CVE-2026-31635
HIGHrxrpc: fix oversized RESPONSE authenticator length check
Title source: cnaExploitation Summary
EIP tracks 10 public exploits for CVE-2026-31635. PoCs published by Unclecheng-li, 0xFuffM3, MillerDetach.
AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2026-31635 (DirtyCBC/DirtyDecrypt), a Linux kernel local privilege escalation vulnerability in the rxgk component. The README includes root cause analysis, affected versions, and exploitation steps, while the provided code is a placeholder referencing the upstream PoC.
Description
In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix oversized RESPONSE authenticator length check rxgk_verify_response() decodes auth_len from the packet and is supposed to verify that it fits in the remaining bytes. The existing check is inverted, so oversized RESPONSE authenticators are accepted and passed to rxgk_decrypt_skb(), which can later reach skb_to_sgvec() with an impossible length and hit BUG_ON(len). Decoded from the original latest-net reproduction logs with scripts/decode_stacktrace.sh: RIP: __skb_to_sgvec() [net/core/skbuff.c:5285 (discriminator 1)] Call Trace: skb_to_sgvec() [net/core/skbuff.c:5305] rxgk_decrypt_skb() [net/rxrpc/rxgk_common.h:81] rxgk_verify_response() [net/rxrpc/rxgk.c:1268] rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386] process_one_work() [kernel/workqueue.c:3281] worker_thread() [kernel/workqueue.c:3353 kernel/workqueue.c:3440] kthread() [kernel/kthread.c:436] ret_from_fork() [arch/x86/kernel/process.c:164] Reject authenticator lengths that exceed the remaining packet payload.
Exploits (10)
This repository provides a detailed technical analysis of CVE-2026-31635 (DirtyCBC/DirtyDecrypt), a Linux kernel local privilege escalation vulnerability in the rxgk component. The README includes root cause analysis, affected versions, and exploitation steps, while the provided code is a placeholder referencing the upstream PoC.
This repository contains a functional exploit for CVE-2026-31635 (DirtyDecrypt), a Linux kernel local privilege escalation vulnerability in the AF_RXRPC RxGK encryption subsystem. The exploit leverages a missing COW guard in rxgk_decrypt_skb() to corrupt page cache via in-place decryption, achieving arbitrary byte writes and ultimately root shell execution.
This repository contains a functional exploit for CVE-2026-31635, a Linux kernel local privilege escalation vulnerability via rxgk pagecache corruption due to missing copy-on-write (COW) checks. The exploit uses AES-CBC encryption and a dual-fragment RxRPC packet to overwrite page cache contents, achieving root access.
This repository provides a detailed technical analysis of CVE-2026-31635 (DirtyDecrypt), a Linux kernel local privilege escalation vulnerability in the AF_RXRPC RxGK encryption subsystem. It includes root cause analysis, patch details, and a step-by-step breakdown of the exploit mechanism involving page cache corruption via splice and AES-CBC decryption.
This repository provides a detailed technical analysis of CVE-2026-31635 (DirtyDecrypt), a Linux kernel local privilege escalation vulnerability in the RxGK encryption subsystem. It includes root cause analysis, patch details, and a step-by-step breakdown of the exploit mechanism.
This repository contains a functional Go exploit for CVE-2026-31635, leveraging a missing skb_cow_data() call in rxgk_decrypt_skb() to overwrite the page cache of /usr/bin/su with a root shell ELF payload. The exploit uses a sliding-window technique to probabilistically corrupt and repair bytes until the target payload is written.
This repository contains a functional Go exploit for CVE-2026-31635, leveraging a missing skb_cow_data() call in rxgk_decrypt_skb() to overwrite the page cache of /usr/bin/su with a root shell ELF payload. The exploit uses a sliding-window technique to probabilistically corrupt and repair bytes until the payload is fully written.
This repository contains a functional exploit for CVE-2026-31635, a local privilege escalation vulnerability in the Linux kernel's RXGK module. The exploit leverages a missing COW (Copy-On-Write) guard in `rxgk_decrypt_skb()` to overwrite `/etc/passwd` and add a root user without a password.
The repository contains a functional ELF binary exploit for CVE-2026-31635, likely targeting a Linux-based vulnerability. The binary is obfuscated but appears to be a self-contained proof-of-concept.
The repository provides a detailed technical writeup for CVE-2026-31635, a Linux kernel local privilege escalation vulnerability in the rxrpc subsystem's rxgk component. It explains the missing Copy-on-Write (COW) check during AES-CBC decryption, leading to arbitrary file writes and root access.
References (4)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H