Security researchers disclosed Fragnesia, a new Linux kernel local privilege escalation vulnerability tracked as CVE-2026-46300 with CVSS score of 7.8. William Bowling of Zellic discovered the flaw with V12 Security team targeting Linux kernel’s XFRM ESP-in-TCP subsystem. The vulnerability allows unprivileged local attackers to modify read-only file contents in kernel page cache achieving root privileges.
Fragnesia emerged as unintended side effect of patches addressing original Dirty Frag vulnerabilities according to Dirty Frag discoverer Hyunwoo Kim. The security flaw represents third Linux local privilege escalation bug identified within span of two weeks following Copy Fail and Dirty Frag disclosures. V12 Security released proof-of-concept exploit demonstrating attack overwrites /usr/bin/su binary through page cache yielding root access.
Advisories have been released by multiple Linux distributions:
- AlmaLinux
- Amazon Linux
- CloudLinux
- Debian
- Gentoo
- Red Hat Enterprise Linux
- SUSE
- Ubuntu
Google-owned Wiz stated the vulnerability exploits logic bug in Linux XFRM ESP-in-TCP implementation involving improper handling of shared page fragments during skb coalescing. The exploit abuses scenario where the kernel splices file-backed pages into TCP receive queue before socket transitions into espintcp ULP mode. Microsoft stated no evidence shows in-the-wild exploitation but urged users and organizations to apply patch immediately.
CloudLinux maintainers stated customers who already applied Dirty Frag mitigation need no further action until the team releases patched kernels. Red Hat is performing assessment to confirm if existing mitigations extend to CVE-2026-46300 according to company statements. A patch is available on netdev awaiting review though not yet in mainline kernel releases.
Fragnesia is similar to Copy Fail and Dirty Frag (aka Copy Fail 2) in that it immediately yields root on all major distributions by achieving a memory write primitive in the kernel and corrupting the page cache memory of the /usr/bin/su binary. A proof-of-concept (PoC) exploit has been released by V12.
Systems can apply temporary mitigation by disabling vulnerable ESP modules through module blacklist matching Dirty Frag protections. AlmaLinux and CloudLinux released patched kernels for supported releases while Ubuntu patch status remains needs evaluation across all releases.
