Full Report
Fresh kernel flaw comes with public exploit code and continues ugly run of highly reliable privilege escalation bugs tied to memory and page-cache handling
Analysis Summary
# Vulnerability: Fragnesia (Linux Kernel ESP-in-TCP Page Cache Corruption)
## CVE Details
- **CVE ID:** CVE-2026-46300
- **CVSS Score:** 7.8 (High) - *Estimate, not a vendor-assigned score; it corresponds to the usual Local Privilege Escalation (LPE) vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H*
- **CWE:** CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) / CWE-822 (Untrusted Pointer Dereference)
## Affected Systems
- **Products:** Linux Kernel (XFRM subsystem)
- **Versions:** Kernels that carry the initial "Dirty Frag" fixes, since this flaw was introduced by those fixes; consult each distribution's advisory for the exact affected and fixed package versions.
- **Configurations:** Kernels with IPsec (XFRM) support and the ESP-in-TCP code path enabled (the `CONFIG_INET_ESPINTCP` build option).
- **Affected Distributions:** AlmaLinux (all supported), Amazon Linux, CloudLinux, Debian, Gentoo, RHEL, SUSE, and Ubuntu.
## Vulnerability Description
Fragnesia is a local privilege escalation (LPE) flaw residing in the Linux kernel’s XFRM subsystem. The flaw is specifically tied to how the kernel handles Encapsulating Security Payload (ESP) over TCP processing for IPsec.
Technically, the bug lets an unprivileged user corrupt the page cache, the kernel's in-memory copy of file contents. By abusing the faulty memory handling, an attacker can overwrite the cached pages of files they are only allowed to read, such as `/etc/passwd` or setuid binaries like `/usr/bin/su`. Every subsequent `read()`, `mmap()` or `execve()` of such a file is served from the corrupted pages, so the system runs the attacker's version even though the bytes on disk are unchanged; the corruption persists until the pages are evicted from the cache or the system reboots.
Notably, this vulnerability was introduced as a side effect (regression) of the patches intended to fix the preceding "Dirty Frag" vulnerability.
## Exploitation
- **Status:** PoC available. Public exploit code has been released by V12 Security.
- **Complexity:** Low. Unlike many LPEs, the exploit does not depend on winning a race condition, which makes it highly reliable and repeatable.
- **Attack Vector:** Local. The attacker must already have unprivileged access to the system (e.g., via a shell, compromised container, or web application).
## Impact
- **Confidentiality:** High (once the attacker has escalated to root, all data on the host is readable).
- **Integrity:** High (direct ability to alter the memory-resident content of system files such as `/etc/passwd` and setuid binaries, and full control of the host after escalation).
- **Availability:** High (root access permits arbitrary disruption; corrupting the wrong cached pages can also destabilize the system, although the flaw is primarily used for privilege escalation).
## Remediation
### Patches
- Apply the kernel updates published by your distribution; track upstream kernel releases and distribution advisory pages, since fixed versions differ per distribution and branch.
- **AlmaLinux:** Patch all supported releases immediately.
- **RHEL/Ubuntu/Debian:** Follow distribution-specific security trackers for kernel package updates.
### Workarounds
- **Disable XFRM/ESP:** If IPsec is not required, prevent the ESP modules (`esp4`, `esp6`) from loading and do not configure IPsec policies. ESP-in-TCP support itself is a build-time option (`CONFIG_INET_ESPINTCP`); a kernel built with it keeps that code regardless of modprobe rules, so treat this as exposure reduction only, until the patched kernel is installed.
- **Restricted Access:** Limit who can execute code as an unprivileged user: any local shell, compromised web application or container sharing the host kernel is a sufficient starting point for the attack.
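The following script is an added example, not part of the advisory or of any vendor tooling. It reports whether the running kernel has the ESP and ESP-in-TCP code paths and, given a path, writes modprobe rules that refuse to load the ESP modules. It assumes (these are not stated by the advisory) that the kernel's build options are readable from `/boot/config-$(uname -r)` or `/proc/config.gz`, that ESP-in-TCP is the `CONFIG_INET_ESPINTCP` option, and that ESP itself is the `esp4`/`esp6` modules when `CONFIG_INET_ESP=m`; when ESP is built in (`=y`) no module rule can remove it.

```shell
#!/bin/sh
# Added example, not from the advisory: report whether this kernel has the
# ESP / ESP-in-TCP code path and, where IPsec is not needed, install modprobe
# rules that refuse to load the ESP modules.
# Assumptions (not stated by the advisory): build options readable from
# /boot/config-$(uname -r) or /proc/config.gz; ESP-in-TCP is the
# CONFIG_INET_ESPINTCP option; ESP is the esp4/esp6 modules when
# CONFIG_INET_ESP=m and cannot be unloaded when CONFIG_INET_ESP=y.

# Print the running kernel's build configuration from whichever source exists.
kernel_config() {
    f="/boot/config-$(uname -r)"
    if [ -r "$f" ]; then
        cat "$f"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    else
        return 1
    fi
}

# $1 = kernel config text. Prints "builtin" if ESP-in-TCP is compiled in
# (it is a bool option, so there is no module form), otherwise "absent".
espintcp_state() {
    if printf '%s\n' "$1" | grep -qx 'CONFIG_INET_ESPINTCP=y'; then
        echo builtin
    else
        echo absent
    fi
}

# $1 = kernel config text. Prints how ESP is built: "module" (esp4/esp6 can be
# blocked with modprobe rules), "builtin" (only a kernel update removes it),
# or "absent".
esp_build_state() {
    if printf '%s\n' "$1" | grep -qx 'CONFIG_INET_ESP=m'; then
        echo module
    elif printf '%s\n' "$1" | grep -qx 'CONFIG_INET_ESP=y'; then
        echo builtin
    else
        echo absent
    fi
}

# ESP modules currently loaded, one per line (empty if none).
loaded_esp_modules() {
    [ -r /proc/modules ] || return 0
    awk '$1 == "esp4" || $1 == "esp6" { print $1 }' /proc/modules
}

# Write modprobe rules to $1 (normally /etc/modprobe.d/no-esp.conf, needs root).
# "install <mod> /bin/false" refuses explicit and alias-based loads alike,
# whereas "blacklist <mod>" only stops alias-based autoloading. Modules that
# are already loaded stay until "modprobe -r esp4 esp6" or a reboot.
write_esp_block_rules() {
    printf '%s\n' \
        '# Refuse to load IPsec ESP until the Fragnesia (CVE-2026-46300) kernel update is installed' \
        'install esp4 /bin/false' \
        'install esp6 /bin/false' > "$1"
}

# Report exposure; with an argument, also write the block rules to that path.
main() {
    if cfg=$(kernel_config); then
        echo "ESP-in-TCP (CONFIG_INET_ESPINTCP): $(espintcp_state "$cfg")"
        echo "ESP build (CONFIG_INET_ESP):       $(esp_build_state "$cfg")"
    else
        echo "kernel config not readable; cannot determine ESP-in-TCP support"
    fi
    echo "loaded ESP modules: $(loaded_esp_modules | tr '\n' ' ')"
    if [ -n "${1:-}" ]; then
        write_esp_block_rules "$1" && echo "wrote modprobe rules to $1"
    fi
}

main "$@"
```

Run it without arguments to see the exposure report; run it as root with `/etc/modprobe.d/no-esp.conf` as the argument to install the rules. If the report says `builtin` for either option, the rules change nothing and only the kernel update closes the exposure.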
## Detection
- **Indicators of Compromise:** Setuid binaries (such as `su` or `sudo`) or `/etc/passwd` whose current content, as read through the page cache, does not match the trusted baseline (package-manager or file-integrity database) or a direct read of the on-disk bytes. The discrepancy vanishes after a reboot or cache eviction, so it has to be captured while the system is live.
- **Detection methods and tools:**
- Auditd records system calls, not kernel-internal function calls: use it to log socket and network-configuration syscalls made by unprivileged users, and look for processes interacting with the IPsec/XFRM stack on hosts where no VPN or IPsec software is expected.
- Compare sensitive files and setuid binaries against package-manager or file-integrity baselines (`rpm -V`, `debsums`, AIDE) and against a cache-bypassing read of the same file; a mismatch while the on-disk data is unchanged points to page-cache tampering.
- Vulnerability scanners (for example Wiz or CrowdStrike Falcon) can identify hosts still running affected kernel builds.
## References
- Wiz Advisory: hxxps[://]www[.]wiz[.]io/blog/fragnesia-linux-kernel-local-privilege-escalation-via-esp-in-tcp
- V12 Security PoC: hxxps[://]github[.]com/v12-security/pocs/tree/main/fragnesia
- AlmaLinux Advisory: hxxps[://]almalinux[.]org/blog/2026-05-13-fragnesia-cve-2026-46300/
- Microsoft Security Intelligence: hxxps[://]x[.]com/MsftSecIntel/status/2054701609024934064