top of page

New Fragnesia Linux Kernel LPE Vulnerability Grants Root Access Through Page Cache Corruption

  • May 14
  • 3 min read

Key Findings


  • CVE-2026-46300 (Fragnesia) is a new Linux kernel LPE vulnerability with CVSS score 7.8 that grants unprivileged attackers root access via page cache corruption

  • The flaw exists in the XFRM ESP-in-TCP subsystem and was discovered by William Bowling of the V12 security team

  • Unlike the related Dirty Frag vulnerability, Fragnesia requires no host-level privileges for exploitation

  • This is the third major Linux kernel LPE discovered in two weeks, following Copy Fail and Dirty Frag

  • A public proof-of-concept exploit is available, heightening exploitation risk

  • No in-the-wild attacks have been observed yet, but patches are available from all major Linux distributions


Background


Fragnesia represents the latest in a concerning wave of privilege escalation vulnerabilities affecting the Linux kernel. Discovered by researcher William Bowling of the V12 security team and analyzed by Google-owned Wiz, this flaw joins Copy Fail and Dirty Frag as critical LPE bugs identified within a two-week timeframe. The vulnerability affects a core networking component that handles encrypted traffic, making it a widespread threat across Linux infrastructure.


Technical Details of the Vulnerability


The vulnerability exploits a logic flaw in the Linux XFRM ESP-in-TCP subsystem. Specifically, it abuses improper handling of shared page fragments during socket buffer coalescing. The attack works by splicing file-backed pages into a TCP receive queue before the socket transitions into ESP-in-TCP mode. Once encryption processing is enabled, the kernel decrypts queued data in-place, allowing attackers to corrupt the underlying page cache through AES-GCM keystream manipulation. This enables arbitrary byte writes into the kernel page cache of read-only files without requiring race conditions or precise timing attacks.


Exploitation Method and Impact


Attackers with unprivileged local access can deterministically corrupt the page cache to modify read-only file contents and gain root access. The attack reliably provides complete system compromise on all major Linux distributions by targeting the /usr/bin/su binary. A proof-of-concept exploit released by V12 demonstrates the reliability of the attack. Unlike Dirty Frag, Fragnesia requires no host-level privileges, making it accessible to a broader range of attackers on vulnerable systems.


Affected Distributions and Patches


Multiple Linux vendors have released security advisories and patches, including Debian, Ubuntu, Red Hat Enterprise Linux, SUSE, Amazon Linux, AlmaLinux, CloudLinux, and Gentoo. Organizations that previously applied Dirty Frag mitigations may not be protected against Fragnesia, as this is a separate vulnerability affecting the same attack surface. Red Hat is conducting additional assessments to determine if existing mitigations provide coverage.


Mitigation Strategies


For systems that cannot be immediately patched, several mitigation approaches are recommended. These include disabling unnecessary XFRM and IPsec functionality, particularly esp4 and esp6 modules. Administrators should also restrict local shell access to trusted users, harden containerized workloads, and increase monitoring for abnormal privilege escalation activity. AppArmor restrictions on unprivileged user namespaces may provide partial mitigation but require additional bypasses for complete protection. Microsoft and other security organizations have emphasized that patching should be prioritized whenever possible.


Current Threat Landscape


The vulnerability emerges amid broader concerns about Linux kernel security. A cybercriminal named "berz0k" has been advertising on dark web forums what is claimed to be a separate Linux LPE zero-day exploit for $170,000, allegedly working across multiple major distributions. This suggests attackers are actively seeking and developing Linux privilege escalation capabilities, though no confirmed exploitation of Fragnesia in the wild has been reported to date. The public availability of a proof-of-concept exploit increases the likelihood of rapid weaponization.


Sources


  • https://thehackernews.com/2026/05/new-fragnesia-linux-kernel-lpe-grants.html

  • https://securityaffairs.com/192145/uncategorized/linux-kernel-bug-fragnesia-allows-local-root-access-attacks.html

  • https://www.reddit.com/r/SecOpsDaily/comments/1tc0rtn/fragnesia_linux_kernel_local_privilege_escalation/

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page