Full Report
Details have emerged about a new variant of the recent Dirty Frag Linux local privilege escalation (LPE) vulnerability that allows local attackers to gain root access, making it the third such bug to be identified in the kernel within a span of two weeks. Codenamed Fragnesia, the security vulnerability is tracked as CVE-2026-46300 (CVSS score: 7.8) and is rooted in the Linux kernel's XFRM
Analysis Summary
# Vulnerability: Fragnesia Linux Kernel Local Privilege Escalation
## CVE Details
- **CVE ID:** CVE-2026-46300
- **CVSS Score:** 7.8 (High)
- **CWE:** Logic Bug / Memory Corruption (Specific CWE not listed, but refers to page cache corruption)
## Affected Systems
- **Products:** Linux Kernel
- **Versions:** Vulnerable versions include those using the XFRM ESP-in-TCP subsystem (specific version ranges should be verified via distribution advisories).
- **Configurations:** Systems with unprivileged user namespaces enabled; specifically those utilizing IPsec/XFRM functionality.
- **Affected Distributions:**
  - AlmaLinux
  - Amazon Linux
  - CloudLinux
  - Debian
  - Gentoo
  - Red Hat Enterprise Linux (RHEL)
  - SUSE
  - Ubuntu
## Vulnerability Description
Fragnesia is a logic vulnerability located in the Linux kernel's **XFRM ESP-in-TCP subsystem**. Unlike its predecessor "Dirty Frag," this flaw is deterministic and does not require a race condition to succeed. It allows an attacker to achieve a memory write primitive, specifically enabling the modification of read-only file contents within the **kernel page cache**. By corrupting the page cache of sensitive binaries (such as `/usr/bin/su`), an unprivileged user can escalate their privileges to root.
## Exploitation
- **Status:** PoC available (Released by V12 Security)
- **Complexity:** Low (Deterministic; no race condition required)
- **Attack Vector:** Local
## Impact
- **Confidentiality:** High (Full system access via root)
- **Integrity:** High (Ability to modify read-only system files)
- **Availability:** High (Potential for system instability or total takeover)
## Remediation
### Patches
- Patches are available from major Linux distributions. Users should update their kernels immediately using standard package managers (e.g., `apt upgrade`, `dnf update`).
### Workarounds
If patching is not immediately possible, apply the following mitigations:
- Disable `esp4` and `esp6` kernel modules.
- Disable or restrict XFRM/IPsec functionality if not required.
- Restrict unprivileged user namespaces (may serve as a partial mitigation).
- Disable or limit local shell access for untrusted users.
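
To confirm that the module and user-namespace workarounds above are actually in effect on a host, the following added example (not part of the advisory or any vendor tooling) audits them. The function names are hypothetical; it assumes the standard `/proc/modules`, `/etc/modprobe.d` and `/proc/sys` locations.

```shell
#!/bin/sh
# Added example (not from the advisory): audit the workarounds above on one host.
# Every path is a parameter, so the checks also run against saved copies of the files.

# module_loaded NAME [FILE]: true if NAME is listed in a /proc/modules-format file.
module_loaded() {
    awk -v m="$1" '$1 == m { hit = 1 } END { exit !hit }' "${2:-/proc/modules}" 2>/dev/null
}

# module_blocked NAME [DIR]: true if modprobe.d maps loading NAME to /bin/false or
# /bin/true. A bare "blacklist" line is not counted: it only disables the module's
# aliases, and the module can still be loaded by name.
module_blocked() {
    cat "${2:-/etc/modprobe.d}"/*.conf 2>/dev/null | awk -v m="$1" '
        $1 == "install" && $2 == m && $3 ~ /^\/bin\/(false|true)$/ { hit = 1 }
        END { exit !hit }'
}

# userns_restricted [DIR]: true if unprivileged user namespaces are switched off.
# user.max_user_namespaces is upstream; kernel.unprivileged_userns_clone exists only
# on some distribution kernels (Debian and derivatives), so a missing file is ignored.
userns_restricted() {
    max=$(cat "${1:-/proc/sys}/user/max_user_namespaces" 2>/dev/null)
    clone=$(cat "${1:-/proc/sys}/kernel/unprivileged_userns_clone" 2>/dev/null)
    [ "$max" = 0 ] || [ "$clone" = 0 ]
}

# fragnesia_audit [MODULES_FILE] [MODPROBE_DIR] [PROC_SYS_DIR]
# Prints one line per check; the return status is the number of open findings.
fragnesia_audit() {
    open=0
    for mod in esp4 esp6; do
        if module_loaded "$mod" "$1"; then
            echo "FINDING: $mod is loaded"; open=$((open + 1))
        elif module_blocked "$mod" "$2"; then
            echo "ok: $mod is not loaded and loading is blocked"
        else
            echo "FINDING: $mod is not loaded but can be loaded on demand"; open=$((open + 1))
        fi
    done
    if userns_restricted "$3"; then
        echo "ok: unprivileged user namespaces are restricted"
    else
        echo "FINDING: unprivileged user namespaces are enabled"; open=$((open + 1))
    fi
    return "$open"
}

fragnesia_audit "$@" || echo "open findings: $?"
```

Modules compiled into the kernel never appear in `/proc/modules` and cannot be blocked through modprobe.d, so on such hosts the module checks do not apply and patching is the only fix for that item.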
## Detection
- **Indicators of Compromise:** Monitor for abnormal privilege escalation activity and unauthorized use of the `su` or `sudo` commands.
- **Detection methods:** Audit system logs for unexpected modification of page cache or system binaries. Monitor for the creation of suspicious shared object (`.so`) files in `/tmp`.
## References
- AlmaLinux Advisory: hxxps://almalinux[.]org/blog/2026-05-13-fragnesia-cve-2026-46300/
- Wiz Research Blog: hxxps://www[.]wiz[.]io/blog/fragnesia-linux-kernel-local-privilege-escalation-via-esp-in-tcp
- Red Hat Security: hxxps://access[.]redhat[.]com/security/cve/cve-2026-46300
- Ubuntu Security: hxxps://ubuntu[.]com/security/CVE-2026-46300
- V12 Security PoC: hxxps://github[.]com/v12-security/pocs/blob/main/fragnesia/README[.]md