Fragnesia (CVE-2026-46300): New Linux Kernel LPE Vulnerability Spawned by Dirty Frag Patch
A new Linux kernel local privilege escalation vulnerability dubbed 'Fragnesia' (CVE-2026-46300) was accidentally introduced by the patch for the Dirty Frag bugs, with a public PoC already available for Ubuntu systems.

Security researchers have disclosed CVE-2026-46300, a new local privilege escalation (LPE) vulnerability in the Linux kernel dubbed "Fragnesia." The flaw affects the same xfrm-ESP module as the recently disclosed Dirty Frag vulnerabilities and was, according to Dirty Frag discoverer Hyunwoo Kim, "accidentally activated" by the patch that fixed CVE-2026-43284, one of the original Dirty Frag bugs.
Fragnesia was discovered by William Bowling of Zellic.io using the company's AI-agentic software auditing tool. A public proof-of-concept exploit has been released and has been confirmed working on Ubuntu systems, though no in-the-wild exploitation has been reported to date. The vulnerability carries a high severity rating and allows an attacker with local access to escalate privileges to root on affected systems.
A kernel patch was released on May 13, 2026, addressing the flaw. Tenable noted that while the existing Dirty Frag patches do not address Fragnesia, the module blacklist mitigation that protects against Dirty Frag also protects against this new vulnerability. The disclosure highlights the risk of patch-induced regressions, where fixes for one vulnerability inadvertently introduce new security flaws.
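
One way to verify that the module blacklist mitigation mentioned above is actually in effect on a host, as an added example that is not from the original article, Tenable, or the kernel project. The module names `esp4` and `esp6` are an assumption standing in for the article's "xfrm-ESP module" (use the names given in your distribution's advisory); `module_status` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# module_status MODULE [MODPROBE_DIR] [PROC_MODULES_FILE] prints one of:
#   loaded       already in the kernel; config changes will not unload it
#   blocked      "install MODULE /bin/false" (or true): modprobe cannot load it
#   alias-only   only "blacklist MODULE": stops alias autoload, but an
#                explicit modprobe or a dependency can still load it
#   unprotected  no directive found for this module
module_status() {
    dir=${2:-/etc/modprobe.d}; proc=${3:-/proc/modules}
    # /proc/modules uses '_' where config files may use '-'; treat them alike.
    mod=$(printf '%s' "$1" | sed 's/-/_/g')
    if [ -r "$proc" ] &&
       awk -v m="$mod" '$1 == m { hit = 1 } END { exit !hit }' "$proc"; then
        echo loaded
        return 0
    fi
    cat "$dir"/*.conf 2>/dev/null | awk -v m="$mod" '
        /^[ \t]*#/ { next }                       # skip comment lines
        { name = $2; gsub(/-/, "_", name) }
        $1 == "install" && name == m &&
            $3 ~ /^(\/usr)?\/bin\/(false|true)$/ { inst = 1 }
        $1 == "blacklist" && name == m { bl = 1 }
        END { print (inst ? "blocked" : (bl ? "alias-only" : "unprotected")) }'
}

# Constructed sample input, not real system state. esp4/esp6 are assumed
# module names; example_mod is a made-up module shown as already loaded.
demo=$(mktemp -d)
printf 'install esp4 /bin/false\nblacklist esp6\n' > "$demo/mitigation.conf"
printf 'example_mod 16384 0 - Live 0x0000000000000000\n' > "$demo/modules"
for m in esp4 esp6 example_mod; do
    printf '%-12s %s\n' "$m" "$(module_status "$m" "$demo" "$demo/modules")"
done
rm -rf "$demo"
```

On a real host, call `module_status NAME` with no further arguments to read `/etc/modprobe.d` and `/proc/modules`; the function inspects a single directory, so repeat it for any other modprobe.d locations your distribution uses. A result of `loaded` means the module must be unloaded or the host rebooted before the blacklist has any effect.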
Organizations running Linux systems, particularly those using the xfrm-ESP module for IPsec processing, should apply the latest kernel updates promptly. The availability of a public PoC increases the risk of weaponization by threat actors, even though no active exploitation has been observed yet. The Fragnesia case serves as a cautionary tale about the complexity of kernel security and the unintended consequences of vulnerability patches.