## https://sploitus.com/exploit?id=52E2B1D3-F89F-58A5-A1F3-B7D71B13F551
# 🩸 **CVE-2026-31635 – DirtyDecrypt**

**Linux Kernel Local Privilege Escalation via RXGK Page Cache Corruption**

![Version](https://img.shields.io/badge/Kernel-6.10+-red)
![Severity](https://img.shields.io/badge/Severity-High-critical)
![Exploit](https://img.shields.io/badge/Exploit-Public-brightgreen)

### **"DirtyDecrypt"** — Part of the 2026 "Dirty" family exploits



---

## 📖 **Overview**

**DirtyDecrypt** (CVE-2026-31635) is a **local privilege escalation** vulnerability in the Linux kernel's `rxrpc` subsystem (specifically the `rxgk` component). 

It abuses a **missing Copy-on-Write (COW)** check during AES-CBC decryption, allowing an unprivileged user to corrupt the page cache and achieve **arbitrary file writes**, leading to **root** access.

---

## ✨ **Features**

- ✅ Clean & well-commented C code
- ✅ User + Network namespace support
- ✅ Reliable page cache write primitive
- ✅ Targets `/etc/passwd` (blank root password)
- ✅ Easy to modify for SUID binaries or other targets
- ✅ Static compilation support

---

## 🛠️ **Affected Systems**

- **Vulnerable Kernels**: 6.10 ~ 6.13 (with `CONFIG_RXGK=y`)
- **Common Distros**: Fedora, Arch Linux, openSUSE Tumbleweed, custom kernels
- **Not Vulnerable**: Kernels before ~6.10 or those with `CONFIG_RXGK=n`

---

## 📋 **Requirements**

- Linux kernel with `CONFIG_RXGK` enabled
- Unprivileged local user access
- `AF_RXRPC` socket support
- `keyctl` utility (for rxrpc keys)
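
A defender-side exposure check for the conditions listed under Affected Systems and Requirements, added here as an example and not part of the DirtyDecrypt repository. The function names and verdict strings are illustrative; the 6.10 to 6.13 range and the `CONFIG_RXGK=y` condition are taken from this README, and the config locations (`/boot/config-$(uname -r)`, `/proc/config.gz`) are the usual ones but vary by distro.

```bash
# Added exposure check; not part of the DirtyDecrypt repository.
# The 6.10-6.13 range and the CONFIG_RXGK=y condition are taken from this README.

# kernel_state RELEASE -> in-range | out-of-range | unparsed
kernel_state() (
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    case "$1" in *.*) ;; *) major= ;; esac      # no dot: not a release string
    case "$major" in ''|*[!0-9]*) echo unparsed; exit 0 ;; esac
    [ -n "$minor" ] || { echo unparsed; exit 0; }
    if [ "$major" -eq 6 ] && [ "$minor" -ge 10 ] && [ "$minor" -le 13 ]; then
        echo in-range
    else
        echo out-of-range
    fi
)

# rxgk_setting CONFIG_FILE -> value of CONFIG_RXGK, "n" if unset, or "unknown"
rxgk_setting() (
    [ -r "$1" ] || { echo unknown; exit 0; }
    case "$1" in
        *.gz) val=$(gzip -dc "$1" | sed -n 's/^CONFIG_RXGK=//p' | tail -n 1) ;;
        *)    val=$(sed -n 's/^CONFIG_RXGK=//p' "$1" | tail -n 1) ;;
    esac
    echo "${val:-n}"    # empty: "# CONFIG_RXGK is not set", or symbol absent
)

# assess RELEASE CONFIG_FILE -> one verdict string for inventory tooling
assess() (
    state=$(kernel_state "$1"); opt=$(rxgk_setting "$2")
    case "$state:$opt" in
        out-of-range:*) echo not-affected-kernel ;;
        unparsed:*)     echo unknown-kernel ;;
        in-range:y)     echo exposed ;;
        in-range:n)     echo rxgk-disabled ;;
        *)              echo needs-review ;;   # unreadable config or other value
    esac
)

# Check the running host, falling back to /proc/config.gz when /boot has no config.
rel=$(uname -r)
cfg=/boot/config-$rel
[ -r "$cfg" ] || cfg=/proc/config.gz
echo "kernel=$rel config=$cfg verdict=$(assess "$rel" "$cfg")"
```

A `needs-review` verdict means the kernel version is in range but the build configuration could not be read, so the host should be treated as exposed until the config is confirmed.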

---

## 🚀 **Compilation**

```bash
git clone https://github.com/0xBlackash/DirtyDecrypt.git
cd DirtyDecrypt
gcc -O2 -static -pthread CVE-2026-31635.c -o DirtyDecrypt
```

---

## 💥 **Usage**

```bash
sudo ./DirtyDecrypt
```

**Expected successful output:**
```bash
[+] === DirtyDecrypt v2 - CVE-2026-31635 ===
[+] User + Network namespace created
[+] Starting attack on /etc/passwd...
[+] SUCCESS! Got root!
uid=0(root) gid=0(root) groups=0(root)
```

---

## 📁 **Repository Structure**

```bash
DirtyDecrypt/
├── CVE-2026-31635.c          # Main exploit
├── README.md                 # This file
├── Makefile                  # Optional
└── exploit.log               # Optional output log
```

---

## 🔬 **How It Works (Technical)**

1. Enters a user + network namespace
2. Adds an RXGK key to the keyring
3. Uses `AF_RXRPC` sockets + `splice()` to force page cache pages into the RXGK decryption path
4. Triggers in-place AES-CBC decryption without `skb_cow_data()`
5. Corrupts the target file (`/etc/passwd`) byte-by-byte using a sliding-window technique
6. Blanks the root password → spawns a root shell

---

## ⚠️ **Disclaimer**

> This exploit is for **educational and authorized security testing** only.  
> Unauthorized use on systems you do not own is illegal.

---

## 📜 **Credits & Author**

- **Exploit Author**: Ashraf Zaryouh "0xBlackash"
- **Original Discovery**: Security researchers (2026)
- **PoC Version**: v2.1 (May 2026)

---



**⭐ Star this repo if it helped you!**

**Made with ❤️ for the research community**