CVE-2026-31635

HIGH

rxrpc: fix oversized RESPONSE authenticator length check

Title source: cna

Exploitation Summary

EIP tracks 7 public exploits for CVE-2026-31635. PoCs published by Unclecheng-li, 0xFuffM3, Koshmare-Blossom.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2026-31635 (DirtyDecrypt), a Linux kernel local privilege escalation vulnerability in the AF_RXRPC RxGK encryption subsystem. The exploit leverages a missing COW guard in rxgk_decrypt_skb() to corrupt page cache via in-place decryption, achieving arbitrary byte writes and ultimately root shell execution.

Description

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: fix oversized RESPONSE authenticator length check

rxgk_verify_response() decodes auth_len from the packet and is supposed to verify that it fits in the remaining bytes. The existing check is inverted, so oversized RESPONSE authenticators are accepted and passed to rxgk_decrypt_skb(), which can later reach skb_to_sgvec() with an impossible length and hit BUG_ON(len).

Decoded from the original latest-net reproduction logs with scripts/decode_stacktrace.sh:

RIP: __skb_to_sgvec() [net/core/skbuff.c:5285 (discriminator 1)]
Call Trace:
 skb_to_sgvec() [net/core/skbuff.c:5305]
 rxgk_decrypt_skb() [net/rxrpc/rxgk_common.h:81]
 rxgk_verify_response() [net/rxrpc/rxgk.c:1268]
 rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386]
 process_one_work() [kernel/workqueue.c:3281]
 worker_thread() [kernel/workqueue.c:3353 kernel/workqueue.c:3440]
 kthread() [kernel/kthread.c:436]
 ret_from_fork() [arch/x86/kernel/process.c:164]

Reject authenticator lengths that exceed the remaining packet payload.

Exploits (7)

GitHub · Working PoC · 95 stars
by Unclecheng-li · cpoc
https://github.com/Unclecheng-li/poc-lab/tree/main/CVE-2026-31635 (DirtyDecrypt)

This repository contains a functional exploit for CVE-2026-31635 (DirtyDecrypt), a Linux kernel local privilege escalation vulnerability in the AF_RXRPC RxGK encryption subsystem. The exploit leverages a missing COW guard in rxgk_decrypt_skb() to corrupt page cache via in-place decryption, achieving arbitrary byte writes and ultimately root shell execution.

Classification: Working PoC (100%)
Attack type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel (6.16-6.19.x, 7.0-rc1-rc7) with CONFIG_RXGK enabled
Authentication: none needed
Prerequisites: CONFIG_RXGK enabled · user namespace creation capability · splice syscall access
Analyzed by devstral-2 on May 22, 2026
GitHub · Working PoC · 1 star
by 0xFuffM3 · cpoc
https://github.com/0xFuffM3/CVE-2026-31635-DirtyDecrypt

This repository contains a functional exploit for CVE-2026-31635, a Linux kernel local privilege escalation vulnerability via rxgk pagecache corruption due to missing copy-on-write (COW) checks. The exploit uses AES-CBC encryption and a dual-fragment RxRPC packet to overwrite page cache contents, achieving root access.

Classification: Working PoC (95%)
Attack type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel (specific versions affected by CVE-2026-31635)
Authentication: none needed
Prerequisites: Linux kernel vulnerable to CVE-2026-31635 · local user access · OpenSSL library for AES encryption
Analyzed by devstral-2 on May 21, 2026
GitLab · Working PoC
by Koshmare-Blossom · poc
https://gitlab.com/Koshmare-Blossom/DirtyDecrypt-go

This repository contains a functional Go exploit for CVE-2026-31635, leveraging a missing skb_cow_data() call in rxgk_decrypt_skb() to overwrite the page cache of /usr/bin/su with a root shell ELF payload. The exploit uses a sliding-window technique to probabilistically corrupt and repair bytes until the target payload is written.

Classification: Working PoC (95%)
Attack type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel (rxrpc/rxgk module)
Authentication: none needed
Prerequisites: Linux kernel with vulnerable rxrpc/rxgk module · ability to execute unprivileged code · access to /usr/bin/su
Analyzed by devstral-2 on May 25, 2026
nomisec · Working PoC
by Koshmare-Blossom · poc
https://github.com/Koshmare-Blossom/Dirtydecrypt-go

This repository contains a functional Go exploit for CVE-2026-31635, leveraging a missing skb_cow_data() call in rxgk_decrypt_skb() to overwrite the page cache of /usr/bin/su with a root shell ELF payload. The exploit uses a sliding-window technique to probabilistically corrupt and repair bytes until the payload is fully written.

Classification: Working PoC (95%)
Attack type: LPE
Complexity: Complex
Reliability: Racy
Target: Linux kernel (AF_RXRPC implementation)
Authentication: none needed
Prerequisites: Linux kernel with AF_RXRPC support · unprivileged user namespace access · read/write access to /usr/bin/su page cache
Analyzed by devstral-2 on May 23, 2026
GitHub · Working PoC
by Lutfifakee-Project · cpoc
https://github.com/Lutfifakee-Project/CVE-2026-31635

This repository contains a functional exploit for CVE-2026-31635, a local privilege escalation vulnerability in the Linux kernel's RXGK module. The exploit leverages a missing COW (Copy-On-Write) guard in `rxgk_decrypt_skb()` to overwrite `/etc/passwd` and add a root user without a password.

Classification: Working PoC (95%)
Attack type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel with CONFIG_RXGK=y
Authentication: none needed
Prerequisites: Linux kernel with CONFIG_RXGK=y · unprivileged user access · user and network namespace support
Analyzed by devstral-2 on May 20, 2026
GitHub · Working PoC
by aexdyhaxor · poc
https://github.com/aexdyhaxor/DirtyDecrypt

The repository contains a functional ELF binary exploit for CVE-2026-31635, likely targeting a Linux-based vulnerability. The binary is obfuscated but appears to be a self-contained proof-of-concept.

Classification: Working PoC (95%)
Attack type: Other
Complexity: Moderate
Reliability: Reliable
Target: Unknown (likely Linux-based software)
Authentication: none needed
Prerequisites: Linux environment · vulnerable target system
Analyzed by devstral-2 on May 20, 2026
GitHub · Writeup
by 0xBlackash · poc
https://github.com/0xBlackash/CVE-2026-31635

The repository provides a detailed technical writeup for CVE-2026-31635, a Linux kernel local privilege escalation vulnerability in the rxrpc subsystem's rxgk component. It explains the missing Copy-on-Write (COW) check during AES-CBC decryption, leading to arbitrary file writes and root access.

Classification: Writeup (95%)
Attack type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel 6.10 to 6.13 with CONFIG_RXGK=y
Authentication: none needed
Prerequisites: Linux kernel with CONFIG_RXGK enabled · unprivileged local user access · AF_RXRPC socket support · keyctl utility
Analyzed by devstral-2 on May 19, 2026

Scores

CVSS v3: 7.5
EPSS: 0.0003
EPSS percentile: 10.5%
Attack vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical impact: total

Details

CWE: CWE-130
Status: published
Products (11)
Linux/Linux < 6.16
Linux/Linux 6.16
Linux/Linux 6.18.23 - 6.18.*
Linux/Linux 6.19.13 - 6.19.*
Linux/Linux 7.0
Linux/Linux 9d1d2b59341f58126a69b51f9f5f8ccb9f12e54a - a2567217ade970ecc458144b6be469bc015b23e5
Linux/Linux 9d1d2b59341f58126a69b51f9f5f8ccb9f12e54a - beee051f259acd286fed64c32c2b31e6f5097eb5
Linux/Linux 9d1d2b59341f58126a69b51f9f5f8ccb9f12e54a - e2f1a80d8b1ed6a5ae585a399c2b46500bdcc305
linux/linux_kernel 6.16
linux/linux_kernel 7.0 rc1 (7 CPE variants)
... and 1 more
Published: Apr 24, 2026
Tracked since: Apr 24, 2026