## https://sploitus.com/exploit?id=52E2B1D3-F89F-58A5-A1F3-B7D71B13F551
# **CVE-2026-31635 - DirtyDecrypt**
**Linux Kernel Local Privilege Escalation via RXGK Page Cache Corruption**



### **"DirtyDecrypt"** - Part of the 2026 "Dirty" family of exploits
---
## **Overview**
**DirtyDecrypt** (CVE-2026-31635) is a **local privilege escalation** vulnerability in the Linux kernel's `rxrpc` subsystem (specifically the `rxgk` component).
It abuses a **missing Copy-on-Write (COW)** check during AES-CBC decryption, allowing an unprivileged user to corrupt the page cache and achieve **arbitrary file writes**, leading to **root** access.
---
## **Features**
- Clean & well-commented C code
- User + Network namespace support
- Reliable page cache write primitive
- Targets `/etc/passwd` (blank root password)
- Easy to modify for SUID binaries or other targets
- Static compilation support
---
## **Affected Systems**
- **Vulnerable Kernels**: 6.10 ~ 6.13 (with `CONFIG_RXGK=y`)
- **Common Distros**: Fedora, Arch Linux, openSUSE Tumbleweed, custom kernels
- **Not Vulnerable**: Kernels before ~6.10 or those with `CONFIG_RXGK=n`
---
## **Requirements**
- Linux kernel with `CONFIG_RXGK` enabled
- Unprivileged local user access
- `AF_RXRPC` socket support
- `keyctl` utility (for rxrpc keys)
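
For defenders, the conditions listed under Affected Systems and Requirements can be turned into a host triage check. The script below is an added example, not part of the DirtyDecrypt repository; the function names and the `/boot/config-<release>` path are assumptions, and the version range and config symbol are the ones this README states.

```bash
#!/usr/bin/env bash
# Added example, not part of the DirtyDecrypt repository. Triage uses only the
# conditions this README states: kernel 6.10 ~ 6.13 and CONFIG_RXGK=y.

# kernel_in_range RELEASE: 0 = within 6.10..6.13, 1 = outside, 2 = unparsable
kernel_in_range() {
    local rel="$1" major minor
    case "$rel" in *.*) ;; *) return 2 ;; esac
    major="${rel%%.*}"
    minor="${rel#*.}"; minor="${minor%%[!0-9]*}"
    case "$major" in ""|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    [ "$major" -eq 6 ] && [ "$minor" -ge 10 ] && [ "$minor" -le 13 ]
}

# rxgk_state CONFIG_FILE: prints y, n, or unknown (file unreadable)
rxgk_state() {
    local cfg="$1" reader="cat"
    [ -r "$cfg" ] || { echo unknown; return 0; }
    case "$cfg" in *.gz) reader="gzip -dc" ;; esac
    # "# CONFIG_RXGK is not set" or an absent symbol both mean RXGK is not built
    if $reader "$cfg" | grep -q '^CONFIG_RXGK=y$'; then echo y; else echo n; fi
}

# assess RELEASE CONFIG_FILE: prints one verdict line
assess() {
    local rel="$1" cfg="$2" rc=0
    kernel_in_range "$rel" || rc=$?
    case "$rc" in
        1) echo "out-of-range: $rel is not in 6.10-6.13"; return 0 ;;
        2) echo "unknown: cannot parse kernel release '$rel'"; return 0 ;;
    esac
    case "$(rxgk_state "$cfg")" in
        y) echo "potentially-exposed: $rel with CONFIG_RXGK=y; update the kernel" ;;
        n) echo "not-affected: CONFIG_RXGK not enabled on $rel" ;;
        *) echo "unknown: kernel config '$cfg' not readable" ;;
    esac
}

# Live host. /boot/config-<release> is the usual distro path (assumption),
# with /proc/config.gz as fallback. Distro kernels may carry backported fixes,
# so "potentially-exposed" means: confirm against the vendor advisory.
cfg="/boot/config-$(uname -r)"
[ -r "$cfg" ] || cfg="/proc/config.gz"
assess "$(uname -r)" "$cfg"
```
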
---
## **Compilation**
```bash
git clone https://github.com/0xBlackash/DirtyDecrypt.git
cd DirtyDecrypt
gcc -O2 -static -pthread CVE-2026-31635.c -o DirtyDecrypt
```
---
## **Usage**
```bash
sudo ./DirtyDecrypt
```
**Expected successful output:**
```text
[+] === DirtyDecrypt v2 - CVE-2026-31635 ===
[+] User + Network namespace created
[+] Starting attack on /etc/passwd...
[+] SUCCESS! Got root!
uid=0(root) gid=0(root) groups=0(root)
```
---
## **Repository Structure**
```text
DirtyDecrypt/
├── CVE-2026-31635.c   # Main exploit
├── README.md          # This file
├── Makefile           # Optional
└── exploit.log        # Optional output log
```
---
## **How It Works (Technical)**
1. Enters a User + Network namespace
2. Adds an RXGK key to the keyring
3. Uses `AF_RXRPC` sockets + `splice()` to force page cache pages into the RXGK decryption path
4. Triggers in-place AES-CBC decryption without `skb_cow_data()`
5. Corrupts the target file (`/etc/passwd`) byte by byte using a sliding-window technique
6. Blanks the root password, then spawns a root shell
---
## **Disclaimer**
> This exploit is for **educational and authorized security testing** only.
> Unauthorized use on systems you do not own is illegal.
---
## **Credits & Author**
- **Exploit Author**: Ashraf Zaryouh "0xBlackash"
- **Original Discovery**: Security researchers (2026)
- **PoC Version**: v2.1 (May 2026)
---
**⭐ Star this repo if it helped you!**
**Made with ❤️ for the research community**