
Public PoC released for CVE-2026-31635 (DirtyDecrypt), a Linux kernel local privilege escalation flaw discovered by Zellic and V12.
CVE-2026-31635, dubbed DirtyDecrypt (also known as DirtyCBC), is a vulnerability in the Linux kernel that enables LPE (Local Privilege Escalation — moving from an unprivileged user account to root on the same machine). Researchers from Zellic and V12 reported it on May 9, 2026, only to be told by kernel maintainers that it was a *duplicate* of a previously known bug.
A fully functional PoC (proof-of-concept — working exploit code that demonstrates the bug is real and exploitable) is now publicly available. The DirtyDecrypt name is a deliberate nod to DirtyPipe (CVE-2022-0847) and DirtyCow (CVE-2016-5195), two high-profile Linux LPEs that saw widespread exploitation.
An LPE with a public PoC in the Linux kernel is exactly the kind of bug attackers pick up fast. It's not a remote exploit — but that's a thin comfort. If an attacker already has a foothold on your system (via phishing, leaked credentials, or a compromised web app), DirtyDecrypt hands them full root.
The "duplicate" classification adds a layer of uncertainty. The original fix might be incomplete, improperly backported, or simply not yet shipped to downstream distributions. Debian, Ubuntu, RHEL, Fedora, and Alpine all have different backport timelines — don't assume "the kernel is patched" without checking the exact version.
Highest-risk environments: - VPS and cloud servers with multi-user SSH access - CI/CD pipelines where arbitrary code runs on the host - Shared hosting with user-level isolation - Containers without full kernel namespacing that share the host kernel
My take: the "Dirty" branding is intentional and effective — it draws attention. But what actually matters is speed. With a working PoC in the wild, the window between disclosure and active exploitation is measured in hours.
Help more people discover BBLabs News.
Want to get news like this every day?
Browse all articles