A proof-of-concept exploit for CVE-2026-31635, a local privilege escalation vulnerability in the Linux kernel, is now circulating publicly. Security researchers from Zellic and V12 disclosed the flaw, termed DirtyDecrypt or DirtyCBC, on May 9, 2026.

The vulnerability enables attackers with local system access to escalate privileges and execute arbitrary code with kernel-level permissions. The Linux kernel maintainers confirmed the issue but determined it was a duplicate of a previously known vulnerability, delaying initial remediation efforts.

The release of working exploit code significantly accelerates the threat timeline. System administrators who have not yet applied kernel patches face elevated risk. Attackers exploiting DirtyDecrypt require local access first, meaning the threat primarily affects multi-user systems, shared hosting environments, and servers accessible to untrusted users.

Organisations should treat this as a critical patching priority. The vulnerability affects multiple Linux kernel versions, and affected systems must be updated immediately. Administrators should verify their current kernel version and apply the latest patches from their distribution maintainers.

Threat actors typically weaponise local privilege escalation vulnerabilities within days of PoC release. Container deployments with insufficient isolation, development systems, and testing environments all become attractive targets. Once privilege escalation succeeds, attackers gain the ability to install persistent backdoors, steal sensitive data, or pivot to other systems on the network.

The duplicate status of CVE-2026-31635 raises questions about vulnerability tracking processes. Security teams should review their patching timelines for any previously flagged but unresolved issues related to this flaw.

Immediate actions include deploying kernel patches across all Linux systems, prioritising those running multi-user workloads or exposed services. Organisations without kernel update capability should implement additional access controls and monitor system logs for exploitation attempts. The