DirtyDecrypt Linux Root Exploit Vulnerability
2026-05-20 07:36 | CRITICAL | MEDIUM
Executive Summary (AI-generated)
The recent discovery of DirtyDecrypt, a local privilege escalation vulnerability in the kernel, has sent shockwaves through the cybersecurity community. This exploit, which was first reported on April 29 by researchers at Theori, is particularly concerning as it can be used to gain access to sensitive data and systems within containerized environments. With multiple vulnerabilities already identified, including Copy Fail, DirtyDecrypt poses a significant threat to Linux-based infrastructure. As more details emerge about this attack, the potential consequences for organizations relying on these systems become increasingly clear.
Technical Mitigations (AI-generated)
* Implement COW (Copy-On-Write) guards: Ensure that shared memory pages are protected by a copy-on-write mechanism, preventing writes to shared pages from bleeding into other processes' data.
* Fix the socket-buffer decryption path: the sources on this page attribute DirtyDecrypt to a missing copy-on-write guard in the kernel's `rxgk_decrypt_skb()`. Deploy the upstream kernel fix that restores that guard; an unpatched `rxgk_decrypt_skb()` is the vulnerable code, not a protection against it.
* Regularly update and patch operating systems: Keep all operating systems, including Linux distributions, up-to-date with the latest security patches and updates to ensure that known vulnerabilities are addressed before they can be exploited by attackers.
* Implement secure coding practices in development environments: Ensure that developers follow best practices for secure coding, such as using secure socket buffer decryption mechanisms, validating input data, and implementing access controls to prevent unauthorized access to sensitive resources.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-31431
CVE-2026-43500
CVE-2026-46333
CVE-2026-43284
CVE-2026-31635
CVE-2026-41651
CVE-2026-46300
Target & Sectors
Global Scope
Incident Timeline
April 25
Tharros patched CVE-2026-31635 on April 25.
"While there is no official CVE ID associated with this security flaw, according to Will Dormann (principal vulnerability analyst at Tharros), the information from the security researchers aligns with the details of CVE-2026-31635, which was patched on April 25."
April 29
Threat actors exploited a local privilege escalation vulnerability in the AF_ALG cryptographic socket interface to target researchers at Theori.
Copy Fail (CVE-2026-31431) came first, disclosed on April 29 by researchers at Theori, a local privilege escalation in the AF_ALG cryptographic socket interface.
April 29, 2026
Threat actors exploited a local privilege escalation flaw in the AF_ALG cryptographic socket interface to gain unauthorized access.
Copy Fail, a local privilege escalation flaw in the AF_ALG cryptographic socket interface, was disclosed by researchers at Theori on April 29, 2026.
May 1
Threat actors used a previously undisclosed Linux flaw to target the Cybersecurity and Infrastructure Security Agency (CISA) on May 1.
The Cybersecurity and Infrastructure Security Agency (CISA) added Copy Fail to its list of flaws exploited in attacks on May 1 and ordered federal agencies to secure their Linux devices within two weeks, by May 15.
May 5
The researcher who published details of the CVE-2026-43284 flaw was forced to disclose it publicly due to a premature merge into the public tree on May 5.
The disclosure of Dirty Frag had an unusually messy path: researcher Hyunwoo Kim was bound by an agreed embargo, but a patch for CVE-2026-43284 was merged into the public tree on May 5, and another researcher, unaware of the embargo, analyzed the commit and published details independently, collapsing the timeline.

However, security researcher Hyunwoo Kim was forced to go ahead with public disclosure after the agreed-upon embargo window ended prematurely when a merged patch for CVE-2026-43284 on May 5 led another researcher, who was unaware of the embargo, to analyze and independently publish details of the defect.
May 9, 2026
The vulnerability, dubbed DirtyDecrypt or DirtyCBC, was discovered and reported by the Zellic and V12 security team on May 9, 2026.
The flaw was discovered and reported on May 9, 2026 by the Zellic and V12 security team, whom kernel maintainers then told that it was a duplicate of something already fixed upstream.

Dubbed DirtyDecrypt (aka DirtyCBC), the vulnerability was discovered and reported by the Zellic and V12 security team on May 9, 2026; the team was then informed by the maintainers that it was a duplicate of a vulnerability that had already been patched in the mainline.
There is one scenario worth flagging separately though: in containerized environments, a vulnerable worker node could provide a path to escape the pod, turning a local privilege escalation into something considerably more impactful in a Kubernetes context.

Pack2TheRoot (CVE-2026-41651, CVSS 8.8) is a local privilege escalation in the PackageKit daemon, used for package management across several distributions.
In this code path the kernel handles memory pages that are partly shared with the page cache of other processes — a normal Linux optimisation protected by copy-on-write: as soon as a write to a shared page happens, a private copy is made beforehand so that the write doesn’t bleed into another process’s data.

DirtyDecrypt does not hit every Linux system. The vulnerability only impacts distributions that compile the kernel with CONFIG_RXGK enabled, which includes Fedora, Arch Linux, and openSUSE Tumbleweed.

DirtyDecrypt is arriving in an already crowded few weeks for Linux security. Patches and advisories for CVE-2026-46333 are already available from the major distributions: AlmaLinux, Amazon Linux, CloudLinux, Fedora, Gentoo, Red Hat, SUSE, and Ubuntu.

The message for anyone managing exposed Linux systems is straightforward: check whether CONFIG_RXGK is enabled in your kernel configuration, apply available updates, and do not wait too long; working PoC code is already public, and the gap between publication and active exploitation tends to close faster than patch deployment cycles allow.
Pierluigi Paganini (SecurityAffairs – hacking, Linux)
No CVE was assigned directly to their report, but the National Vulnerability Database includes a link to the DirtyDecrypt PoC in the record for CVE-2026-31635 (CVSS 7.5), making the connection clear enough.

A week later came Dirty Frag (CVE-2026-43284 and CVE-2026-43500), which extends Copy Fail with two separate page cache write primitives.

Fragnesia (CVE-2026-46300) rounds out the family, bringing the same attack class to the XFRM ESP-in-TCP subsystem.

And then there is ssh-keysign-pwn (CVE-2026-46333, CVSS 5.5), an improper privilege management flaw in the kernel that lets an unprivileged local user read root-owned secrets including SSH private keys.

“DirtyDecrypt, also known as DirtyCBC, is a variant of CopyFail / DirtyFrag / Fragnesia,” reads the analysis published by Moselwal.
May 15
Threat actors used a previously disclosed Linux flaw to target the Cybersecurity and Infrastructure Security Agency (CISA).
2026/05/20
Linux kernel vulnerability allows local attackers to gain root access.
Proof-of-concept (PoC) exploit code has now been released for a recently patched security flaw in the Linux kernel that could allow for local privilege escalation (LPE).
A recently patched local privilege escalation vulnerability in the Linux kernel's rxgk module now has a proof-of-concept exploit that allows attackers to gain root access on some Linux systems.
In April, Linux distros rolled out patches for another root-privilege escalation vulnerability (dubbed Pack2TheRoot) in the PackageKit daemon that had gone unnoticed for almost 12 years.
The development dovetails with the discovery of an LPE flaw in the Linux PackageKit daemon (CVE-2026-41651 aka Pack2TheRoot, CVSS score: 8.8) and an improper privilege management flaw in the kernel (CVE-2026-46333 aka ssh-keysign-pwn, CVSS score: 5.5), which allows an unprivileged local user to read root-owned secrets like SSH private keys.

DirtyDecrypt: PoC Released for yet another Linux flaw.
DirtyDecrypt (CVE-2026-31635): working PoC out for a Linux kernel LPE flaw.
DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability.

DirtyDecrypt impacts only distributions with CONFIG_RXGK enabled, such as Fedora, Arch Linux, and openSUSE Tumbleweed. In containerized environments, worker nodes running a vulnerable version of Linux could provide a pathway to escape the pod.

Various Linux distributions have released advisories for CVE-2026-46333 -
Kernel Killswitch?
The flurry of new disclosures within a span of a few weeks has prompted Linux kernel developers to review a proposal for an emergency "killswitch" that would allow administrators to disable vulnerable kernel functions at runtime until a patch for a zero-day vulnerability becomes available.

"Killswitch lets a privileged operator make a chosen kernel function return a fixed value without executing its body, as a temporary mitigation for a security bug while a real fix is being prepared," according to a proposal submitted by Linux kernel developer and maintainer Sasha Levin.

Rocky Linux Debuts Security Repository
Rocky Linux, for its part, has introduced an optional security repository that allows the distribution to ship urgent security fixes quickly, particularly in scenarios where severe vulnerabilities become public knowledge before coordinated upstream fixes arrive.
"The default Rocky Linux experience stays exactly what it has always been: predictable, stable, and fully upstream-compatible.
Rocky Linux has emphasized that it's not a replacement for the regular release process.
Exploit available for new DirtyDecrypt Linux root escalation flaw.
Successful exploitation requires running a Linux kernel with the CONFIG_RXGK configuration option, which enables RxGK security support for the Andrew File System (AFS) client and network transport.
This limits the attack surface to Linux distributions that closely follow the latest upstream kernel releases, including Fedora, Arch Linux, and openSUSE Tumbleweed.
However, V12's proof-of-concept exploit has only been tested against Fedora and the mainline Linux kernel.
Linux users on distros potentially affected by DirtyDecrypt are advised to install the latest kernel updates as soon as possible.
The vulnerability, per Zellic, is assessed to be a variant of Copy Fail (CVE-2026-31431), Dirty Frag aka Copy Fail 2 (CVE-2026-43284 and CVE-2026-43500), and Fragnesia (CVE-2026-46300), all of which grant root access on vulnerable systems.
However, those who can't immediately patch their devices should use the same mitigation used for Dirty Frag (note that this will also break IPsec VPNs and AFS distributed network file systems):
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"
These disclosures follow recent reports that attackers are now
actively exploiting the Copy Fail vulnerability
in the wild.
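A defender-side version of the advice above (check whether CONFIG_RXGK is enabled, then confirm that the esp4/esp6/rxrpc block is in place and that those modules are not still resident), added here as an example; it is not code from the page or from the cited articles. The system paths in the comments are assumptions, and the files that demo() creates are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the page's sources: the two checks the articles
# above recommend, written as functions over files in the standard kernel formats.
# Assumed real-system paths (substitute as needed):
#   kernel config:  /boot/config-$(uname -r)   (or: zcat /proc/config.gz > file)
#   loaded modules: /proc/modules
#   mitigation:     /etc/modprobe.d/dirtyfrag.conf (written by the command above)

# rxgk_config_state CONFIG_FILE -> prints "enabled" | "disabled" | "unknown"
rxgk_config_state() {
    if grep -Eq '^CONFIG_RXGK=(y|m)$' "$1" 2>/dev/null; then
        echo enabled
    elif grep -q '^# CONFIG_RXGK is not set' "$1" 2>/dev/null; then
        echo disabled
    else
        echo unknown    # option absent (older kernel) or file unreadable
    fi
}

# unblocked_modules MODPROBE_CONF -> those of esp4/esp6/rxrpc that the given
# modprobe.d file does NOT pin to /bin/false, space-separated.
unblocked_modules() {
    out=""
    for m in esp4 esp6 rxrpc; do
        if ! grep -Eq "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/false[[:space:]]*$" "$1" 2>/dev/null; then
            out="$out $m"
        fi
    done
    echo "${out# }"
}

# loaded_modules PROC_MODULES -> which of esp4/esp6/rxrpc are currently loaded.
# /proc/modules has one module per line with the name in the first column.
loaded_modules() {
    out=""
    for m in esp4 esp6 rxrpc; do
        if grep -Eq "^$m[[:space:]]" "$1" 2>/dev/null; then
            out="$out $m"
        fi
    done
    echo "${out# }"
}

# assess CONFIG_FILE MODPROBE_CONF PROC_MODULES -> one-line verdict.
# "mitigated" requires both conditions: modules blocked from loading AND not
# resident, because a modprobe.d rule does nothing to an already-loaded module.
assess() {
    state=$(rxgk_config_state "$1")
    if [ "$state" = "disabled" ]; then
        echo "not exposed: CONFIG_RXGK is not set in $1"
        return 0
    fi
    loaded=$(loaded_modules "$3")
    unblocked=$(unblocked_modules "$2")
    if [ -z "$loaded" ] && [ -z "$unblocked" ]; then
        echo "mitigated: CONFIG_RXGK $state; esp4/esp6/rxrpc blocked and not loaded"
    else
        echo "exposed: CONFIG_RXGK $state; loaded=[$loaded] unblocked=[$unblocked]"
    fi
    return 0
}

# demo: constructed sample files (not real system data) showing both verdicts.
demo() {
    d=$(mktemp -d)
    printf 'CONFIG_AF_RXRPC=m\nCONFIG_RXGK=y\n' > "$d/config"
    printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > "$d/dirtyfrag.conf"
    printf 'rxrpc 442368 1 afs, Live 0x0000000000000000\n' > "$d/modules"
    assess "$d/config" "$d/dirtyfrag.conf" "$d/modules"    # exposed: rxrpc still loaded
    : > "$d/modules"                                        # state after a successful rmmod
    assess "$d/config" "$d/dirtyfrag.conf" "$d/modules"    # mitigated
    rm -rf "$d"
}

demo
# Live check on a real host (assumed paths):
# assess "/boot/config-$(uname -r)" /etc/modprobe.d/dirtyfrag.conf /proc/modules
```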
Although the CVE identifier was not disclosed, the vulnerability in question is CVE-2026-31635 (CVSS score: 7.5) based on the fact that the NIST National Vulnerability Database (NVD) includes a link to the DirtyDecrypt PoC in its CVE record.

Missing COW guard in rxgk_decrypt_skb lets local attackers reach root.

"It's a rxgk pagecache write due to missing COW [copy-on-write] guard in rxgk_decrypt_skb," Zellic co-founder Luna Tong (aka cts and gf_256) said in a description shared on GitHub.

Named DirtyDecrypt and also known as DirtyCBC, this security flaw was also autonomously found and reported by the V12 security team earlier this month, when the maintainers informed them that it was a duplicate that had already been patched in the mainline.

Once engaged, the change is in effect on every CPU until ``disengage`` is written or the system reboots.
Tactical Metrics
Affected Product: Linux
Intelligence Sources
BleepingComputer, 2026-05-18: Exploit available for new DirtyDecrypt Linux root escalation flaw
The Hacker News, 2026-05-19
Security Affairs, 2026-05-20: DirtyDecrypt: PoC Released for yet another Linux flaw
Incident Version History
Current version, last updated 2026-06-26T10:30