Share
## https://sploitus.com/exploit?id=1225EDAD-7DE2-5A0D-B32A-65D53216B098
# CVE-2026-31635 ยท DirtyDecrypt

[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
[![Kernel](https://img.shields.io/badge/kernel-6.10--6.13-critical)](https://www.kernel.org)
[![Type](https://img.shields.io/badge/type-LPE-blue.svg)](https://en.wikipedia.org/wiki/Privilege_escalation)
[![Status](https://img.shields.io/badge/status-patched-brightgreen.svg)]

> **Linux local privilege escalation in the RxRPC/GSSAPI decryption path.**
> A missing `skb_cow_data()` check in `rxgk_decrypt_skb()` allows an unprivileged local attacker to corrupt page cache pages and overwrite in-memory contents of read-only files.

---

## Contents

- [Overview](#overview)
- [Quick Start](#quick-start)
- [Verify Your System](#verify-your-system)
- [Exploit Summary](#exploit-summary)
- [Affected Systems](#affected-systems)
- [How to Use This Repository](#how-to-use-this-repository)
- [Mitigation](#mitigation)
- [FAQ](#faq)
- [Repository Layout](#repository-layout)
- [References](#references)

---

## Overview

This repository contains the research materials and proof-of-concept for **CVE-2026-31635**, a local privilege escalation in Linux kernel `net/rxrpc/rxgk.c`.

The vulnerability occurs when RxRPC decrypts packets in-place using AES-CBC without first ensuring the packet data is private. If the packet is built from page cache pages, the kernel may decrypt directly into shared file-backed memory.

| Property | Detail |
|---|---|
| **CVE** | CVE-2026-31635 |
| **Component** | `net/rxrpc/rxgk.c` โ€” `rxgk_decrypt_skb()` |
| **Root cause** | Missing `skb_cow_data()` check before decryption |
| **Impact** | Local privilege escalation to root |
| **Affected kernels** | 6.10 โ€“ 6.13 |
| **Fixed in** | 6.13.2 ยท 6.12.10 ยท 6.6.75 |

---

## Quick Start

Choose the path that matches your goal:

1. **Verify vulnerability**
   - Check kernel version and `CONFIG_RXGK`
   - Use `./dirtydecrypt --check`
2. **Build the exploit**
   - `cd exploit`
   - `make`
3. **Read the technical research**
   - Start with `docs/vulnerability-analysis.md`
   - Review `docs/patch-analysis.md` and `docs/exploit-development.md`

> โš ๏ธ This repository is for authorized research and testing only. Do not use it against systems without explicit permission.

---

## Verify Your System

Run the following checks to determine whether your environment is in scope:

```bash
uname -r
zgrep CONFIG_RXGK /proc/config.gz 2>/dev/null || grep CONFIG_RXGK /boot/config-$(uname -r)
```

If the kernel is in the `6.10โ€“6.13` range and `CONFIG_RXGK` is enabled, the system may be vulnerable.

Then use the exploit PoC verification mode:

```bash
cd exploit
./dirtydecrypt --check
```

If the check succeeds, the system is vulnerable. If it fails cleanly or reports missing RxRPC support, then the kernel is not exploitable.

---

## Exploit Summary

The exploit uses a malformed RxRPC packet to force the kernel into decrypting into a shared page cache page.

Steps:

1. Select a readable target page from a setuid binary or another sensitive file.
2. Create an RxRPC decryption context with a controlled AES key.
3. Build a dual-fragment SKB where the first fragment maps to the target page and the second fragment contains ciphertext.
4. Call `rxgk_decrypt_skb()` in the kernel.
5. The kernel writes plaintext into the target page cache entry instead of a private buffer.
6. Execute the patched binary to gain root.

The exploit is demonstrated in `exploit/dirtydecrypt.c`.

---

## Affected Systems

### Known vulnerable ranges

- Linux kernel `6.10` through `6.13`
- `CONFIG_RXGK=m` or `CONFIG_RXGK=y`

### Distribution guidance

- **Fedora 40, 41** โ€” vulnerable on stock kernels until patched
- **Ubuntu 24.10** โ€” vulnerable on the default 6.11 kernel
- **Debian unstable (Sid)** โ€” vulnerable on kernels 6.12+ until updated
- **Arch Linux** โ€” vulnerable until 6.13.2
- **SUSE Linux Enterprise 15 SP7** โ€” vulnerable on older 6.10 builds until patch

### Not vulnerable

- **RHEL 9** โ€” older kernel without `rxgk`
- **AWS Linux 2** โ€” older kernel series
- **Android** โ€” not affected on typical Android branches
- **GCE Container-Optimized OS** โ€” `CONFIG_RXGK` disabled by default

---

## How to Use This Repository

### Build the exploit

```bash
git clone https://github.com/0xFuffM3/CVE-2026-31635-DirtyDecrypt.git
cd exploit
make
```

For a fully static binary:

```bash
make static
```

### Run the exploit safely

```bash
./dirtydecrypt --check
```

Example usage:

```bash
./dirtydecrypt -f /usr/bin/sudo -o /tmp/sudo_patched
./dirtydecrypt -p shellcode/payload.bin
```

### Recommended reading order

1. `docs/vulnerability-analysis.md`
2. `docs/exploit-development.md`
3. `docs/patch-analysis.md`
4. `docs/affected-kernels.md`

---

## Mitigation

### Immediate

Disable RxRPC if it is not required:

```bash
sudo rmmod rxrpc
sudo modprobe -r rxgk
echo "blacklist rxrpc" | sudo tee /etc/modprobe.d/blacklist-rxrpc.conf
```

### Permanent

Upgrade to a patched kernel release:

- `6.13.2`
- `6.12.10`
- `6.6.75`

### Detection

Audit relevant socket creation and key operations:

```bash
sudo auditctl -a always,exit -F arch=b64 -S socket -F a0=28 -k rxrpc_sock
```

---

## FAQ

**Q: Can this exploit modify files on disk?**  
A: No. The vulnerability corrupts page cache contents only; the backing file on disk remains unchanged unless the page is later flushed.

**Q: Is this vulnerability present on kernels newer than 6.13?**  
A: No, the patch was backported and the vulnerable code path is fixed in kernels after 6.13.2.

**Q: What is the safest way to test this?**  
A: Use an isolated VM with a stock vulnerable kernel and a disposable user account.

**Q: Where can I find the exploit source?**  
A: See `exploit/dirtydecrypt.c` and `exploit/README.md`.

---

## Repository Layout

```text
CVE-2026-31635-DirtyDecrypt/
โ”œโ”€โ”€ README.md
โ”œโ”€โ”€ LICENSE
โ”œโ”€โ”€ DISCLAIMER.md
โ”œโ”€โ”€ CHANGELOG.md
โ”œโ”€โ”€ exploit/
โ”‚   โ”œโ”€โ”€ README.md
โ”‚   โ”œโ”€โ”€ dirtydecrypt.c
โ”‚   โ”œโ”€โ”€ Makefile
โ”‚   โ””โ”€โ”€ shellcode/
โ”‚       โ””โ”€โ”€ payload.asm
โ””โ”€โ”€ docs/
    โ”œโ”€โ”€ vulnerability-analysis.md
    โ”œโ”€โ”€ exploit-development.md
    โ”œโ”€โ”€ affected-kernels.md
    โ”œโ”€โ”€ patch-analysis.md
    โ””โ”€โ”€ references.md
```

---

## References

- [Linux kernel patch โ€” commit `a2567217`](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a2567217)
- [NVD โ€” CVE-2026-31635](https://nvd.nist.gov/vuln/detail/CVE-2026-31635)
- [`docs/references.md`](docs/references.md)

---

## License

MIT โ€” see [LICENSE](LICENSE).  
This repository is intended for educational and authorized security research use only.