## https://sploitus.com/exploit?id=1225EDAD-7DE2-5A0D-B32A-65D53216B098
# CVE-2026-31635 ยท DirtyDecrypt
[](LICENSE)
[](https://www.kernel.org)
[](https://en.wikipedia.org/wiki/Privilege_escalation)
[]
> **Linux local privilege escalation in the RxRPC/GSSAPI decryption path.**
> A missing `skb_cow_data()` check in `rxgk_decrypt_skb()` allows an unprivileged local attacker to corrupt page cache pages and overwrite in-memory contents of read-only files.
---
## Contents
- [Overview](#overview)
- [Quick Start](#quick-start)
- [Verify Your System](#verify-your-system)
- [Exploit Summary](#exploit-summary)
- [Affected Systems](#affected-systems)
- [How to Use This Repository](#how-to-use-this-repository)
- [Mitigation](#mitigation)
- [FAQ](#faq)
- [Repository Layout](#repository-layout)
- [References](#references)
---
## Overview
This repository contains the research materials and proof-of-concept for **CVE-2026-31635**, a local privilege escalation in Linux kernel `net/rxrpc/rxgk.c`.
The vulnerability occurs when RxRPC decrypts packets in-place using AES-CBC without first ensuring the packet data is private. If the packet is built from page cache pages, the kernel may decrypt directly into shared file-backed memory.
| Property | Detail |
|---|---|
| **CVE** | CVE-2026-31635 |
| **Component** | `net/rxrpc/rxgk.c` โ `rxgk_decrypt_skb()` |
| **Root cause** | Missing `skb_cow_data()` check before decryption |
| **Impact** | Local privilege escalation to root |
| **Affected kernels** | 6.10 โ 6.13 |
| **Fixed in** | 6.13.2 ยท 6.12.10 ยท 6.6.75 |
---
## Quick Start
Choose the path that matches your goal:
1. **Verify vulnerability**
- Check kernel version and `CONFIG_RXGK`
- Use `./dirtydecrypt --check`
2. **Build the exploit**
- `cd exploit`
- `make`
3. **Read the technical research**
- Start with `docs/vulnerability-analysis.md`
- Review `docs/patch-analysis.md` and `docs/exploit-development.md`
> โ ๏ธ This repository is for authorized research and testing only. Do not use it against systems without explicit permission.
---
## Verify Your System
Run the following checks to determine whether your environment is in scope:
```bash
uname -r
zgrep CONFIG_RXGK /proc/config.gz 2>/dev/null || grep CONFIG_RXGK /boot/config-$(uname -r)
```
If the kernel is in the `6.10โ6.13` range and `CONFIG_RXGK` is enabled, the system may be vulnerable.
Then use the exploit PoC verification mode:
```bash
cd exploit
./dirtydecrypt --check
```
If the check succeeds, the system is vulnerable. If it fails cleanly or reports missing RxRPC support, then the kernel is not exploitable.
---
## Exploit Summary
The exploit uses a malformed RxRPC packet to force the kernel into decrypting into a shared page cache page.
Steps:
1. Select a readable target page from a setuid binary or another sensitive file.
2. Create an RxRPC decryption context with a controlled AES key.
3. Build a dual-fragment SKB where the first fragment maps to the target page and the second fragment contains ciphertext.
4. Call `rxgk_decrypt_skb()` in the kernel.
5. The kernel writes plaintext into the target page cache entry instead of a private buffer.
6. Execute the patched binary to gain root.
The exploit is demonstrated in `exploit/dirtydecrypt.c`.
---
## Affected Systems
### Known vulnerable ranges
- Linux kernel `6.10` through `6.13`
- `CONFIG_RXGK=m` or `CONFIG_RXGK=y`
### Distribution guidance
- **Fedora 40, 41** โ vulnerable on stock kernels until patched
- **Ubuntu 24.10** โ vulnerable on the default 6.11 kernel
- **Debian unstable (Sid)** โ vulnerable on kernels 6.12+ until updated
- **Arch Linux** โ vulnerable until 6.13.2
- **SUSE Linux Enterprise 15 SP7** โ vulnerable on older 6.10 builds until patch
### Not vulnerable
- **RHEL 9** โ older kernel without `rxgk`
- **AWS Linux 2** โ older kernel series
- **Android** โ not affected on typical Android branches
- **GCE Container-Optimized OS** โ `CONFIG_RXGK` disabled by default
---
## How to Use This Repository
### Build the exploit
```bash
git clone https://github.com/0xFuffM3/CVE-2026-31635-DirtyDecrypt.git
cd exploit
make
```
For a fully static binary:
```bash
make static
```
### Run the exploit safely
```bash
./dirtydecrypt --check
```
Example usage:
```bash
./dirtydecrypt -f /usr/bin/sudo -o /tmp/sudo_patched
./dirtydecrypt -p shellcode/payload.bin
```
### Recommended reading order
1. `docs/vulnerability-analysis.md`
2. `docs/exploit-development.md`
3. `docs/patch-analysis.md`
4. `docs/affected-kernels.md`
---
## Mitigation
### Immediate
Disable RxRPC if it is not required:
```bash
sudo rmmod rxrpc
sudo modprobe -r rxgk
echo "blacklist rxrpc" | sudo tee /etc/modprobe.d/blacklist-rxrpc.conf
```
### Permanent
Upgrade to a patched kernel release:
- `6.13.2`
- `6.12.10`
- `6.6.75`
### Detection
Audit relevant socket creation and key operations:
```bash
sudo auditctl -a always,exit -F arch=b64 -S socket -F a0=28 -k rxrpc_sock
```
---
## FAQ
**Q: Can this exploit modify files on disk?**
A: No. The vulnerability corrupts page cache contents only; the backing file on disk remains unchanged unless the page is later flushed.
**Q: Is this vulnerability present on kernels newer than 6.13?**
A: No, the patch was backported and the vulnerable code path is fixed in kernels after 6.13.2.
**Q: What is the safest way to test this?**
A: Use an isolated VM with a stock vulnerable kernel and a disposable user account.
**Q: Where can I find the exploit source?**
A: See `exploit/dirtydecrypt.c` and `exploit/README.md`.
---
## Repository Layout
```text
CVE-2026-31635-DirtyDecrypt/
โโโ README.md
โโโ LICENSE
โโโ DISCLAIMER.md
โโโ CHANGELOG.md
โโโ exploit/
โ โโโ README.md
โ โโโ dirtydecrypt.c
โ โโโ Makefile
โ โโโ shellcode/
โ โโโ payload.asm
โโโ docs/
โโโ vulnerability-analysis.md
โโโ exploit-development.md
โโโ affected-kernels.md
โโโ patch-analysis.md
โโโ references.md
```
---
## References
- [Linux kernel patch โ commit `a2567217`](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a2567217)
- [NVD โ CVE-2026-31635](https://nvd.nist.gov/vuln/detail/CVE-2026-31635)
- [`docs/references.md`](docs/references.md)
---
## License
MIT โ see [LICENSE](LICENSE).
This repository is intended for educational and authorized security research use only.