Introduction
On May 9, 2026, security researchers from Zellic and V12 disclosed a critical Local Privilege Escalation (LPE) vulnerability in the Linux kernel, now publicly tracked as CVE-2026-31635. The vulnerability, dubbed DirtyDecrypt (also known as DirtyCBC), allows unprivileged local users to gain root-level access on affected systems. The maintainers initially classified this report as a duplicate of an existing flaw, but that detail is now largely irrelevant to defenders: proof-of-concept (PoC) exploit code has been released, and functional exploitation is confirmed possible.
This is not a theoretical risk. With PoC code publicly available, threat actors can weaponize this vulnerability within hours. For organizations running vulnerable Linux kernel versions, this represents an immediate pathway from an initial foothold (such as a web shell or compromised user account) to full system compromise. Given the prevalence of Linux in enterprise environments, cloud infrastructure, and critical systems, prioritized remediation is mandatory.
Technical Analysis
Affected Products and Versions
- Platform: Linux Kernel
- Vulnerable Component: Kernel cryptographic subsystem (CBC mode implementation)
- CVE Identifier: CVE-2026-31635
- CVSS Score: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability Mechanics
DirtyDecrypt exploits a race condition in the Linux kernel's handling of Cipher Block Chaining (CBC) mode decryption operations. From a defender's perspective, the attack chain operates as follows:
- Initial Access Required: The attacker must already have local access (non-privileged user) or code execution capability on the target system. This vulnerability does not enable remote compromise directly.
- Race Condition Trigger: The PoC code manipulates the kernel's CBC decryption process, creating a timing window where memory bounds checking can be bypassed during cryptographic operations.
- Memory Corruption: By carefully crafting input during the race window, the attacker can corrupt kernel memory structures, potentially overwriting function pointers or security credentials.
- Privilege Escalation: The corrupted memory is leveraged to execute code in kernel context, typically by hijacking control flow and spawning a root shell or modifying process credentials.
Exploitation Status
- PoC Availability: PUBLIC — Functional exploit code has been released
- Active Exploitation: NOT YET CONFIRMED IN THE WILD (but expected imminently given PoC availability)
- CISA KEV: Not yet added, but likely given severity and PoC status
Detection & Response
The following detection mechanisms are designed to identify exploitation attempts and successful privilege escalation associated with CVE-2026-31635. Note that detecting the exploit itself is challenging due to its kernel-space nature, so we focus on detecting the aftermath and associated suspicious behaviors.
SIGMA Rules
---
title: Potential Linux Kernel LPE via DirtyDecrypt - Sudden Root Shell from Unprivileged User
id: d1e4a5f2-8c3b-4d2e-9a1b-5c6d7e8f90a1
status: experimental
description: Detects bash, sh or zsh processes created with root (uid 0) whose parent is not a known privilege boundary (sshd, sudo, su, systemd), which may indicate a successful kernel LPE from a non-privileged user.
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-31635
author: Security Arsenal
date: 2026/05/12
tags:
    - attack.privilege_escalation
    - attack.t1068
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            - '/bin/bash'
            - '/bin/sh'
            - '/bin/zsh'
        NewProcessUid: 0   # field name depends on your log source mapping; many Linux process_creation sources expose this as 'User: root' instead
    filter_legitimate:
        ParentImage|endswith:
            - '/usr/sbin/sshd'
            - '/usr/bin/sudo'
            - '/usr/bin/su'
            - '/usr/lib/systemd/systemd'
    condition: selection and not filter_legitimate
falsepositives:
    - Legitimate use of sudo/su from administrators
    - Scheduled cron jobs running as root
level: high
---
title: DirtyDecrypt - Suspicious Execution from Temporary Directories
id: e2f5b6a3-9d4c-5e3f-0b2c-6d7e8f9a0b1c
status: experimental
description: Detects execution of binaries or scripts from common temporary directories (/tmp, /var/tmp, /dev/shm), which are frequently used for staging LPE exploit payloads.
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-31635
author: Security Arsenal
date: 2026/05/12
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|startswith:
            - '/tmp/'
            - '/var/tmp/'
            - '/dev/shm/'
    filter_known_good:
        Image|contains:
            - 'vendor'
            - 'package'
    condition: selection and not filter_known_good
falsepositives:
    - Software installations from temp directories
    - Developer build processes
level: medium
---
title: DirtyDecrypt - Linux Kernel Version Check for Vulnerable Builds
id: f3a6c7b4-0e5d-6f4a-1c3d-7e8f9a0b1c2d
status: experimental
description: Identifies systems running Linux kernel series that predate the patches for CVE-2026-31635. Use together with asset inventory data and the vendor's fixed build numbers.
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-31635
author: Security Arsenal
date: 2026/05/12
tags:
    - attack.privilege_escalation
    - attack.t1068
logsource:
    category: system
    product: linux
detection:
    selection:
        kernel_version|startswith:
            - '5.15'
            - '6.1'
            - '6.5'
    filter_patched:
        kernel_version|contains:
            - 'PATCHED-BUILD-PLACEHOLDER'   # replace with the vendor's fixed build string (e.g. the distro ABI number after the '-'); a bare '.1' would also match '5.15' and '6.1' themselves and suppress every result
    condition: selection and not filter_patched
falsepositives:
    - Systems with backported security patches not reflected in version number
level: informational
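The two process-creation rules above, written out as standalone detection logic and run over constructed auditd-style execve records. This is an added example, not part of the original advisory or the rules' own tooling; the log lines are made up for the demonstration, and the process table is seeded with pid 1 as systemd because pid 1 never re-executes and so never appears in an execve record. Unlike the Sigma rule, which receives ParentImage from the log source, this version resolves the parent image itself from earlier records, so a parent that never exec'd (or exec'd before collection started) is reported as unknown and treated as suspicious rather than silently filtered.

```python
import re
from dataclasses import dataclass

# Constructed auditd-style execve records (key=value, one event per line); not real captures.
# pid 1300 is a binary staged in /tmp that then launches a uid 0 shell (pid 1305).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1778572800.101:401): syscall=59 success=yes ppid=1 pid=900 auid=4294967295 uid=0 euid=0 comm="sshd" exe="/usr/sbin/sshd" key="exec"
type=SYSCALL msg=audit(1778572800.205:402): syscall=59 success=yes ppid=900 pid=1201 auid=1000 uid=1000 euid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
type=SYSCALL msg=audit(1778572800.300:403): syscall=59 success=yes ppid=1201 pid=1250 auid=1000 uid=0 euid=0 comm="sudo" exe="/usr/bin/sudo" key="exec"
type=SYSCALL msg=audit(1778572800.310:404): syscall=59 success=yes ppid=1250 pid=1251 auid=1000 uid=0 euid=0 comm="bash" exe="/usr/bin/bash" key="exec"
type=SYSCALL msg=audit(1778572800.500:405): syscall=59 success=yes ppid=1201 pid=1300 auid=1000 uid=1000 euid=1000 comm="stage" exe="/tmp/stage" key="exec"
type=SYSCALL msg=audit(1778572800.640:406): syscall=59 success=yes ppid=1300 pid=1305 auid=1000 uid=0 euid=0 comm="bash" exe="/usr/bin/bash" key="exec"
type=SYSCALL msg=audit(1778572800.700:407): syscall=59 success=yes ppid=1 pid=1400 auid=4294967295 uid=0 euid=0 comm="sh" exe="/usr/bin/sh" key="exec"
type=SYSCALL msg=audit(1778572800.800:408): syscall=59 success=yes ppid=1201 pid=1500 auid=1000 uid=1000 euid=1000 comm="install" exe="/tmp/vendor-pkg/install" key="exec"
"""

SHELLS = ("/bin/bash", "/bin/sh", "/bin/zsh")
LEGIT_PARENTS = ("/usr/sbin/sshd", "/usr/bin/sudo", "/usr/bin/su", "/usr/lib/systemd/systemd")
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
KNOWN_GOOD_TEMP = ("vendor", "package")
EXECVE = ("59", "execve")  # raw x86_64 syscall number, or the name when auditd output is interpreted

# key=value pairs; quoted values may contain spaces and escaped quotes.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class Alert:
    rule: str
    pid: int
    exe: str
    parent_exe: str
    uid: int
    auid: int  # login uid: non-zero auid with uid 0 is the "unprivileged user became root" signal


def parse_record(line):
    """Turn one auditd-style line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def run_detections(log_text, seed_procs=None):
    """Apply the root-shell and temp-directory rules to a stream of execve records."""
    # pid -> exe for every process seen so far; pid 1 is seeded (assumption: systemd init).
    procs = dict(seed_procs or {1: "/usr/lib/systemd/systemd"})
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("syscall") not in EXECVE or rec.get("success") != "yes":
            continue
        pid, ppid = int(rec["pid"]), int(rec["ppid"])
        uid, auid = int(rec["uid"]), int(rec["auid"])
        exe = rec["exe"]
        # Resolve the parent before recording this process; an unknown parent is not exempted.
        parent_exe = procs.get(ppid, "<unknown>")
        procs[pid] = exe

        # Rule 1: uid 0 shell whose parent is not sshd/sudo/su/systemd.
        if uid == 0 and exe.endswith(SHELLS) and not parent_exe.endswith(LEGIT_PARENTS):
            alerts.append(Alert("root_shell_unexpected_parent", pid, exe, parent_exe, uid, auid))
        # Rule 2: execution from a staging directory, minus the vendor/package allow-list.
        if exe.startswith(TEMP_DIRS) and not any(tag in exe for tag in KNOWN_GOOD_TEMP):
            alerts.append(Alert("exec_from_temp_dir", pid, exe, parent_exe, uid, auid))
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

On the sample above, the sudo-spawned root shell (pid 1251) and the systemd-spawned shell (pid 1400) are filtered, while the staged binary (pid 1300) and the root shell it launches (pid 1305, auid 1000) are reported.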
KQL (Microsoft Sentinel / Defender)
// Hunt for suspicious privilege escalation patterns potentially indicating CVE-2026-31635 exploitation
// Adjust table and column names to your Syslog/CEF ingestion schema. The Sentinel Syslog table carries
// no user column, so the acting user is extracted from auditd-style "uid=0(root)" text in the message.
Syslog
| where ProcessName in ("bash", "sh", "zsh", "dash")
| where SyslogMessage has "uid=0(" or SyslogMessage contains "root"
| extend ProcessUser = extract(@"uid=\d+\(([^)]+)\)", 1, SyslogMessage)
| where not(SyslogMessage has "sshd" or SyslogMessage has "sudo" or SyslogMessage has "systemd")
| extend HuntingContext = "Potential kernel LPE via DirtyDecrypt - Non-privileged user spawning root shell"
| project TimeGenerated, Computer, ProcessName, ProcessUser, SyslogMessage, HuntingContext
| order by TimeGenerated desc
// Alternative hunt for suspicious execution from temp directories
Syslog
| where SyslogMessage has "execve"
| where SyslogMessage has @"/tmp/" or SyslogMessage has @"/var/tmp/" or SyslogMessage has @"/dev/shm/"
| where not(SyslogMessage has "vendor" or SyslogMessage has "package")
| extend HuntingContext = "Potential exploit staging - Execution from temporary directory"
| project TimeGenerated, Computer, SyslogMessage, HuntingContext
| order by TimeGenerated desc
Velociraptor VQL
-- Hunt for evidence of DirtyDecrypt exploitation or suspicious privilege escalation
-- Root shells whose parent is not a known privilege boundary (sshd, sudo, su, systemd, cron).
-- VQL has no SQL-style subquery inside IN, so the parent set is materialised first with LET.
LET boundary_parents <= SELECT Pid FROM pslist()
  WHERE Name IN ('sshd', 'sudo', 'su', 'systemd', 'cron')

SELECT Pid, Ppid, Name, Username, Exe, CommandLine, CreateTime
FROM pslist()
WHERE Username = 'root'
  AND Name IN ('bash', 'sh', 'zsh', 'dash')
  AND NOT (Ppid IN boundary_parents.Pid)

-- Scan for executable, non-hidden, small files in temporary directories that may be exploit artifacts
SELECT OSPath, Size, Mtime, Atime, Mode
FROM glob(globs=['/tmp/*', '/var/tmp/*', '/dev/shm/*'])
WHERE NOT IsDir
  AND Mode =~ 'x'
  AND Size < 1048576
  AND NOT Name =~ '^\.'
LIMIT 100

-- Check for vulnerable kernel series; replace the placeholder with the vendor's fixed build string.
-- A bare '\.1' pattern would also match '5.15' and '6.1' themselves and exclude every host.
SELECT OS, Platform, PlatformVersion, KernelVersion, Architecture
FROM info()
WHERE KernelVersion =~ '^(5\.15|6\.1|6\.5)'
  AND NOT KernelVersion =~ 'PATCHED-BUILD-PLACEHOLDER'
Remediation Script (Bash)
#!/bin/bash
# CVE-2026-31635 (DirtyDecrypt) - Linux Kernel LPE Remediation Script
# This script checks for vulnerable kernel versions and provides remediation guidance

echo "=== CVE-2026-31635 (DirtyDecrypt) Remediation Check ==="
echo "Run date: $(date)"
echo ""

# Check current kernel version
CURRENT_KERNEL=$(uname -r)
echo "Current kernel version: $CURRENT_KERNEL"

# Determine distribution
echo ""
echo "Detecting Linux distribution..."
if [ -f /etc/os-release ]; then
    . /etc/os-release
    DISTRO=$ID
    echo "Distribution: $PRETTY_NAME"
else
    echo "WARNING: Cannot determine distribution. Manual verification required."
    exit 1
fi

# Check for known vulnerable kernel patterns (adjust based on vendor advisories)
echo ""
echo "Checking for vulnerable kernel versions..."
VULNERABLE=false

# Red Hat / CentOS / RHEL patterns
if [[ "$DISTRO" =~ ^(rhel|centos|rocky|almalinux) ]]; then
    if [[ "$CURRENT_KERNEL" =~ ^3\.10\.0- ]] || [[ "$CURRENT_KERNEL" =~ ^4\.18\.0- ]] || [[ "$CURRENT_KERNEL" =~ ^5\.14\.0- ]]; then
        VULNERABLE=true
        echo "WARNING: Potentially vulnerable RHEL-based kernel detected."
        echo "Refer to RHSA-2026:XXXXX for patch details."
    fi
# Debian / Ubuntu patterns
elif [[ "$DISTRO" =~ ^(debian|ubuntu) ]]; then
    if [[ "$CURRENT_KERNEL" =~ ^5\.15\.0- ]] || [[ "$CURRENT_KERNEL" =~ ^6\.1\.0- ]] || [[ "$CURRENT_KERNEL" =~ ^6\.5\.0- ]]; then
        VULNERABLE=true
        echo "WARNING: Potentially vulnerable Debian/Ubuntu kernel detected."
        echo "Refer to DSA-XXXX-X or USN-XXXX-X for patch details."
    fi
# Generic check for other distributions
else
    if [[ "$CURRENT_KERNEL" =~ ^(5\.15|6\.1|6\.5) ]]; then
        VULNERABLE=true
        echo "WARNING: Potentially vulnerable kernel version detected."
        echo "Verify against your distribution's security advisories."
    fi
fi

if [ "$VULNERABLE" = false ]; then
    echo "No known vulnerable pattern detected, but verify with vendor advisories."
fi

echo ""
echo "=== Remediation Steps ==="
echo "1. Update to the latest patched kernel for your distribution"
echo "   - RHEL/CentOS: yum update kernel"
echo "   - Debian/Ubuntu: apt-get update && apt-get install linux-image-generic"
echo "   - SUSE: zypper update kernel-default"
echo ""
echo "2. Reboot the system to load the new kernel: reboot"
echo ""
echo "3. Verify the update post-reboot by running this script again"
echo ""
echo "4. If immediate reboot is not possible, restrict local user access"
echo "   as a temporary mitigation while scheduling maintenance."
echo ""
echo "For official advisories:"
echo "- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31635"
echo "- Your distribution's security announcement page"
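The kernel version check in the Sigma rule, the VQL query and the script above all key on the upstream series (5.15, 6.1, 6.5), but distributions ship the fix as a new build number behind the same series, so deciding "patched or not" means comparing the build part of uname -r numerically against the vendor's first fixed build, not grepping for a substring. This added example (not the advisory's code) shows that comparison; the FIXED_BUILDS table holds placeholder numbers that must be replaced with the values from the vendor notice for CVE-2026-31635, and it also shows why a substring filter like '.1' misclassifies hosts.

```python
import re
from typing import NamedTuple, Optional


class KernelRelease(NamedTuple):
    base: tuple   # upstream (major, minor, patch), e.g. (5, 15, 0)
    build: tuple  # distro build/ABI numbers after the first '-', e.g. (113,) or (427, 13, 1)
    rest: str     # whatever follows: '-generic', '.el9_4.x86_64', ...


# major.minor[.patch][-build[.build...]]rest  (build numbers are digits only, so '.el9_4' lands in rest)
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\d+(?:\.\d+)*))?(.*)$")


def parse_release(uname_r: str) -> KernelRelease:
    """Split a `uname -r` string into comparable numeric parts."""
    m = RELEASE_RE.match(uname_r.strip())
    if not m:
        raise ValueError(f"unparseable kernel release: {uname_r!r}")
    major, minor, patch, build, rest = m.groups()
    base = (int(major), int(minor), int(patch or 0))
    build_t = tuple(int(x) for x in build.split(".")) if build else ()
    return KernelRelease(base, build_t, rest)


# Placeholder table of the first FIXED distro build per (distro id, upstream base).
# These numbers are constructed for the example and are NOT from any advisory;
# fill them from the vendor notice for CVE-2026-31635. Cloud/HWE flavours use their
# own ABI numbering and need their own entries keyed on KernelRelease.rest as well.
FIXED_BUILDS = {
    ("ubuntu", (5, 15, 0)): (120,),
    ("debian", (6, 1, 0)): (22,),
    ("rhel", (5, 14, 0)): (427, 16, 1),
}


def is_vulnerable(uname_r: str, distro: str, fixed_builds=FIXED_BUILDS) -> Optional[bool]:
    """True if the build predates the fix, False if at/after it, None if the series is not tracked.

    None is deliberately distinct from False: an untracked series is unknown, not safe.
    """
    rel = parse_release(uname_r)
    fixed = fixed_builds.get((distro, rel.base))
    if fixed is None:
        return None
    return rel.build < fixed  # tuple comparison handles multi-part builds like 427.13.1 < 427.16.1


def naive_substring_filter(uname_r: str) -> bool:
    """The '.1' filter as written in the rule: True means the host is dropped as 'patched'."""
    return ".1" in uname_r


if __name__ == "__main__":
    # Constructed sample hosts (distro id as in /etc/os-release ID, then uname -r).
    for distro, rel in [("ubuntu", "5.15.0-113-generic"), ("ubuntu", "5.15.0-120-generic"),
                        ("debian", "6.1.0-21-amd64"), ("rhel", "5.14.0-427.13.1.el9_4.x86_64"),
                        ("ubuntu", "6.5.0-41-generic")]:
        print(f"{distro:7} {rel:32} vulnerable={is_vulnerable(rel, distro)} "
              f"naive_filter_drops={naive_substring_filter(rel)}")
```

Note that `naive_substring_filter("5.15.0-113-generic")` is True: a host on an unpatched build is dropped by the substring filter simply because "5.15" contains ".1", which is why the rule's placeholder must be a real build string rather than a fragment.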
Remediation
Immediate Actions Required
- Patch Management Priority: Update all Linux systems to kernel versions that include patches for CVE-2026-31635. Refer to your distribution's specific security advisory for exact version numbers:
  - Red Hat Enterprise Linux: Apply RHSA-2026:XXXXX
  - Ubuntu: Apply USN-XXXX-X for affected Ubuntu releases
  - Debian: Apply DSA-XXXX-X
  - SUSE Linux Enterprise: Apply patches released in May 2026 kernel updates
  - Other Distributions: Consult vendor security advisories released after May 9, 2026
- System Reboot Mandatory: Kernel patches require a system reboot to take effect. Schedule reboots during approved maintenance windows.
- Temporary Mitigation (if patching is delayed):
  - Restrict local user access to critical systems
  - Implement strict sudo policies and audit all privilege escalation use
  - Monitor for suspicious process execution using the provided detection rules
  - Consider implementing SELinux/AppArmor in enforcing mode to limit kernel exploit impact
Vendor Advisory Resources
- Linux Kernel Mailing List: https://lore.kernel.org/linux-kernel/
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2026-31635
- Distribution Security Pages:
  - Red Hat: https://access.redhat.com/security/
  - Ubuntu: https://ubuntu.com/security/notices
  - Debian: https://www.debian.org/security/
CISA Deadlines
At the time of writing, CVE-2026-31635 has not yet been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. However, given the public PoC availability and high CVSS score, federal agencies should treat this with urgency consistent with KEV requirements (typically 15-21 days for remediation).
Verification Post-Patch
After applying kernel updates:
- Verify the new kernel version: uname -r
- Confirm the patch includes CVE-2026-31635 fixes via the vendor changelog
- Run the remediation script provided above to confirm vulnerable patterns are no longer present
- Re-enable any temporarily disabled local user access once the system is verified as patched
For organizations requiring assistance with vulnerability scanning, patch validation, or detection implementation, Security Arsenal's vulnerability management services can provide comprehensive support. Our team can help verify your exposure to DirtyDecrypt and deploy enterprise-wide monitoring for exploitation attempts.