DirtyDecrypt (CVE-2026-31635): working PoC out for a Linux kernel LPE flaw. Missing COW guard in rxgk_decrypt_skb lets local attackers reach root.
After Copy Fail, Dirty Frag, and Fragnesia, here comes DirtyDecrypt, another local privilege escalation vulnerability in the kernel, this time with a working proof-of-concept already out in the open.
The flaw was discovered and reported on May 9, 2026 by the Zellic and V12 security team, who kernel maintainers then told that it was a duplicate of something already fixed upstream. No CVE was assigned directly to their report, but the National Vulnerability Database includes a link to the DirtyDecrypt PoC in the record for CVE-2026-31635 (CVSS 7.5), making the connection clear enough. The exploit code is publicly available on GitHub.
“DirtyDecrypt, also known as DirtyCBC, is a variant of CopyFail / DirtyFrag / Fragnesia. We found and reported this on May 9, 2026, but was informed it was a duplicate by the maintainers. We’re releasing it now since it’s patched on mainline.” reads the PoC description. “It’s a rxgk pagecache write due to missing COW guard in rxgk_decrypt_skb. See poc.c for more details.”
The vulnerability resides in the function rxgk_decrypt_skb() that is responsible for decrypting incoming socket buffers in the rxgk subsystem. The core issue is a missing copy-on-write (COW) guard, the mechanism the kernel uses to prevent writes to shared memory pages from bleeding into other processes’ data.
“The specific fault sits in rxgk_decrypt_skb(), the function that decrypts an incoming sk_buff (socket buffer) on the receive side. In this code path the kernel handles memory pages that are partly shared with the page cache of other processes — a normal Linux optimisation protected by copy-on-write: as soon as a write to a shared page happens, a private copy is made beforehand so that the write doesn’t bleed into another process’s data. In rxgk_decrypt_skb() that guard is missing.” reads the analysis published by Moselwal. “A decryption write goes directly to a shared page-cache page, and the write lands in memory that belongs to another, privileged process, or, depending on the exploit path, in the page cache of a privileged file (e.g. /etc/shadow, /etc/sudoers or a SUID binary).”
Without that guard in place, an attacker can write data into the memory of privileged processes or directly into the page cache of sensitive files, think /etc/shadow, /etc/sudoers, or a SUID binary, ultimately achieving root privileges.
DirtyDecrypt does not hit every Linux system. The vulnerability only impacts distributions that compile the kernel with CONFIG_RXGK enabled, which includes Fedora, Arch Linux, and openSUSE Tumbleweed. Standard Ubuntu or Debian installs are not affected. There is one scenario worth flagging separately though: in containerized environments, a vulnerable worker node could provide a path to escape the pod, turning a local privilege escalation into something considerably more impactful in a Kubernetes context.
DirtyDecrypt does not stand alone. Zellic considers it a variant of a cluster of related vulnerabilities that have surfaced over the past few weeks, all sharing the same underlying class of page cache write primitive.
Copy Fail (CVE-2026-31431) came first, disclosed on April 29 by researchers at Theori, a local privilege escalation in the AF_ALG cryptographic socket interface. A week later came Dirty Frag (CVE-2026-43284 and CVE-2026-43500), which extends Copy Fail with two separate page cache write primitives. The disclosure of Dirty Frag had an unusually messy path: researcher Hyunwoo Kim was bound by an agreed embargo, but a patch for CVE-2026-43284 was merged into the public tree on May 5, and another researcher, unaware of the embargo, analyzed the commit and published details independently, collapsing the timeline. Fragnesia (CVE-2026-46300) rounds out the family, bringing the same attack class to the XFRM ESP-in-TCP subsystem.
DirtyDecrypt is arriving in an already crowded few weeks for Linux security. Two other notable flaws deserve attention.
Pack2TheRoot (CVE-2026-41651, CVSS 8.8) is a local privilege escalation in the PackageKit daemon, used for package management across several distributions. And then there is ssh-keysign-pwn (CVE-2026-46333, CVSS 5.5), an improper privilege management flaw in the kernel that lets an unprivileged local user read root-owned secrets including SSH private keys. Not remotely exploitable on its own, but in multi-user environments or partially compromised systems it is exactly the kind of primitive that completes an attack chain.
The message for anyone managing exposed Linux systems is straightforward: check whether CONFIG_RXGK is enabled in your kernel configuration, apply available updates, and do not wait too long, working PoC code is already public, and the gap between publication and active exploitation tends to close faster than patch deployment cycles allow.
The first computer my family owned was an 80286 IBM clone, and it had lots of ports, none of which looked the same. There was a big 5-pin DIN for the keyboard, a serial port, a parallel port, a game port for our joystick, and of course, the VGA port for the monitor.
In comparison, a modern computer has much less diversity in the port department. Not only are there fewer types of ports, but the total number may be quite low as well. When we move to modern laptops, it can be much more minimalist. Some laptops have just a single port on the entire machine! Is this a bad thing? As with anything, the extremes are rarely ideal, but I’d say overall, this has been a pretty positive development for PCs.
The port explosion era was never sustainable
It was more like a port infection
You see, the reason we had so many ports for so long is that people kept inventing new interfaces to make up for the shortcomings of existing ones. However, instead of the newer, better interfaces making the old ones obsolete, they just became additive as perfectly summarized in this classic XKCD comic.
Credit: Randall Munroe (CC-BY-NC)
In laptops, the need for so many ports reached ridiculous heights. In this video posted by X user PC Philanthropy, you can see his Sager/Clevo D9T absolutely packed with all the trimmings leading to a rather massive laptop.
It is undeniably a cool machine, but obviously goes against the principle of portable computing. Also, every port you install means power and space that could have been taken up by something else. That’s true for laptops and desktops.
Quiz
8 Questions · Test Your Knowledge
PC ports and motherboard I/O Trivia challenge
Think you know your USB from your PCIe? Put your connector knowledge to the test.
PortsStandardsHardwareConnectorsMotherboards
Which USB connector type is fully reversible, meaning it can be plugged in either way?
Correct! USB Type-C features a symmetrical oval design that lets you insert it in either orientation. Introduced in 2014, it has become the dominant connector for modern devices and supports everything from data transfer to video output and fast charging.
Not quite — the answer is USB Type-C. The older USB Type-A connector (the flat rectangular one) famously required you to flip it at least twice before getting it right. USB Type-C’s reversible design was one of its biggest selling points when it launched in 2014.
What does the ‘x16’ in a PCIe x16 slot refer to?
Exactly right! PCIe x16 means the slot has 16 data lanes, allowing significantly more bandwidth than smaller x1 or x4 slots. This is why discrete graphics cards almost always use x16 slots — they need that extra throughput to feed pixel data to your display.
Not quite — the ‘x16’ refers to the number of data lanes. More lanes mean more simultaneous data paths between the CPU and the card. Graphics cards use x16 slots because their massive data demands require all 16 of those lanes working together.
Which port on a motherboard is most commonly used to connect a display directly to the CPU’s integrated graphics?
That’s correct! The HDMI and DisplayPort connectors found on a motherboard’s rear I/O panel are wired directly to the CPU’s integrated graphics unit. If you have a discrete GPU installed, you should use that card’s outputs instead for best performance.
The right answer is the HDMI or DisplayPort connectors on the rear I/O panel. These ports bypass the discrete GPU entirely and tap into the CPU’s built-in graphics. It’s a common troubleshooting trap — plugging a monitor into the motherboard instead of the GPU and wondering why nothing works.
What is the primary function of the 24-pin ATX connector on a motherboard?
Spot on! The 24-pin ATX connector is the main power connector that delivers multiple voltage rails — including 3.3V, 5V, and 12V — from the power supply to the motherboard. Without it seated properly, your PC simply won’t power on at all.
The correct answer is delivering power from the PSU to the motherboard. The 24-pin ATX connector is the big wide plug you’ll find on every modern motherboard. It supplies several different voltage levels that the board distributes to components. PCIe cards get their supplemental power from separate 6- or 8-pin connectors directly from the PSU.
Which of the following rear I/O ports transmits both audio and video in a single cable and is most commonly found on modern motherboards?
Correct! HDMI carries both high-definition audio and video over a single cable, making it one of the most convenient display connectors available. It became standard on motherboards as integrated graphics improved, and modern versions support 4K and even 8K resolutions.
The answer is HDMI. VGA is analog-only and carries no audio, DVI-D is digital video only without audio, and S-Video is an older analog format. HDMI bundles both audio and video digitally, which is why it became the go-to connector for TVs, monitors, and motherboard rear panels alike.
What maximum theoretical data transfer speed does USB 3.2 Gen 2×2 support?
Impressive! USB 3.2 Gen 2×2 achieves 20 Gbps by using two 10 Gbps lanes simultaneously — that’s what the ‘2×2’ means. It requires a USB Type-C connector and is most commonly found on high-end motherboards, making it ideal for fast external SSDs.
The correct answer is 20 Gbps. The ‘2×2’ in the name is the key clue — it bonds two 10 Gbps channels together. USB naming got notoriously confusing around this era, with the same physical port potentially supporting very different speeds depending on the generation label printed in the spec sheet.
What is the role of the M.2 slot found on most modern motherboards?
Well done! M.2 is a compact form-factor slot that most commonly hosts NVMe SSDs, which connect via PCIe lanes for blazing-fast storage speeds. Some M.2 slots also support SATA-based SSDs and Wi-Fi/Bluetooth combo cards, making the slot surprisingly versatile.
The correct answer is housing compact storage drives or wireless cards. M.2 replaced the older mSATA standard and supports both PCIe NVMe drives and SATA drives depending on the slot’s keying. NVMe M.2 drives can achieve sequential read speeds many times faster than traditional SATA SSDs.
Which audio connector color on a standard PC rear I/O panel is designated for the main stereo line output to speakers or headphones?
That’s right! The green 3.5mm jack is the standard line-out port used for speakers and headphones in the PC audio color-coding scheme. Blue is line-in for recording, and pink is the microphone input — a color system that’s been consistent across PC motherboards for decades.
The correct answer is green. PC audio jacks follow a long-standing color convention: green for headphones and speakers, blue for line-in (recording from external sources), and pink for the microphone. It’s one of those legacy standards that has quietly persisted even as USB and digital audio have become more common.
Challenge Complete
Your Score
/ 8
Thanks for playing!
USB-C (almost) solved the problem
So close, but not quite there yet
Released to the public in the mid ’90s, USB came to the rescue. The “U” is for “Universal” and for the most part USB has lived up to that promise. Now there was one port that handled data and power. More importantly, USB is fully backwards compatible. So if you plug a USB 1.1 device into a modern USB port, it should work. Whether you can get software drivers for it is another story, but it will talk to the host device.
USB-C has proven to be less universal than I’d like, and the situation is still far better than it used to be. A single USB-C port on one of my laptops can act as a video output for just about anything, even an old VGA monitor.
Credit: Sydney Louw Butler/How-To Geek
My smaller laptops don’t need special chargers anymore, and the latest laptops can pull 240W over USB-C, which is enough for all but the beefiest desktop replacement machines. There is no type of peripheral I can think of that doesn’t give you the option to use it over USB.
But the complaints aren’t so much that we only get USB these days, it’s more that we get so little of it.
Minimal I/O enables better hardware design
Harder, better, faster, stronger
When you only put a handful of USB-C ports on a mobile computer, you reap numerous benefits. The low profile of USB-C means the laptop can be thinner, and the frame can be a stronger and more rigid unibody design. Internally, you have room for more battery, larger performance components, or better cooling.
Credit: Patrick Campanale / How-To Geek
It also means the internals can be simpler, and cheaper to design and fabricate, though whether those savings are passed on to customers is another story altogether.
Wireless and cloud-first workflows reduce physical dependency
I guess they are “air” ports
Perhaps the first sign of major change was when smartphones dropped headphone jacks, but the fact is that wireless technologies are now good enough for most peripheral and data connections. So, there’s no need to connect them directly to a port on a computer. Which, in turn, means that there’s no reason to have as many ports on the computer in the first place.
I can’t remember the last time I used a wired mouse or keyboard, and I only use Ethernet for devices that need extremely high speeds, low latency, or improved reliability. For normal day-to-day use, modern Wi-Fi is just fine. So while your laptop might not have as many wired ports on the outside, those wireless chips on the inside still give it numerous connectivity options for audio, input, and data transfer.
You could even make the same argument about storage to some extent, with many thin and light systems leaning on cloud storage to make up for a lack of ports to connect external storage.
Operating System
macOS
CPU
A18 Pro
The MacBook Neo with the A18 Pro chip is Apple’s most affordable laptop yet, with all-day battery life and buttery-smooth performance in a thin and light profile.
The dongle backlash misses the bigger picture
The last bit of the port protest centers around dongles, but I never understood the complaints. Having one port that can be broken out into whatever ports you need using a little box is amazing. It makes ports optional and gives you the choice. If you never plug your laptop into anything, why deal with all the ports you’ll never use?
Likewise, if you only ever use ports with your laptop when you dock it at a desk, then you can just leave your dongle ready to go on your desk, but throwing a small dongle in your laptop sleeve or bag in case you might need it is a small price to pay for all the benefits of minimal IO.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
May 20, 2026
