New Fragnesia Linux flaw lets attackers gain root privileges
Fragnesia Linux kernel flaw (CVE-2026-46300) enables local privilege escalation to root.
Summary
A new high-severity Linux kernel vulnerability called Fragnesia (CVE-2026-46300) allows unprivileged local attackers to gain root privileges through a logic bug in the XFRM ESP-in-TCP subsystem. Discovered by Zellic's William Bowling, the flaw enables arbitrary byte writes to the kernel page cache of read-only files and is part of the Dirty Frag vulnerability class. Linux distributions are rolling out patches, and users unable to patch immediately are advised to disable vulnerable kernel modules as a mitigation.
Full text
By Sergiu Gatlan
May 14, 2026 03:34 AM

Linux distros are rolling out patches for a new high-severity kernel privilege escalation vulnerability that allows attackers to run malicious code as root.

Known as Fragnesia and tracked as CVE-2026-46300, this security flaw stems from a logic bug in the Linux XFRM ESP-in-TCP subsystem that can enable unprivileged local attackers to gain root privileges by writing arbitrary bytes to the kernel page cache of read-only files.

Zellic's head of assurance, William Bowling, who discovered this new universal local privilege escalation flaw, also shared a proof-of-concept (PoC) exploit. The PoC achieves a memory-write primitive in the kernel and uses it to corrupt the page cache memory of the /usr/bin/su binary to get a shell with root privileges on vulnerable systems.

Bowling said this flaw belongs to the Dirty Frag vulnerability class, which was disclosed last week, and affects all Linux kernels released before May 13, 2026.

Like Fragnesia, Dirty Frag has a publicly available PoC exploit that local attackers can use to gain root privileges on major Linux distributions. However, Dirty Frag works by chaining two separate kernel flaws, the xfrm-ESP Page-Cache Write vulnerability (CVE-2026-43284) and a RxRPC Page-Cache Write security issue (CVE-2026-43500), to achieve privilege escalation by modifying protected system files in memory.

"Fragnesia is a member of the Dirty Frag vulnerability class. This is a separate bug in the ESP/XFRM from dirtyfrag which has received its own patch. However, it is in the same surface and the mitigation is the same as for dirtyfrag," Bowling said.

"It abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve arbitrary byte writes into the kernel page cache of read-only files, without requiring any race condition."
another day, another universal linux LPE https://t.co/GANYkAJwZS pic.twitter.com/XfzTsmg7kl — V12 (@v12sec) May 13, 2026

To secure systems against attacks, Linux users are advised to apply kernel updates for their environment as soon as possible. Those who can't immediately patch their devices should use the same mitigation commands used for Dirty Frag to remove the vulnerable kernel modules (however, it's important to note that this will break AFS distributed network file systems and IPsec VPNs):

    rmmod esp4 esp6 rxrpc
    printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf

Fragnesia's disclosure comes as Linux distros are still rolling out patches for "Copy Fail," another privilege escalation vulnerability now actively exploited in the wild. CISA added Copy Fail to its catalog of flaws exploited in attacks on May 1 and ordered federal agencies to secure their Linux systems within two weeks, by May 15.

"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," the U.S. cybersecurity agency warned. "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."

In April, Linux distros patched another root-privilege escalation vulnerability (dubbed Pack2TheRoot) in the PackageKit daemon that had gone unnoticed for a decade.
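To confirm that the module mitigation described above is actually in effect on a host, the following added example (not from the article or from Bowling's disclosure) checks that esp4, esp6 and rxrpc are both unloaded and blocked from loading. The function names and the optional file and directory arguments are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit the esp4/esp6/rxrpc mitigation described in the article.
# The file and directory arguments are assumptions of this sketch so the
# checks can also run against constructed sample files.

MODULES="esp4 esp6 rxrpc"   # modules named in the article's mitigation

# module_loaded NAME [FILE]: succeeds if NAME is listed in /proc/modules.
module_loaded() {
    awk -v m="$1" '$1 == m { hit = 1 } END { exit !hit }' "${2:-/proc/modules}"
}

# module_blocked NAME [DIR]: succeeds if a *.conf file in DIR contains
# "install NAME /bin/false", the line the mitigation writes.
module_blocked() {
    for f in "${2:-/etc/modprobe.d}"/*.conf; do
        [ -f "$f" ] || continue
        awk -v m="$1" '$1 == "install" && $2 == m && $3 == "/bin/false" { hit = 1 }
            END { exit !hit }' "$f" && return 0
    done
    return 1
}

# audit_mitigation [FILE] [DIR]: prints one status line per module and
# returns 0 only if every module is unloaded and blocked from loading.
audit_mitigation() {
    rc=0
    for m in $MODULES; do
        state=""
        module_loaded "$m" "${1:-/proc/modules}" && state="still-loaded"
        module_blocked "$m" "${2:-/etc/modprobe.d}" || state="${state:+$state,}not-blocked"
        [ -z "$state" ] || rc=1
        echo "$m: ${state:-mitigated}"
    done
    return $rc
}
```

Calling `audit_mitigation` with no arguments checks the live system. Code compiled into the kernel never appears in /proc/modules and is not affected by modprobe.d entries, so this audit only covers the loadable-module case.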
Indicators of Compromise
- cve — CVE-2026-46300
- cve — CVE-2026-43284
- cve — CVE-2026-43500