GitHub: 0xFuffM3/CVE-2026-31635-DirtyDecrypt

# CVE-2026-31635 · DirtyDecrypt

[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE) [![Kernel](https://img.shields.io/badge/kernel-6.10--6.13-critical)](https://www.kernel.org) [![Type](https://img.shields.io/badge/type-LPE-blue.svg)](https://en.wikipedia.org/wiki/Privilege_escalation) ![Status](https://img.shields.io/badge/status-patched-brightgreen.svg)

## Contents

- [Overview](#overview)
- [Quick Start](#quick-start)
- [Verify Your System](#verify-your-system)
- [Exploit Summary](#exploit-summary)
- [Affected Systems](#affected-systems)
- [How to Use This Repository](#how-to-use-this-repository)
- [Mitigation](#mitigation)
- [FAQ](#faq)
- [Repository Layout](#repository-layout)
- [References](#references)

## Overview

This repository contains the research materials and proof-of-concept for **CVE-2026-31635**, a local privilege escalation in the Linux kernel's `net/rxrpc/rxgk.c`. The vulnerability occurs when RxRPC decrypts packets in place using AES-CBC without first ensuring that the packet data is private. If the packet is built from page cache pages, the kernel may decrypt directly into shared file-backed memory.

| Property | Detail |
|---|---|
| **CVE** | CVE-2026-31635 |
| **Component** | `net/rxrpc/rxgk.c` — `rxgk_decrypt_skb()` |
| **Root cause** | Missing `skb_cow_data()` check before decryption |
| **Impact** | Local privilege escalation to root |
| **Affected kernels** | 6.10 – 6.13 |
| **Fixed in** | 6.13.2 · 6.12.10 · 6.6.75 |

## Quick Start

Choose the path that matches your goal:

1. **Verify vulnerability**
   - Check kernel version and `CONFIG_RXGK`
   - Use `./dirtydecrypt --check`
2. **Build the exploit**
   - `cd exploit`
   - `make`
3. **Read the technical research**
   - Start with `docs/vulnerability-analysis.md`
   - Review `docs/patch-analysis.md` and `docs/exploit-development.md`

## Verify Your System

Run the following checks to determine whether your environment is in scope:

```sh
uname -r
zgrep CONFIG_RXGK /proc/config.gz 2>/dev/null || grep CONFIG_RXGK /boot/config-$(uname -r)
```

If the kernel is in the `6.10–6.13` range and `CONFIG_RXGK` is enabled, the system may be vulnerable. Then use the exploit PoC's verification mode:

```sh
cd exploit
./dirtydecrypt --check
```

## Exploit Summary

The exploit uses a malformed RxRPC packet to force the kernel into decrypting into a shared page cache page.

Steps:

1. Select a readable target page from a setuid binary or another sensitive file.
2. Create an RxRPC decryption context with a controlled AES key.
3. Build a dual-fragment SKB where the first fragment maps to the target page and the second fragment contains ciphertext.
4. Call `rxgk_decrypt_skb()` in the kernel.
5. The kernel writes plaintext into the target page cache entry instead of a private buffer.
6. Execute the patched binary to gain root.

The exploit is demonstrated in `exploit/dirtydecrypt.c`.
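To make the Verify Your System checks repeatable across many hosts, here is an added POSIX sh script (not part of this repository) that encodes the README's version table and the `CONFIG_RXGK` test. The range logic and fix releases are taken from the table above and are assumptions of this script; a distribution kernel carrying a backported fix under an older version string will still be reported as in range, so treat the result as a prompt to check the vendor advisory.

```shell
#!/bin/sh
# Added check script, not part of the DirtyDecrypt repository. Encodes the
# README's table: 6.10 through 6.13 in range, series fixes 6.13.2 and 6.12.10.
# Backported fixes keep old version strings, so "1" is a prompt to verify.

# kernel_in_range "<uname -r output>": prints 1 if the release is inside the
# README's vulnerable range and below the listed fix for its series, else 0.
kernel_in_range() {
    ver=${1%%-*}                                  # "6.12.3-arch1-1" -> "6.12.3"
    major=$(printf '%s\n' "$ver" | cut -d. -f1)
    minor=$(printf '%s\n' "$ver" | cut -d. -f2)
    patch=$(printf '%s\n' "$ver" | cut -d. -f3)
    case $minor in ''|*[!0-9]*) echo 0; return ;; esac
    case $patch in ''|*[!0-9]*) patch=0 ;; esac  # "6.11" has no patch level
    [ "$major" = 6 ] || { echo 0; return; }
    [ "$minor" -ge 10 ] && [ "$minor" -le 13 ] || { echo 0; return; }
    case $minor in
        13) [ "$patch" -ge 2 ]  && { echo 0; return; } ;;   # fixed in 6.13.2
        12) [ "$patch" -ge 10 ] && { echo 0; return; } ;;   # fixed in 6.12.10
    esac
    echo 1
}

# rxgk_enabled "<kernel config text>": prints 1 for CONFIG_RXGK=y or =m.
# Exact-line match, so CONFIG_AFS_RXGK=y or "# CONFIG_RXGK is not set" is 0.
rxgk_enabled() {
    if printf '%s\n' "$1" | grep -q '^CONFIG_RXGK=[ym]$'; then
        echo 1
    else
        echo 0
    fi
}

# host_status: run both checks on this host, reading whichever config exists.
host_status() {
    rel=$(uname -r)
    cfg=$( { zcat /proc/config.gz || cat "/boot/config-$rel"; } 2>/dev/null || true)
    if [ -z "$cfg" ]; then
        echo "unknown-config: $rel (no readable kernel config)"
    elif [ "$(kernel_in_range "$rel")" = 1 ] && [ "$(rxgk_enabled "$cfg")" = 1 ]; then
        echo "in-range: $rel, CONFIG_RXGK enabled; apply a fixed release or blacklist rxrpc"
    else
        echo "out-of-range: $rel"
    fi
}

if [ "${1:-}" = "--live" ]; then
    host_status
fi
```

Invoke it as `sh check.sh --live` on the host under review; the two helper functions can also be sourced and fed `uname -r` output and config text collected elsewhere.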
## Affected Systems

### Known vulnerable ranges

- Linux kernel `6.10` through `6.13`
- `CONFIG_RXGK=m` or `CONFIG_RXGK=y`

### Distribution guidance

- **Fedora 40, 41** — vulnerable on stock kernels until patched
- **Ubuntu 24.10** — vulnerable on the default 6.11 kernel
- **Debian unstable (Sid)** — vulnerable on kernels 6.12+ until updated
- **Arch Linux** — vulnerable until 6.13.2
- **SUSE Linux Enterprise 15 SP7** — vulnerable on older 6.10 builds until patched

### Not vulnerable

- **RHEL 9** — older kernel without `rxgk`
- **AWS Linux 2** — older kernel series
- **Android** — not affected on typical Android branches
- **GCE Container-Optimized OS** — `CONFIG_RXGK` disabled by default

## How to Use This Repository

### Build the exploit

```sh
git clone https://github.com/0xFuffM3/CVE-2026-31635-DirtyDecrypt.git
cd exploit
make
```

For a fully static binary:

```sh
make static
```

### Run the exploit safely

```sh
./dirtydecrypt --check
```

Example usage:

```sh
./dirtydecrypt -f /usr/bin/sudo -o /tmp/sudo_patched
./dirtydecrypt -p shellcode/payload.bin
```

### Recommended reading order

1. `docs/vulnerability-analysis.md`
2. `docs/exploit-development.md`
3. `docs/patch-analysis.md`
4. `docs/affected-kernels.md`

## Mitigation

### Immediate

Disable RxRPC if it is not required:

```sh
sudo rmmod rxrpc
sudo modprobe -r rxgk
echo "blacklist rxrpc" | sudo tee /etc/modprobe.d/blacklist-rxrpc.conf
```

### Permanent

Upgrade to a patched kernel release:

- `6.13.2`
- `6.12.10`
- `6.6.75`

### Detection

Audit relevant socket creation and key operations. The address family filter must match `AF_RXRPC`, which is `33` in `include/linux/socket.h` (the value `28` is `AF_MPLS` and would never match an RxRPC socket):

```sh
# a0 is the first socket(2) argument, the address family: AF_RXRPC = 33
sudo auditctl -a always,exit -F arch=b64 -S socket -F a0=33 -k rxrpc_sock
```

## FAQ

**Q: Can this exploit modify files on disk?**

A: No. The vulnerability corrupts page cache contents only; the backing file on disk remains unchanged unless the page is later flushed.

**Q: Is this vulnerability present on kernels newer than 6.13?**

A: No, the patch was backported and the vulnerable code path is fixed in kernels after 6.13.2.

**Q: What is the safest way to test this?**

A: Use an isolated VM with a stock vulnerable kernel and a disposable user account.

**Q: Where can I find the exploit source?**

A: See `exploit/dirtydecrypt.c` and `exploit/README.md`.

## Repository Layout

```text
CVE-2026-31635-DirtyDecrypt/
├── README.md
├── LICENSE
├── DISCLAIMER.md
├── CHANGELOG.md
├── exploit/
│   ├── README.md
│   ├── dirtydecrypt.c
│   ├── Makefile
│   └── shellcode/
│       └── payload.asm
└── docs/
    ├── vulnerability-analysis.md
    ├── exploit-development.md
    ├── affected-kernels.md
    ├── patch-analysis.md
    └── references.md
```

## References

- [Linux kernel patch — commit `a2567217`](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a2567217)
- [NVD — CVE-2026-31635](https://nvd.nist.gov/vuln/detail/CVE-2026-31635)
- [`docs/references.md`](docs/references.md)

## License

MIT — see [LICENSE](LICENSE).

This repository is intended for educational and authorized security research use only.