A new page-cache corruption vulnerability in the Dirty Frag family enables unprivileged local attackers to achieve root
# Vulnerability: Fragnesia - Linux Kernel Local Privilege Escalation via ESP-in-TCP
## CVE Details
- **CVE ID**: Not provided in the source article. The bug is presented as a new variant in the "Dirty Frag" family, not as a re-issue of the original Dirty Frag CVE(s).
- **CVSS Score**: Not specified. A local, unprivileged path to root that also writes attacker-chosen bytes into cached file pages would normally score High or Critical.
- **CWE**: Not assigned in the source. The closest fit is CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer); the concrete effect is corruption of file-backed pages in the page cache that are shared with a TCP receive queue.
## Affected Systems
- **Products**: Linux Kernel
- **Versions**: Kernels that support XFRM ESP-in-TCP (built with `CONFIG_INET_ESPINTCP` / `CONFIG_INET6_ESPINTCP`). Because this is presented as a new variant rather than the original Dirty Frag bug, kernels patched only for the original Dirty Frag should not be assumed fixed.
- **Configurations**: Systems where an unprivileged user can create user and network namespaces (which is how the attacker obtains `CAP_NET_ADMIN` to configure XFRM) and the ESP-in-TCP path is reachable.
## Vulnerability Description
Fragnesia is a logic flaw in the Linux kernel's **XFRM ESP-in-TCP** (`espintcp`) implementation: shared page fragments are not handled correctly when socket buffers (skbs) are coalesced on the TCP receive path.
The attacker first splices file-backed pages (the page-cache copy of a read-only host file) into a TCP socket's receive queue, then switches that socket into `espintcp` mode. Once ESP processing is active, the kernel decrypts the queued data in place, so the decryption output is written over the very page-cache pages that back the file. With AES-GCM the payload decryption is an XOR with a keystream derived from the key and nonce, and the attacker controls key, nonce and ciphertext, so the bytes written are attacker-chosen. The on-disk file is untouched; only the cached pages change, but those cached pages are what every process sees when it executes the binary (for example `/usr/bin/su`) until they are evicted or the system reboots, which is enough to obtain root.
## Exploitation
- **Status**: PoC available (published by the researchers).
- **Complexity**: Medium (requires a specific sequence of namespace creation, XFRM configuration and socket manipulation).
- **Attack Vector**: Local (requires an unprivileged shell on the target system).
## Impact
- **Confidentiality**: High (Provides full root access to the system).
- **Integrity**: High (Allows modification of read-only cached files/binaries).
- **Availability**: High (attacker-chosen bytes written into the cached pages of a shared binary or library can crash every process that maps them; the effect lasts until the pages are evicted or the system reboots, since the on-disk file is not modified).
## Remediation
### Patches
- Apply the vendor kernel update that fixes the XFRM ESP-in-TCP receive path as soon as it is available; an update that addressed only the original Dirty Frag bugs is not sufficient.
### Workarounds
- **Disable vulnerable modules**: If IPsec ESP and RxRPC are not needed, block `esp4`, `esp6` and `rxrpc` with modprobe `install` overrides. This only prevents future loads: a module that is already loaded must be removed with `modprobe -r` or the system rebooted.
```bash
printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/fragnesia.conf
```
- **Restrict User Namespaces**: Restrict or disable unprivileged user namespaces. The knob depends on the kernel: `sysctl -w kernel.unprivileged_userns_clone=0` on Debian-patched kernels, `sysctl -w kernel.apparmor_restrict_unprivileged_userns=1` on Ubuntu 23.10 and later, or `sysctl -w user.max_user_namespaces=0` on upstream kernels (the last one also blocks root and any container runtime from creating user namespaces).
- **AppArmor**: Ensure the AppArmor restriction on unprivileged user namespaces is active (enabled by default on current Ubuntu releases).
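The two workarounds above as one script, added here as an example; it is not from the Wiz write-up or the PoC repository. It probes the three user-namespace sysctl names listed above, writes the modprobe overrides, and reports which of the named modules are already loaded (the part the blacklist alone does not fix). The `FRAGNESIA_APPLY` variable and the function names are this example's own.

```bash
#!/bin/sh
# Added example (not from the write-up or the PoC): apply the Fragnesia
# workarounds and report the state that a blacklist entry does not change.
# FRAGNESIA_APPLY=1 is this script's own guard; the sysctl names are standard.

# Modules the advisory names; an "install" override stops future loads only.
FRAGNESIA_MODULES="esp4 esp6 rxrpc"

# Print the names of those modules that are loaded right now.
# For these, the blacklist does nothing until `modprobe -r` or a reboot.
loaded_esp_modules() {
    [ -r /proc/modules ] || return 0
    for m in $FRAGNESIA_MODULES; do
        # /proc/modules lines start with "<name> <size> ..."
        grep -q "^$m " /proc/modules && printf '%s\n' "$m"
    done
    return 0
}

# Write the modprobe overrides to the given file (default: the advisory's path).
write_blacklist() {
    out="${1:-/etc/modprobe.d/fragnesia.conf}"
    : > "$out"
    for m in $FRAGNESIA_MODULES; do
        printf 'install %s /bin/false\n' "$m" >> "$out"
    done
}

# Report which user-namespace restriction knob this kernel exposes.
# Output: the sysctl name, or "none" if no known knob exists.
userns_knob() {
    if [ -e /proc/sys/kernel/apparmor_restrict_unprivileged_userns ]; then
        echo kernel.apparmor_restrict_unprivileged_userns   # Ubuntu 23.10+
    elif [ -e /proc/sys/kernel/unprivileged_userns_clone ]; then
        echo kernel.unprivileged_userns_clone                # Debian patch
    elif [ -e /proc/sys/user/max_user_namespaces ]; then
        echo user.max_user_namespaces                        # upstream kernels
    else
        echo none
    fi
}

# Set the detected knob to its restrictive value. Must run as root.
# Note: user.max_user_namespaces=0 also stops root and container runtimes
# from creating user namespaces, so prefer the first two where they exist.
restrict_userns() {
    case "$(userns_knob)" in
        kernel.apparmor_restrict_unprivileged_userns)
            sysctl -w kernel.apparmor_restrict_unprivileged_userns=1 ;;
        kernel.unprivileged_userns_clone)
            sysctl -w kernel.unprivileged_userns_clone=0 ;;
        user.max_user_namespaces)
            sysctl -w user.max_user_namespaces=0 ;;
        none)
            echo "no user-namespace restriction knob found" >&2; return 1 ;;
    esac
}

# Stand-alone use: FRAGNESIA_APPLY=1 sh harden.sh   (as root)
if [ "${FRAGNESIA_APPLY:-0}" = 1 ]; then
    write_blacklist
    restrict_userns
    loaded=$(loaded_esp_modules)
    [ -z "$loaded" ] || echo "still loaded (modprobe -r or reboot): $loaded"
fi
```

Run with `FRAGNESIA_APPLY=1` as root to apply; without it the script only defines the functions, so it can be sourced to check `userns_knob` and `loaded_esp_modules` on a fleet before deciding which knob to push out.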
## Detection
- **Indicators of Compromise**:
- Unprivileged processes creating user and network namespaces and then acting with `CAP_NET_ADMIN` inside them.
- `NETLINK_XFRM` traffic (IPsec SA and policy configuration) from unprivileged processes or from inside such namespaces, or unusual `AF_ALG` sockets.
- **Mitigation/Recovery**:
- If exploitation is suspected, reboot: the corruption exists only in the page cache and the on-disk files are intact, so a reboot restores the binaries.
- Alternatively, evict the page cache as root: `echo 1 | tee /proc/sys/vm/drop_caches`. This frees only clean, unmapped pages, so a binary or library that a running process still has mapped keeps its corrupted pages; terminate those processes first, or reboot.
- While the tampered pages remain cached, any normal read of the file returns the tampered bytes, so package verification that reads the file (for example `rpm -V` or `debsums`) will flag the binary; once the pages are evicted the same check passes again.
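Two checks for the indicators and the recovery caveat above, added here as an example that is not from the Wiz write-up or the PoC: a scan of auditd `SYSCALL` records for unprivileged user-namespace creation, `NETLINK_XFRM` sockets and `AF_ALG` sockets, and a comparison of a file's page-cache contents against its on-disk bytes read with `O_DIRECT`. The audit lines are constructed for this example, the syscall numbers assume x86_64, and the function names are this example's own.

```bash
#!/bin/sh
# Added example (not from the write-up or the PoC). The SAMPLE_AUDIT lines are
# constructed for this example, not captured from a real exploit run.

# ---- 1. Audit-log scan ---------------------------------------------------
# Assumes x86_64 auditd SYSCALL records: syscall 272 = unshare, 41 = socket,
# a0..a3 logged in hex. unshare(2): CLONE_NEWUSER = 0x10000000 (bit 28).
# socket(2): AF_NETLINK = 16 (a0=10), NETLINK_XFRM = 6 (a2=6); AF_ALG = 38 (a0=26).
scan_audit() {
    awk '
    function hex(s,  i, v) {             # hex string -> number; strtonum is gawk-only
        v = 0; s = tolower(s)
        for (i = 1; i <= length(s); i++)
            v = v * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
        return v
    }
    $1 != "type=SYSCALL" { next }
    {
        split("", f)                      # portable way to clear the array
        for (i = 1; i <= NF; i++)
            if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
        if (f["uid"] + 0 == 0) next       # root may legitimately do all of this
        what = ""
        if (f["syscall"] + 0 == 272 && int(hex(f["a0"]) / 268435456) % 2 == 1)
            what = "unshare(CLONE_NEWUSER)"          # 268435456 = 0x10000000
        else if (f["syscall"] + 0 == 41 && hex(f["a0"]) == 16 && hex(f["a2"]) == 6)
            what = "socket(AF_NETLINK, NETLINK_XFRM)"
        else if (f["syscall"] + 0 == 41 && hex(f["a0"]) == 38)
            what = "socket(AF_ALG)"
        if (what != "")
            printf "pid=%s uid=%s exe=%s %s\n", f["pid"], f["uid"], f["exe"], what
    }'
}

# Constructed records: a user+net namespace, an XFRM netlink socket and an
# AF_ALG socket from pid 1234 (uid 1000); an ordinary AF_INET socket from
# curl; and a root unshare(CLONE_NEWNS) from systemd. Only the first three
# should be reported.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1710000000.101:501): arch=c000003e syscall=272 success=yes exit=0 a0=50000000 a1=0 a2=0 a3=0 ppid=1200 pid=1234 auid=1000 uid=1000 comm="poc" exe="/tmp/poc" key="userns"
type=SYSCALL msg=audit(1710000000.102:502): arch=c000003e syscall=41 success=yes exit=3 a0=10 a1=3 a2=6 a3=0 ppid=1200 pid=1234 auid=1000 uid=1000 comm="poc" exe="/tmp/poc" key="socket"
type=SYSCALL msg=audit(1710000000.103:503): arch=c000003e syscall=41 success=yes exit=4 a0=26 a1=5 a2=0 a3=0 ppid=1200 pid=1234 auid=1000 uid=1000 comm="poc" exe="/tmp/poc" key="socket"
type=SYSCALL msg=audit(1710000000.104:504): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=0 a3=0 ppid=900 pid=1300 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="socket"
type=SYSCALL msg=audit(1710000000.105:505): arch=c000003e syscall=272 success=yes exit=0 a0=20000 a1=0 a2=0 a3=0 ppid=1 pid=800 auid=4294967295 uid=0 comm="systemd" exe="/usr/lib/systemd/systemd" key="userns"'

# ---- 2. Page-cache view vs on-disk bytes ----------------------------------
# The corruption lives only in the page cache, so a normal read() of the file
# returns the tampered bytes while an O_DIRECT read returns what is on disk.
# Prints "match", "mismatch", or "unsupported" (filesystem refuses O_DIRECT,
# e.g. tmpfs). "mismatch" on a binary is the state this bug leaves behind.
cached_vs_disk() {
    f="$1"
    direct=$(mktemp) || return 2
    # bs=4096 keeps the reads block-aligned, which O_DIRECT requires
    if ! dd if="$f" of="$direct" iflag=direct bs=4096 2>/dev/null; then
        rm -f "$direct"; echo unsupported; return 0
    fi
    cached=$(sha256sum < "$f" | cut -d' ' -f1)        # through the page cache
    ondisk=$(sha256sum < "$direct" | cut -d' ' -f1)   # bypassing it
    rm -f "$direct"
    if [ "$cached" = "$ondisk" ]; then echo match; else echo mismatch; fi
}

# Stand-alone use:  sh check.sh /usr/bin/su /usr/bin/sudo
#                   scan_audit < /var/log/audit/audit.log   (after sourcing)
for f in "$@"; do
    printf '%s %s\n' "$(cached_vs_disk "$f")" "$f"
done
```

The audit scan keys on the combination the advisory describes (namespace creation followed by XFRM configuration from a non-root uid) rather than on any single syscall, since `unshare` and netlink sockets are common on their own. The `O_DIRECT` comparison only works on filesystems that support direct I/O and only while the tampered pages are still cached; a `match` after a `drop_caches` or reboot is expected and does not mean the host was never hit.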
## References
- Wiz Blog: hxxps[://]www[.]wiz[.]io/blog/fragnesia-linux-kernel-local-privilege-escalation-via-esp-in-tcp
- Disclosure/PoC Repo: hxxps[://]github[.]com/v12-security/pocs/blob/main/fragnesia/README.md
- Original Dirty Frag Research: hxxps[://]www[.]wiz[.]io/blog/dirty-frag-linux-kernel-local-privilege-escalation-via-esp-and-rxrpc