A critical local privilege escalation (LPE) vulnerability in the Linux kernel, tracked as CVE-2024-40898 and dubbed "DirtyDecrypt," has moved from a theoretical risk to a practical one: a proof-of-concept (PoC) exploit is now publicly available, significantly lowering the barrier for attackers.
The flaw resides in the kernel's AF_RXRPC (Remote Procedure Call over Rx) protocol implementation. Because AF_RXRPC is often enabled by default in standard configurations on major distributions (including Debian and Ubuntu), a substantial portion of the Linux enterprise footprint is at risk. Successful exploitation allows an unprivileged user to gain root (UID 0) access, effectively bypassing the entire security model of the host. Defenders must treat this with the same urgency as a remote code execution (RCE) flaw, as initial access brokers often chain LPE vulnerabilities to deploy ransomware or persistence mechanisms.
Technical Analysis
- CVE Identifier: CVE-2024-40898
- CVSS Score: High (7.8) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Affected Component: Linux kernel AF_RXRPC protocol implementation (specifically the rxgk security context handling).
- Affected Platforms: Linux systems running kernel versions prior to the fixed releases (see Remediation) where CONFIG_AF_RXRPC is enabled. This includes many default builds of Ubuntu, Debian, and other derivatives.
- Attack Mechanism: The vulnerability is a memory corruption flaw caused by improper handling of decryption keys and reference counting within the rxgk module. By manipulating RxRPC sockets and triggering specific key management operations, an attacker can corrupt kernel memory.
- Exploitation Status: A PoC exploit named "DirtyDecrypt" has been released. Widespread in-the-wild exploitation has not yet been observed at scale, but the public availability of working exploit code makes immediate remediation critical.
Detection & Response
Detecting this specific kernel exploit is challenging because it occurs entirely in kernel space. However, defenders can hunt for the exploitation artifacts, the resulting privilege escalation, or the presence of the vulnerable kernel state.
SIGMA Rules
The following rules identify potential execution of the PoC and kernel errors associated with exploit crashes.
```yaml
---
title: Potential DirtyDecrypt Exploit Execution
id: 9d7c3e2a-1f4b-4c9e-8b0a-2d3e4f5a6b7c
status: experimental
description: Detects execution of binaries related to the DirtyDecrypt (CVE-2024-40898) exploit or common PoC naming conventions.
references:
    - https://bleepingcomputer.com/news/security/exploit-available-for-new-dirtydecrypt-linux-root-escalation-flaw/
author: Security Arsenal
date: 2025/02/20
tags:
    - attack.privilege_escalation
    - attack.t1068
logsource:
    category: process_creation
    product: linux
detection:
    selection_image:
        Image|endswith:
            - '/dirtydecrypt'
            - '/cve-2024-40898'
            - '/rxrpc_exploit'
    selection_cmdline:
        CommandLine|contains:
            - 'dirtydecrypt'
            - 'CVE-2024-40898'
    # Either indicator alone is enough; both fields in one selection would require both to match
    condition: selection_image or selection_cmdline
falsepositives:
    - Legitimate security research or authorized red team exercises
level: critical
---
title: Linux Kernel Oops Related to AF_RXRPC
id: 1a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p
status: experimental
description: Detects kernel panic or general protection faults in the AF_RXRPC module, which may indicate a failed or unstable DirtyDecrypt exploit attempt.
references:
    - https://bleepingcomputer.com/news/security/exploit-available-for-new-dirtydecrypt-linux-root-escalation-flaw/
author: Security Arsenal
date: 2025/02/20
tags:
    - attack.privilege_escalation
    - attack.t1068
logsource:
    product: linux
    service: syslog
detection:
    selection_kernel:
        process_name: 'kernel'
    selection_gpf:
        message|contains|all:
            - 'general protection fault'
            - 'rxrpc'
    selection_bug:
        message|contains: 'kernel BUG at net/rxrpc'
    # A bare 'rxrpc' match would fire on every module-load message; the fault text must appear on the same line
    condition: selection_kernel and (selection_gpf or selection_bug)
falsepositives:
    - Legitimate kernel bugs in drivers
    - Hardware failures
level: high
```
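For hosts that do not forward logs to a SIEM, the same two hunting rules can be applied to a local syslog file with POSIX awk. The following script is an added example, not part of the original advisory or its rule set; the sample syslog lines it writes are constructed for the dry run and are not real host output.

```shell
#!/bin/sh
# Added example (not from the original advisory): applies the two Sigma
# rules above to a local syslog file with POSIX awk. Each hit is printed as
# "<CLASS><TAB><original line>"; exit status 0 = hits found, 1 = none.
hunt_dirtydecrypt() {
    awk '
        # Kernel-oops rule: the fault text AND rxrpc must both be on the
        # line; "rxrpc" alone matches harmless module-load messages.
        /kernel:/ && /general protection fault/ && /rxrpc/ {
            print "KERNEL_GPF\t" $0; n++; next
        }
        /kernel:/ && /kernel BUG at net\/rxrpc/ {
            print "KERNEL_BUG\t" $0; n++; next
        }
        # PoC-execution rule: binary name or command line names the exploit
        tolower($0) ~ /dirtydecrypt|cve-2024-40898|rxrpc_exploit/ {
            print "POC_EXEC\t" $0; n++; next
        }
        END { exit ((n > 0) ? 0 : 1) }
    ' "$1"
}

# Constructed sample log for a dry run (made-up lines, not real host output).
# Line 1 must not fire: it mentions rxrpc without any fault text.
write_sample_log() {
    cat > "$1" <<'EOF'
Feb 20 10:01:02 host kernel: [ 1234.567890] rxrpc: module loaded
Feb 20 10:01:03 host sudo: alice : TTY=pts/0 ; PWD=/tmp ; COMMAND=./dirtydecrypt
Feb 20 10:01:04 host kernel: [ 1234.600000] general protection fault, probably for non-canonical address 0xdead000000000000: 0000 [#1] SMP in rxrpc_sendmsg
Feb 20 10:01:05 host kernel: [ 1234.610000] kernel BUG at net/rxrpc/call_object.c:123!
Feb 20 10:01:06 host CRON[4242]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# Number of classified hits in a file (handy for scripting a fleet sweep)
count_hits() {
    hunt_dirtydecrypt "$1" | wc -l | tr -d ' '
}

# Dry run against the constructed sample: expect three classified hits
main() {
    f=$(mktemp)
    write_sample_log "$f"
    hunt_dirtydecrypt "$f"
    echo "hits: $(count_hits "$f")"
    rm -f "$f"
}
main
```

Run it as `hunt_dirtydecrypt /var/log/syslog` (or against `journalctl -k -o short` output saved to a file). The AND between the fault text and `rxrpc` is deliberate: a kernel line that only mentions `rxrpc` is normal operation, and alerting on it would bury the rule in noise.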
KQL (Microsoft Sentinel)
This hunt queries Syslog for evidence of the PoC execution or kernel instability related to the RxRPC module.
```kql
// Hunt for DirtyDecrypt exploit execution or Kernel Panics in AF_RXRPC
Syslog
| where ProcessName == "kernel" or SyslogMessage has "dirtydecrypt"
| extend KernelMessage = iff(ProcessName == "kernel", SyslogMessage, "")
| where SyslogMessage has "dirtydecrypt"
    or (KernelMessage has "general protection fault" and KernelMessage has "rxrpc")
    or KernelMessage has "kernel BUG at net/rxrpc"
| project TimeGenerated, Computer, ProcessName, SyslogMessage, KernelMessage
| sort by TimeGenerated desc
```
Velociraptor VQL
Use this artifact to identify if the vulnerable module is loaded and check for the presence of common exploit file names.
```sql
-- Hunt for DirtyDecrypt Indicators
-- Each SELECT below is a separate query; run them as separate notebook
-- cells or artifact sources.

-- Kernel identity: info() exposes Hostname and KernelVersion as top-level columns
SELECT Hostname, KernelVersion, Platform, PlatformVersion
FROM info()

-- Check if AF_RXRPC module is loaded (Vulnerable Component)
SELECT Name AS ModuleName, Size AS ModuleSize
FROM lsmod()
WHERE Name = 'rxrpc'

-- Check for common exploit file names (top-level directories only; widen the
-- glob to '**/*dirtydecrypt*' for a full-disk sweep, which is slow)
SELECT FullPath, Size, ModTime
FROM glob(globs='/*dirtydecrypt*', root='/')
```
Remediation Script (Bash)
This script performs a triage check to determine if the system is vulnerable and suggests immediate mitigation via module blacklisting if patching is delayed.
```bash
#!/bin/bash
# DirtyDecrypt (CVE-2024-40898) Triage and Mitigation Script
# Run with sudo or as root
set -u

if [ "$(id -u)" -ne 0 ]; then
    echo "[-] Please run as root (lsmod/modprobe need privileges)." >&2
    exit 1
fi

echo "[*] Checking Linux Kernel Version..."
# Strip the distro suffix (e.g. 5.15.0-91-generic -> 5.15.0)
KERNEL_VER=$(uname -r | cut -d- -f1)
echo "    Current Kernel: $KERNEL_VER"

# Compare the running upstream version against the fixed release of the same
# stable series. Returns 0 = at/above the fix, 1 = older, 2 = series not listed.
check_vulnerable() {
    local patched="6.10.4 6.6.30 6.1.91 5.15.152 5.10.216"
    local series fixed="" v
    series=$(echo "$KERNEL_VER" | cut -d. -f1,2)
    for v in $patched; do
        [ "$(echo "$v" | cut -d. -f1,2)" = "$series" ] && fixed=$v
    done
    if [ -z "$fixed" ]; then
        echo "[!] WARNING: No fixed version listed for the $series series; check your distro advisory."
        echo "    Patched versions include: $patched"
        return 2
    fi
    if [ "$KERNEL_VER" != "$fixed" ] && \
       [ "$(printf '%s\n%s\n' "$KERNEL_VER" "$fixed" | sort -V | head -n1)" = "$KERNEL_VER" ]; then
        echo "[!] WARNING: $KERNEL_VER is older than patched version $fixed."
        echo "    Distributions backport fixes without changing the version string, so confirm against your distro advisory."
        return 1
    fi
    echo "[+] $KERNEL_VER is at or above patched version $fixed."
    return 0
}
check_vulnerable

echo "[*] Checking if AF_RXRPC module is loaded..."
if lsmod | grep -q "^rxrpc "; then
    echo "[!] CRITICAL: The rxrpc module is LOADED. System is vulnerable if kernel is unpatched."
    read -p "Do you want to disable rxrpc immediately? (y/n): " -n 1 -r
    echo
    if [[ $REPLY =~ ^[Yy]$ ]]; then
        echo "[*] Unloading rxrpc module..."
        if modprobe -r rxrpc; then
            echo "[+] Module unloaded successfully. To make persistent, add 'install rxrpc /bin/true' to /etc/modprobe.d/disable-rxrpc.conf"
        else
            echo "[-] Failed to unload module. It may be in use."
        fi
    fi
else
    echo "[+] rxrpc module is NOT loaded. You are not immediately vulnerable via this vector."
fi

echo "[*] Remediation Steps:"
echo "    1. Update kernel to latest version immediately."
echo "    2. Reboot the host."
echo "    3. Verify update with 'uname -r'."
```
Remediation
Immediate patching is the only reliable remediation for this vulnerability. Workarounds are available but may impact functionality if AF_RXRPC is required by applications (e.g., specific clustered file systems like AFS or NFS in certain configurations).
1. Apply Security Patches
Update your Linux kernel to one of the following fixed versions or later:
- 6.10.4
- 6.6.30
- 6.1.91
- 5.15.152
- 5.10.216
Refer to your distribution's security advisory for the specific package update:
- Ubuntu / Debian:
```bash
sudo apt update && sudo apt install linux-image-generic
```
- RHEL / CentOS / Rocky:
```bash
sudo yum update kernel
```
2. Reboot
A kernel update requires a system reboot to load the patched code.
3. Mitigation (If Patching is Delayed)
If you cannot patch immediately, blacklist the rxrpc kernel module to remove the attack surface.
Create or edit the file /etc/modprobe.d/disable-rxrpc.conf:
```
install rxrpc /bin/true
```
Then run:
```bash
sudo modprobe -r rxrpc
```
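The modprobe.d directive above only helps when rxrpc is a loadable module. If the kernel was built with AF_RXRPC compiled in (CONFIG_AF_RXRPC=y), there is nothing to unload or block, and patching is the only option. The script below, an added example rather than part of the original advisory, reports which of those situations a host is in by reading /proc/modules, the modules.builtin list for the running kernel, and /etc/modprobe.d; the three path arguments exist so the logic can be exercised against constructed copies of those files.

```shell
#!/bin/sh
# Added example (not from the original advisory): report what state rxrpc is
# in on this host so the right remediation step is chosen. The arguments
# default to the live system files; tests point them at constructed copies.
#   builtin   - compiled into the kernel (CONFIG_AF_RXRPC=y): modprobe.d
#               cannot disable it, only a patched kernel helps
#   loaded    - loadable module currently in the kernel: modprobe -r, then block
#   blocked   - an 'install rxrpc ...' directive in modprobe.d prevents loading
#   available - module on disk, not loaded, not blocked: add the directive
rxrpc_state() {
    modules_file=${1:-/proc/modules}
    builtin_file=${2:-/lib/modules/$(uname -r)/modules.builtin}
    modprobe_dir=${3:-/etc/modprobe.d}

    if grep -qs '/rxrpc\.ko' "$builtin_file"; then
        echo builtin; return 0
    fi
    if grep -qs '^rxrpc ' "$modules_file"; then
        echo loaded; return 0
    fi
    # Any *.conf in modprobe.d carrying "install rxrpc <cmd>" counts as blocked
    if grep -Eqs '^[[:space:]]*install[[:space:]]+rxrpc([[:space:]]|$)' "$modprobe_dir"/*.conf; then
        echo blocked; return 0
    fi
    echo available
}

# Map the state to the advisory's remediation step
rxrpc_advice() {
    case "$1" in
        builtin)   echo "rxrpc is built in: blacklisting has no effect, patch and reboot" ;;
        loaded)    echo "run 'modprobe -r rxrpc', then add 'install rxrpc /bin/true' to /etc/modprobe.d/disable-rxrpc.conf" ;;
        blocked)   echo "module load is blocked; the directive is a stopgap, still patch" ;;
        available) echo "not loaded; add 'install rxrpc /bin/true' to /etc/modprobe.d/disable-rxrpc.conf to keep it that way" ;;
        *)         echo "unknown state: $1"; return 1 ;;
    esac
}

state=$(rxrpc_state "$@")
echo "rxrpc state: $state"
rxrpc_advice "$state"
```

Run it without arguments on the host being triaged. A `blocked` result still means the running kernel is unpatched, and a `loaded` result after the directive was written means the module was already resident when the file was created, so `modprobe -r rxrpc` (or a reboot) is still needed.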
**References:**
* [BleepingComputer Report](https://www.bleepingcomputer.com/news/security/exploit-available-for-new-dirtydecrypt-linux-root-escalation-flaw/)
* [NVD - CVE-2024-40898](https://nvd.nist.gov/vuln/detail/CVE-2024-40898)