Will Dormann1d ago

There's apparently another Linux LPE.
DirtyDecrypt, also known as DirtyCBC, is a variant of CopyFail / DirtyFrag / Fragnesia.
I suspect it may be CVE-2026-31635.
Patches (change < to >) were committed on April 8, 2026 and also on April 18, 2026 as beee051f259acd286fed64c32c2b31e6f5097eb5 and e2f1a80d8b1ed6a5ae585a399c2b46500bdcc305

I have not been able to get it to actually work on any Linux distro that I've tried.
(Edit: Fedora and mainline Linux repro fine)

Show threadWill Dormann

Apparently exploitation requires CONFIG_RXGK, which most distros don't ship

Except for Fedora.
Or another distro that is running the mainline Linux kernel.

May 17 at 4:29pmWeb
Show threadWill Dormann1d ago

Also, the Dirty Frag mitigation protects against this variant as well:

sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"
Show threadViraptor1d ago
@wdormann
Alternatively, load the modules you need and may potentially need in the future (plugged in filesystems?) and prevent loading anything else "sysctl -w kernel.modules_disabled=1" - it will cover a few new exploits as well.
Show thread2rad01d ago

@wdormann

CONFIG_RXGK seems to have been added some time between 6.12, and 6.18. At this point, I'm going to disable splice(2) and see how bad the fallout is when it returns -ENOSYS