# NOTICE — dirtydecrypt

## Vulnerability

**CVE-2026-31635** — "DirtyDecrypt" / "DirtyCBC". Missing copy-on-write guard in `rxgk_decrypt_skb()` (`net/rxrpc/rxgk_common.h`). The function calls `skb_to_sgvec()` and then `crypto_krb5_decrypt()` with no `skb_cow_data()` in between, so the scatterlist can reference pages the skb merely shares rather than owns; the `krb5enc` AEAD template (`crypto/krb5enc.c`) decrypts **in place** before verifying the HMAC. When the skb fragment pages are page-cache pages (spliced in via `MSG_SPLICE_PAGES` over loopback), the in-place decrypt overwrites the page cache of a read-only file, and the HMAC check that follows cannot undo the write. The same pattern exists in rxkad (`rxkad_verify_packet_2`).

Sibling of Copy Fail (CVE-2026-31431) and Dirty Frag (CVE-2026-43284 / CVE-2026-43500): all three are page-cache write primitives that abuse a missing COW boundary.

## Research credit

Discovered and reported by **Zellic** and the **V12 security** team. Public proof-of-concept by **Luna Tong** ("cts" / "gf_256") of the V12 security team.

> Reference PoC: the upstream PoC file (`poc.c`) carries no author, project, or `LICENSE` header of its own; its header is a purely technical description of the bug. The credit above is taken from the public disclosure, not from the file.

CVE-2026-31635 was assigned for the flaw; its fix commit is not pinned in this module (see below).

## SKELETONKEY role

`skeletonkey_modules.c` is a port of the V12 PoC into the `skeletonkey_module` interface. The exploit primitive (the `fire()` / `pagecache_write()` sliding-window machinery, the rxgk XDR token builder, the 120-byte ET_DYN ELF payload) is reproduced from that PoC. SKELETONKEY adds the detect/cleanup lifecycle, an `--active` sentinel probe, `--no-shell` support, and the embedded detection rules. Research credit belongs to the people above.

## Verification status

**Ported, not yet validated end-to-end on a vulnerable-kernel VM.** The CVE-2026-31635 fix commit is not yet pinned in this module, so `detect()` does not perform a kernel-version patched/vulnerable verdict; see `MODULE.md`.
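## Root-cause illustration (added example)

The Vulnerability section above describes the bug as a decrypt-in-place that runs before MAC verification on a buffer that only references shared page-cache memory. The following userland C program is an added example written for this notice; it is not kernel code, not the V12 PoC, and not part of SKELETONKEY. It models the page-cache page, the skb fragment, `skb_cow_data()` and the krb5enc decrypt-then-verify order with a toy XOR keystream and a toy keyed checksum (both constructed here, neither a real cipher or MAC), so that the only thing it demonstrates is the effect of the missing COW step: with no copy, a forged packet rewrites the shared page even though verification fails; with the copy, the shared page stays intact and a genuine packet still verifies.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SZ 64   /* toy page size; a real page is 4096 bytes */

/* Model of a page-cache page: backing memory every reader of the file sees. */
typedef struct { uint8_t data[PAGE_SZ]; } page_t;

/* Model of an skb fragment: a reference into a page, not a private copy. */
typedef struct { page_t *page; size_t off, len; int private_copy; } frag_t;

/* Toy keystream (NOT a cipher); stands in for the AES-CBC/CTS step. */
static uint8_t keystream(uint8_t key, size_t i) {
    return (uint8_t)(key * 31u + i * 17u + 5u);
}

/* Toy keyed checksum over the plaintext (NOT a MAC). Like the Kerberos HMAC it is
 * computed over plaintext, so the receiver has to decrypt before it can verify. */
static uint32_t toy_tag(uint8_t key, const uint8_t *pt, size_t n) {
    uint32_t t = 0x9e3779b9u ^ key;
    for (size_t i = 0; i < n; i++) t = (t * 16777619u) ^ pt[i];
    return t;
}

/* Sender: encrypt pt into ct and return the tag the packet carries. */
static uint32_t toy_seal(uint8_t key, const uint8_t *pt, uint8_t *ct, size_t n) {
    for (size_t i = 0; i < n; i++) ct[i] = pt[i] ^ keystream(key, i);
    return toy_tag(key, pt, n);
}

/* Receiver, in krb5enc's order: decrypt IN PLACE through the fragment, then verify.
 * Returns 0 on success, -1 on tag mismatch. The bytes behind f are rewritten either
 * way, which is the whole problem when f points at a shared page. */
static int decrypt_inplace_then_verify(uint8_t key, frag_t *f, uint32_t tag) {
    uint8_t *p = f->page->data + f->off;
    for (size_t i = 0; i < f->len; i++) p[i] ^= keystream(key, i);
    return toy_tag(key, p, f->len) == tag ? 0 : -1;
}

/* Model of skb_cow_data(): give the fragment private bytes before any in-place write. */
static int cow_fragment(frag_t *f) {
    page_t *priv = malloc(sizeof *priv);
    if (!priv) return -1;
    memcpy(priv, f->page, sizeof *priv);
    f->page = priv;
    f->private_copy = 1;
    return 0;
}

/* One receive. cow=1 takes the hardened path. genuine=1 places a validly sealed message
 * in the page; genuine=0 models the exploit: the fragment is a spliced page of a
 * read-only file and the packet's tag is junk. Returns 1 if the page-cache page was
 * modified, 0 if it is intact, -1 on allocation failure. Verify result -> *verify_rc. */
static int simulate_receive(int cow, int genuine, int *verify_rc) {
    const uint8_t key = 0x42;          /* session key (assumed known, as via the token) */
    page_t cache;
    memset(cache.data, 'A', PAGE_SZ);  /* constructed file contents in the page cache */
    uint32_t tag = 0;
    if (genuine) {
        uint8_t pt[16] = "hello, rxgk!!!!";
        tag = toy_seal(key, pt, cache.data + 8, sizeof pt);
    }
    page_t before = cache;

    frag_t f = { &cache, 8, 16, 0 };   /* MSG_SPLICE_PAGES: frag references the page itself */
    if (cow && cow_fragment(&f) != 0) return -1;
    int rc = decrypt_inplace_then_verify(key, &f, tag);
    if (verify_rc) *verify_rc = rc;
    if (f.private_copy) free(f.page);
    return memcmp(&cache, &before, sizeof cache) != 0;
}

/* Convenience wrapper returning only the verification result of a receive. */
static int verify_result(int cow, int genuine) {
    int rc = -2;
    simulate_receive(cow, genuine, &rc);
    return rc;
}

int main(void) {
    int rc, dirty;
    dirty = simulate_receive(0, 0, &rc);
    printf("no COW, forged packet : verify=%d page-cache modified=%d\n", rc, dirty);
    dirty = simulate_receive(1, 0, &rc);
    printf("COW,    forged packet : verify=%d page-cache modified=%d\n", rc, dirty);
    dirty = simulate_receive(1, 1, &rc);
    printf("COW,    genuine packet: verify=%d page-cache modified=%d\n", rc, dirty);
    return 0;
}
```

The first run is the DirtyDecrypt shape: verification fails, yet the page-cache page now holds the "decryption" of the file bytes. Inserting the copy before the in-place write is the only difference between the first and second run, which is why the fix described above is a COW boundary rather than a change to the cipher or HMAC handling.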