
CVE-2026-31635 DirtyDecrypt: public PoC for Linux kernel LPE
Public PoC released for CVE-2026-31635 (DirtyDecrypt), a Linux kernel local privilege escalation flaw discovered by Zellic and V12.
What happened
CVE-2026-31635, dubbed DirtyDecrypt (also known as DirtyCBC), is a vulnerability in the Linux kernel that enables LPE (Local Privilege Escalation — moving from an unprivileged user account to root on the same machine). Researchers from Zellic and V12 reported it on May 9, 2026, only to be told by kernel maintainers that it was a *duplicate* of a previously known bug.
A fully functional PoC (proof-of-concept — working exploit code that demonstrates the bug is real and exploitable) is now publicly available. The DirtyDecrypt name is a deliberate nod to DirtyPipe (CVE-2022-0847) and DirtyCow (CVE-2016-5195), two high-profile Linux LPEs that saw widespread exploitation.
Why it matters
An LPE with a public PoC in the Linux kernel is exactly the kind of bug attackers pick up fast. It's not a remote exploit — but that's a thin comfort. If an attacker already has a foothold on your system (via phishing, leaked credentials, or a compromised web app), DirtyDecrypt hands them full root.
The "duplicate" classification adds a layer of uncertainty. The original fix might be incomplete, improperly backported, or simply not yet shipped to downstream distributions. Debian, Ubuntu, RHEL, Fedora, and Alpine all have different backport timelines — don't assume "the kernel is patched" without checking the exact version.
Highest-risk environments:
- VPS and cloud servers with multi-user SSH access
- CI/CD pipelines where arbitrary code runs on the host
- Shared hosting with user-level isolation
- Containers without full kernel namespacing that share the host kernel
What to do
- Check your exact kernel version with `uname -r` and cross-reference it against your distribution's official advisory before assuming you're safe.
- Apply the kernel patch as soon as it lands in your distro. On Debian/Ubuntu: `apt-get update && apt-get upgrade linux-image-*`. On RHEL/CentOS: `yum update kernel`.
- Prioritize machines where untrusted users can execute code: CI/CD runners, shared dev environments, multi-tenant VPS.
- Check system logs for anomalous privilege escalation attempts — `/var/log/auth.log` and `dmesg` are your first stop on Linux.
- If you run a SIEM (centralized log and alert platform), add a rule to detect suspicious SUID binary execution or unexpected UID changes.
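Two of the steps above (check the exact kernel version; alert on unexpected UID changes) can be scripted. The block below is an added example written for this article, not code from BBLabs, Zellic or V12, and it carries no real advisory data: the audit records, session ids, user ids and version strings are constructed placeholders, and the allowlist of escalation binaries is an assumption you would tune to your own distribution. The detection goes slightly beyond the list item: instead of flagging every uid 0 event it keeps per-session state, so a root shell reached through `sudo`/`su`/`pkexec` in the same audit session is treated as expected, while a session that becomes uid 0 without ever passing through one of those binaries is reported. The version helper only compares the upstream base version and ignores the distro suffix, which is exactly why the article tells you to confirm against the distribution advisory rather than trust the number alone.

```python
"""Added example for the 'What to do' list above (not from the article).

All log lines, uids, session ids and version numbers are constructed
placeholders; nothing here is real advisory data for CVE-2026-31635.
"""
import re
import subprocess
from typing import Dict, List, Tuple

# Binaries that legitimately move a login session to uid 0.
# ASSUMPTION: example allowlist only; tune it to your distribution.
LEGIT_ESCALATION_EXE = {"/usr/bin/sudo", "/usr/bin/su", "/usr/bin/pkexec"}
AUID_UNSET = 4294967295  # auditd's "no login uid" marker (daemons, boot)

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line: str) -> Dict[str, str]:
    """Split one auditd record into key/value pairs, stripping quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def find_unexpected_uid0(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (ses, exe) for SYSCALL records running as uid 0 under a
    non-root login uid whose audit session never executed an allowlisted
    escalation binary. A kernel LPE produces exactly that shape: a root
    process with no sudo/su/pkexec anywhere earlier in the session."""
    blessed_sessions = set()
    hits: List[Tuple[str, str]] = []
    for line in lines:
        rec = parse_audit_record(line)
        if rec.get("type") != "SYSCALL":
            continue  # PROCTITLE, CWD, PATH records carry no credentials
        auid = int(rec.get("auid", AUID_UNSET))
        if auid in (0, AUID_UNSET):
            continue  # direct root logins and daemons are out of scope
        ses, exe = rec.get("ses", "?"), rec.get("exe", "?")
        if exe in LEGIT_ESCALATION_EXE:
            blessed_sessions.add(ses)  # expected path to root for this ses
            continue
        became_root = int(rec.get("uid", -1)) == 0 or int(rec.get("euid", -1)) == 0
        if became_root and ses not in blessed_sessions:
            hits.append((ses, exe))
    return hits


def kernel_version_tuple(release: str) -> Tuple[int, ...]:
    """'6.8.0-45-generic' -> (6, 8, 0). The distro suffix is dropped, so
    this cannot see backported fixes; use it as a floor, not as proof."""
    base = release.split("-", 1)[0]
    return tuple(int(p) for p in base.split("."))


def kernel_at_least(running: str, fixed_base: str) -> bool:
    """True if the running base version is >= the base version you take
    from the distro advisory (placeholder here: the page gives none)."""
    return kernel_version_tuple(running) >= kernel_version_tuple(fixed_base)


# Constructed sample records (ausearch-style SYSCALL lines, trimmed):
SAMPLE_AUDIT = [
    # session 7: alice runs sudo, then a root shell -> expected
    'type=SYSCALL msg=audit(1700000000.001:101): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2002 auid=1000 uid=1000 gid=1000 euid=0 ses=7 comm="sudo" exe="/usr/bin/sudo" key="exec"',
    'type=SYSCALL msg=audit(1700000000.002:102): arch=c000003e syscall=59 success=yes exit=0 ppid=2002 pid=2003 auid=1000 uid=0 gid=0 euid=0 ses=7 comm="bash" exe="/usr/bin/bash" key="exec"',
    # session 9: bob's shell becomes uid 0 with no sudo/su before it -> hit
    'type=SYSCALL msg=audit(1700000000.003:103): arch=c000003e syscall=59 success=yes exit=0 ppid=3001 pid=3002 auid=1001 uid=1001 gid=1001 euid=1001 ses=9 comm="a.out" exe="/tmp/a.out" key="exec"',
    'type=SYSCALL msg=audit(1700000000.004:104): arch=c000003e syscall=59 success=yes exit=0 ppid=3002 pid=3003 auid=1001 uid=0 gid=0 euid=0 ses=9 comm="sh" exe="/usr/bin/dash" key="exec"',
    # daemon without a login uid -> ignored
    'type=SYSCALL msg=audit(1700000000.005:105): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=800 auid=4294967295 uid=0 gid=0 euid=0 ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="exec"',
    'type=PROCTITLE msg=audit(1700000000.004:104): proctitle="sh"',
]

if __name__ == "__main__":
    for ses, exe in find_unexpected_uid0(SAMPLE_AUDIT):
        print(f"ALERT: audit session {ses} reached uid 0 via {exe} without sudo/su/pkexec")
    running = subprocess.run(["uname", "-r"], capture_output=True, text=True).stdout.strip()
    fixed_base = "0.0.0"  # PLACEHOLDER: take the real value from your distro advisory
    print(f"running {running}, base >= {fixed_base}: {kernel_at_least(running, fixed_base)}")
```

In production you would feed `find_unexpected_uid0` from `ausearch -k exec --raw` (with an `-a always,exit -F arch=b64 -S execve -k exec` rule loaded) rather than from the constructed list, and ship the hits to the SIEM rule the last step describes; the same per-session logic fits naturally as a correlation rule there.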
My take: the "Dirty" branding is intentional and effective — it draws attention. But what actually matters is speed. With a working PoC in the wild, the window between disclosure and active exploitation is measured in hours.
Help more people discover BBLabs News.