Fragnesia: New Linux Kernel LPE Bug Gives Attackers Reliable Root Access Without Race Conditions
A newly disclosed Linux kernel privilege escalation vulnerability dubbed Fragnesia (CVE-2026-46300) allows unprivileged attackers to reliably gain root access by corrupting page cache memory, with public exploit code already available.
Linux administrators still reeling from the Dirty Frag vulnerabilities now face a sequel that may be even more dangerous. Researchers at Wiz have published an analysis of "Fragnesia," a Linux kernel local privilege escalation (LPE) flaw discovered by William Bowling of the V12 security team. Tracked as CVE-2026-46300, the vulnerability allows unprivileged users to gain root access by corrupting page cache memory, and public proof-of-concept exploit code is already available on GitHub.
The bug resides in the Linux kernel's XFRM subsystem, specifically in the ESP-in-TCP processing used for IPsec support. By carefully triggering the flaw, attackers can modify protected file data in memory without altering the original files stored on disk. This means an attacker who has already gained initial access through phishing, stolen credentials, or a vulnerable cloud workload can escalate to full root privileges with high reliability.
What makes Fragnesia particularly alarming is its reliability. Unlike older Linux root exploits such as Dirty COW, which required precise timing and often crashed the system, Fragnesia avoids race conditions entirely. According to Wiz and V12, the exploit is far more predictable and stable, making it much more useful for attackers after an initial compromise. The V12 proof-of-concept repository demonstrates the vulnerability being used against /usr/bin/su to spawn a root shell.
Fragnesia emerged as an unintended side effect of patches shipped to fix the original Dirty Frag vulnerabilities, which themselves surfaced only days ago. Dirty Frag was already attracting attention due to public exploit code, incomplete patch coverage, and unusually reliable privilege escalation. According to researcher Hyunwoo Kim, who uncovered Dirty Frag, this new bug adds yet another entry to the long tradition of security fixes accidentally creating new security problems.
Multiple Linux vendors have issued advisories and mitigation guidance. AlmaLinux warned that all supported releases are affected and urged administrators to patch quickly or disable unused ESP-related functionality where possible. Similar advisories have been issued by Amazon Linux, CloudLinux, Debian, Gentoo, Red Hat Enterprise Linux, SUSE, and Ubuntu as distributors scramble to assess exposure across supported kernel versions. Microsoft also urged organizations to patch quickly, noting that though it had not observed in-the-wild exploitation so far, Fragnesia "can modify any file readable by the user, including /etc/passwd."
The discovery of Fragnesia follows hot on the heels of Copy Fail, another Linux kernel privilege escalation flaw that abused page cache handling to overwrite supposedly read-only files. The Linux networking stack is increasingly becoming a rich target for attackers, with multiple high-impact LPE bugs emerging in rapid succession. Administrators are advised to prioritize patching and review their use of ESP-in-TCP IPsec functionality as a potential attack surface.