BBLabs NewsBBLabs News
NewsAll articlesTopics
ES
BBLabs NewsBBLabs News

BBLabs News

Una historia al día. Cero ruido.

Newsletter técnica de ciberseguridad. Una historia al día sobre CVEs críticos, brechas, bug bounty e IA. Filtrado por IA, escrito para humanos.

Producto

  • Hemeroteca
  • Ediciones
  • Temas
  • Glosario
  • RSS
  • Atom
  • JSON Feed

Editorial

  • Acerca de
  • Suscribirse
  • Cuenta
  • English

Legal

  • Privacidad
  • Términos
  • Contacto: team@bblabs.es

Conectar

  • YouTube · @0xGorka
  • Instagram · @bblabs.es
  • Discord BBLabs
  • Discord Bug Bounty ES
31 artículos·10 ediciones·Desde 2026·Hecho en España
© 2026 BBLabs News·Por Gorka El Bochi
BBLabs NewsBBLabs News
NewsAll articlesTopics
ES
CVE-2026-31635 DirtyDecrypt: public PoC for Linux kernel LPE
Back to homeCVE

CVE-2026-31635 DirtyDecrypt: public PoC for Linux kernel LPE

Public PoC released for CVE-2026-31635 (DirtyDecrypt), a Linux kernel local privilege escalation flaw discovered by Zellic and V12.

  1. Home
  2. ›
  3. CVE
  4. ›
  5. CVE-2026-31635 DirtyDecrypt: public PoC for Linux kernel LPE
by Gorka El Bochi Morillo
·
2 min read
·May 26, 2026

What happened

CVE-2026-31635, dubbed DirtyDecrypt (also known as DirtyCBC), is a vulnerability in the Linux kernel that enables LPE (Local Privilege Escalation — moving from an unprivileged user account to root on the same machine). Researchers from Zellic and V12 reported it on May 9, 2026, only to be told by kernel maintainers that it was a *duplicate* of a previously known bug.

A fully functional PoC (proof-of-concept — working exploit code that demonstrates the bug is real and exploitable) is now publicly available. The DirtyDecrypt name is a deliberate nod to DirtyPipe (CVE-2022-0847) and DirtyCow (CVE-2016-5195), two high-profile Linux LPEs that saw widespread exploitation.

Why it matters

An LPE with a public PoC in the Linux kernel is exactly the kind of bug attackers pick up fast. It's not a remote exploit — but that's a thin comfort. If an attacker already has a foothold on your system (via phishing, leaked credentials, or a compromised web app), DirtyDecrypt hands them full root.

The "duplicate" classification adds a layer of uncertainty. The original fix might be incomplete, improperly backported, or simply not yet shipped to downstream distributions. Debian, Ubuntu, RHEL, Fedora, and Alpine all have different backport timelines — don't assume "the kernel is patched" without checking the exact version.

Highest-risk environments: - VPS and cloud servers with multi-user SSH access - CI/CD pipelines where arbitrary code runs on the host - Shared hosting with user-level isolation - Containers without full kernel namespacing that share the host kernel

What to do

  • Check your exact kernel version with `uname -r` and cross-reference it against your distribution's official advisory before assuming you're safe.
  • Apply the kernel patch as soon as it lands in your distro. On Debian/Ubuntu: `apt-get update && apt-get upgrade linux-image-*`. On RHEL/CentOS: `yum update kernel`.
  • Prioritize machines where untrusted users can execute code: CI/CD runners, shared dev environments, multi-tenant VPS.
  • Check system logs for anomalous privilege escalation attempts — `/var/log/auth.log` and `dmesg` are your first stop on Linux.
  • If you run a SIEM (centralized log and alert platform), add a rule to detect suspicious SUID binary execution or unexpected UID changes.

My take: the "Dirty" branding is intentional and effective — it draws attention. But what actually matters is speed. With a working PoC in the wild, the window between disclosure and active exploitation is measured in hours.

What to do

  • Run `uname -r` and verify your kernel version against the official distro advisory before assuming you're patched.
  • Prioritize kernel updates on CI/CD runners, shared VPS, and any host where untrusted users execute code.
  • Add SIEM rules to flag unexpected UID changes or SUID binary executions linked to CVE-2026-31635.

Share this story

Help more people discover BBLabs News.

CVE-2026-31635 DirtyDecrypt: public PoC for Linux kernel LPE
VerticalDownload image
LinkedInXWhatsApp

Interested in CVE?

Subscribe to this stream and get the most relevant news every day — no spam, no noise.

Subscribe

Related articles

Destacado
CVE1 jun 2026·2 min

Microsoft removes GitHub account over public zero-day drops

Microsoft removes GitHub account of researcher who publicly dropped zero-days without coordinated disclosure, then publicly endorses CVD.

  • Document timestamps and vendor responses before publishing any zero-day.
  • Use neutral platforms for disclosure if the vendor ignores your 90-day window.
  • Review GitHub's Acceptable Use Policy before publishing Microsoft vuln research.
Gorka El Bochi Morillo
Leer artículo
CVE31 may 2026·2 min

Emergency SharePoint patch: update now

Microsoft issued an out-of-band SharePoint patch, signaling active exploitation or critical severity outside the normal Patch Tuesday cycle.

Leer artículo
CVE26 may 2026·2 min

SharePoint RCE CVE-2026-45659 patched — CVSS 8.8

Microsoft patches CVE-2026-45659 in SharePoint Server — RCE via untrusted data deserialization, CVSS 8.8, no special attack conditions required.

Leer artículo

Want to get news like this every day?

Browse all articles
BBLabs NewsBBLabs News

BBLabs News

Una historia al día. Cero ruido.

Newsletter técnica de ciberseguridad. Una historia al día sobre CVEs críticos, brechas, bug bounty e IA. Filtrado por IA, escrito para humanos.

Producto

  • Hemeroteca
  • Ediciones
  • Temas
  • Glosario
  • RSS
  • Atom
  • JSON Feed

Editorial

  • Acerca de
  • Suscribirse
  • Cuenta
  • English

Legal

  • Privacidad
  • Términos
  • Contacto: team@bblabs.es

Conectar

  • YouTube · @0xGorka
  • Instagram · @bblabs.es
  • Discord BBLabs
  • Discord Bug Bounty ES
31 artículos·10 ediciones·Desde 2026·Hecho en España
© 2026 BBLabs News·Por Gorka El Bochi