn more about this critical vulnerability and its implications for system administrators.

  • The latest Linux kernel vulnerability, dubbed "DirtyDecrypt," allows local privilege escalation via a page cache write primitive.
  • The vulnerability was discovered through a normal Linux optimization protection mechanism that went awry.
  • The DirtyDecrypt vulnerability impacts only distributions with CONFIG_RXGK enabled, such as Fedora and Arch Linux.
  • Containerized environments with vulnerable versions of Linux could provide an entry point for attackers to gain root access.
  • A proposed "killswitch" by Linux kernel developers would enable administrators to disable vulnerable functions at runtime until a patch is prepared.
  • Rocky Linux has introduced an optional security repository to quickly deploy urgent security patches.



    The world of cybersecurity is constantly evolving, and recent weeks have seen a flurry of new vulnerabilities being disclosed, leaving security experts scrambling to patch them before they can be exploited. Among the latest batch of revelations stands out a newly discovered vulnerability in the Linux kernel that could allow local privilege escalation (LPE) via a page cache write primitive. This vulnerability has been dubbed "DirtyDecrypt," and its discovery follows a series of similar vulnerabilities, including Copy Fail, Dirty Frag, and Fragnesia.

    In early May 2026, security researchers at Theori reported the existence of this new vulnerability, which they claimed was related to a previous patch for CVE-2026-43284. However, due to the nature of open-source software development, the maintainers of the Linux kernel decided not to disclose the CVE identifier for DirtyDecrypt until all relevant patches had been made available.

    The specifics of the vulnerability lie in the rxgk_decrypt_skb() function within the xfrm ESP-in-UDP subsystem. This function handles memory pages that are shared with other processes' page caches, a normal Linux optimization protected by copy-on-write (COW). In this case, however, the COW guard is absent from rxgk_decrypt_skb(), so an unprivileged local attacker can write data into the memory of privileged processes or into the page cache of privileged files.

    According to Zellic co-founder Luna Tong, the vulnerability was discovered through a normal Linux optimization protection mechanism that went awry. "It's a rxgk pagecache write due to missing COW [copy-on-write] guard in rxgk_decryptskb," she explained. This absence of the COW guard allows attackers to write data to shared pages without creating a new copy, effectively bypassing the intended security measure.

    The DirtyDecrypt vulnerability impacts only distributions with CONFIG_RXGK enabled, such as Fedora, Arch Linux, and openSUSE Tumbleweed. In containerized environments, worker nodes running vulnerable versions of Linux could provide an entry point for attackers to gain root access.
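    Since the article ties exposure to kernels built with CONFIG_RXGK, a defender's first check is whether the running kernel has that option set. The following script is an added example, not code from the article or from the kernel project; the function names, the config-file lookup order and the verdict wording are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the article): report whether the running kernel was
# built with CONFIG_RXGK, the option the article names as the precondition for
# DirtyDecrypt exposure. Function names and lookup order are assumptions of
# this example.

# kconfig_state FILE SYMBOL -> prints y, m, n ("is not set") or unset
kconfig_state() {
    file="$1"; sym="$2"
    if grep -q "^${sym}=y$" "$file"; then
        echo y
    elif grep -q "^${sym}=m$" "$file"; then
        echo m
    elif grep -q "^# ${sym} is not set$" "$file"; then
        echo n
    else
        echo unset
    fi
}

# kconfig_file -> prints the path of a readable config for the running kernel;
# falls back to decompressing /proc/config.gz into a temp file
kconfig_file() {
    if [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    elif [ -r /proc/config.gz ]; then
        tmp="$(mktemp)"
        gzip -dc /proc/config.gz > "$tmp" && echo "$tmp"
    fi
}

# rxgk_verdict FILE -> one-line exposure verdict for the config in FILE
rxgk_verdict() {
    case "$(kconfig_state "$1" CONFIG_RXGK)" in
        y|m) echo "EXPOSED: CONFIG_RXGK enabled; track the DirtyDecrypt fix for this kernel" ;;
        n)   echo "NOT EXPOSED: CONFIG_RXGK disabled" ;;
        *)   echo "UNKNOWN: CONFIG_RXGK absent from config (option not present in this kernel)" ;;
    esac
}

cfg="$(kconfig_file)"
if [ -n "$cfg" ]; then
    rxgk_verdict "$cfg"
else
    echo "no kernel config found; run on the host or pass a config file to rxgk_verdict"
fi
```

Inside a container, /proc/config.gz describes the host kernel, which is the one that matters for the worker-node exposure the article describes.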

    In a broader context, this latest vulnerability highlights the ever-present threat landscape in the world of cybersecurity. The rapid pace at which new vulnerabilities are discovered emphasizes the importance of continuous vigilance and timely patching by system administrators. Moreover, it underscores the need for better security frameworks that protect user data against such exploits.

    In response to these recent findings, Linux kernel developers have been discussing an emergency "killswitch" proposal that would enable administrators to disable vulnerable functions at runtime until a patch is prepared. The idea involves using kernel probes (kprobes) to detect when certain kernel functions are about to execute and to return a fixed value instead of running their code.

    Rocky Linux has also introduced an optional security repository that allows the distribution to quickly deploy urgent security patches, particularly in situations where vulnerabilities become publicly known before coordinated upstream fixes arrive. This move is seen as an effort by the community to provide users with accelerated protection mechanisms without compromising their normal release processes.

    The recent disclosures of new vulnerabilities have left many organizations scrambling to respond promptly. Given the widespread impact that these vulnerabilities could have, it's clear that cybersecurity will remain a pressing concern for the foreseeable future.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-DirtyDecrypt-Vulnerability-Exposes-Root-Access-via-Linux-Kernel-Page-Cache-Corruption-ehn.shtml

  • https://thehackernews.com/2026/05/dirtydecrypt-poc-released-for-linux.html


  • Published: Tue May 19 11:12:39 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News. All rights reserved.