Linux’s Dirty Family Grows Again — Plus a Worm-Grade npm Supply Chain Explosion

A new local privilege escalation vulnerability has been discovered in the Linux kernel’s RxGK subsystem. Codenamed DirtyDecrypt (also known as DirtyCBC), it was independently discovered by the Zellic and V12 security teams and reported on May 9, 2026 — only to be informed by kernel maintainers that it was actually a duplicate of a vulnerability already patched upstream on April 25, 2026.

The flaw resides in the rxgk_decrypt_skb() function, the routine that decrypts incoming socket buffers on the receive side of the RxGK (GSS-API security layer for RxRPC, used by the Andrew File System client). The critical issue is a missing Copy-on-Write (COW) guard: decryption writes hit the shared page cache directly without first creating a private copy. An unprivileged local attacker can exploit this page-cache write primitive to modify privileged files such as /etc/shadow, /etc/sudoers, or a SUID binary, ultimately obtaining root access — with no race condition required.

DirtyDecrypt is the fifth variant in a rapidly expanding vulnerability family that has materialized entirely within three weeks: Copy Fail (CVE-2026-31431), Dirty Frag (CVE-2026-43284 / CVE-2026-43500), Fragnesia (CVE-2026-46300), and now DirtyDecrypt. All originate from the XFRM/ESP/RxGK attack surface, signaling a systemic failure in the kernel cryptographic subsystem’s COW protection mechanisms.

Impact is scoped to distributions that ship kernels with CONFIG_RXGK enabled — primarily Fedora, Arch Linux, and openSUSE Tumbleweed. Debian Stable, RHEL, and Ubuntu LTS are unaffected by default. However, in containerized environments, any Kubernetes worker node running a vulnerable rolling-release kernel can be leveraged for container escape and full host compromise, threatening entire clusters. A working public PoC has been released by V12 Security.

On May 19, 2026 — the same day as several other disclosures — the V12 security team released a second Linux kernel local privilege escalation, this one codenamed PinTheft. It chains a reference-count bug in the RDS (Reliable Datagram Sockets) zero-copy send path with the io_uring asynchronous I/O interface to overwrite a SUID-root binary’s page cache and execute arbitrary code as root.

The underlying bug resides in rds_message_zcopy_from_user(), which pins user pages one at a time. When a subsequent page faults during the operation, the error path releases the already-pinned pages — but so does the cleanup path during RDS message teardown, because the scatterlist entries and entry count remain live after the zero-copy notifier is cleared. This double-unpin allows an attacker to steal one reference per failed zero-copy send.

The exploit chain uses io_uring fixed buffers: anonymous pages are registered as fixed buffers, biasing their reference count by 1,024. After 1,024 deliberately failed sends, the reference count reaches zero, the kernel reclaims the page, and io_uring retains a dangling pointer — now pointing to a page reused by a SUID binary’s page cache. By writing a malicious ELF payload through the dangling pointer and triggering the SUID binary, a root shell is obtained. The bug has existed in the kernel since version 4.17 (2018), though a working exploit requires modern io_uring features.

The RDS module is only enabled by default on Arch Linux, though Fedora can load it automatically. Ubuntu and Debian blacklist RDS. A patch was posted to the netdev mailing list on May 5, 2026, and CVE-2026-43494 has been assigned.

Between 01:39 and 02:06 UTC on May 19, 2026, the threat group TeamPCP — operating under the ongoing Mini Shai-Hulud campaign — hijacked the npm maintainer account atool and released 637 malicious package versions across 317 packages in a fully automated burst. The attack targeted the core AntV data visualization ecosystem (@antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/s2, @antv/f2, and many more), as well as high-frequency standalone packages including echarts-for-react (3.8 million monthly downloads), size-sensor (4.2 million downloads), and timeago.js (1.5 million weekly downloads).

Each compromised version embeds a 498KB obfuscated Bun bundle — a structural and functional match for the Mini Shai-Hulud toolkit used in a SAP ecosystem compromise three weeks earlier. The payload employs two execution paths: a preinstall hook that runs immediately on npm install, and — for 630 of the 637 malicious versions — an optionalDependencies entry pointing to imposter commits injected into the legitimate antvis/G2 GitHub repository. This second path exploited GitHub’s object storage to host the malicious payload without requiring write access to the repository itself.

Once triggered, the malware harvests over 130 credential types including AWS environment variables, EC2 instance metadata, ECS container metadata, Kubernetes service account tokens, HashiCorp Vault tokens, GitHub Personal Access Tokens, npm tokens, SSH keys, and local password manager vaults (1Password, Bitwarden, pass). Data is exfiltrated via dual channels: Git objects committed to public GitHub repositories created under the victim’s stolen token (repositories marked with the reversed Dune phrase “niagA oG eW ereH :duluH-iahS”), and a secondary encrypted channel.

Three particularly dangerous persistence mechanisms were identified. The malware injects a SessionStart hook into Claude Code’s settings (.claude/settings.json), writes to VS Code’s tasks.json to trigger on folder open, and installs a Linux/macOS daemon for remote control. Perhaps most alarming is the embedded dead man’s switch: the stolen npm token carries the tag “IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner” — revoking the token triggers deletion of the user’s home directory. In response, GitHub has announced security improvements including phased releases and MFA approval requirements for publishing.

Google Project Zero researcher Seth Jenkins published a complete zero-click exploit chain for the Pixel 10, building on earlier Pixel 9 research. The chain requires no user interaction: when a target device receives a crafted Dolby Digital Plus (DD+) audio stream via a voice message or audio attachment, Android’s background media pipeline processes it automatically, triggering remote code execution inside the mediacodec sandbox.

The entry point is CVE-2025-54957 (CVSS 6.7), an out-of-bounds write in the Dolby Unified Decoder (UDC) caused by an integer overflow during parsing of “evolution” data in DD+ audio streams. This vulnerability was previously demonstrated against Pixel 9; adapting it to Pixel 10 required primarily recalculating memory offsets for the updated library build. The main obstacle was the Pixel 10’s adoption of Return Address Pointer Authentication (RET PAC) in place of classic stack protection, which eliminated the __stack_chk_fail overwrite primitive. Jenkins and colleague Jann Horn worked around this by targeting dap_cpdp_init — an initialization function called only once that can be safely overwritten without disrupting normal decoding.

With code execution inside the media sandbox, the team then needed local privilege escalation. The Pixel 10’s Tensor G5 chip introduced a new VPU driver (/dev/vpu) for the Chips&Media Wave677DV block — maintained by the same team responsible for the BigWave driver exploited on Pixel 9. In just two hours of review, a critical flaw was found: the VPU mmap handler calls remap_pfn_range using the user-supplied virtual memory area size without bounding it to the actual MMIO register region. This allows any low-privileged caller to map arbitrarily large regions of physical memory — including the entire kernel image. Since the Pixel kernel resides at a fixed, predictable physical address, arbitrary kernel read/write access requires just five lines of code.

Jenkins reported the VPU bug on November 24, 2025. Google patched it 71 days later in the February 2026 Pixel security bulletin — notably the first time an Android driver bug reported by Jenkins was fixed within 90 days. Both CVE-2025-54957 (patched January 2026 across all Android) and CVE-2026-0106 (patched February 2026 for Pixel) are now addressed. The exploit only affects devices with a Security Patch Level (SPL) prior to December 2025.