New Fragnesia Linux Flaw Lets Attackers Gain Root Privileges
A high-severity Linux kernel privilege escalation vulnerability, CVE-2026-46300, dubbed Fragnesia, allows unprivileged local attackers to gain root access via a logic bug in the XFRM ESP-in-TCP subsystem.
Linux distributions are rolling out urgent patches for a new high-severity kernel privilege escalation vulnerability that lets unprivileged local attackers gain full root privileges. Tracked as CVE-2026-46300 and named Fragnesia, the flaw is a logic bug in the Linux XFRM ESP-in-TCP subsystem that enables arbitrary byte writes to the kernel page cache of read-only files. Discovered by William Bowling, head of assurance at Zellic, a proof-of-concept (PoC) exploit is already publicly available, raising the risk of widespread exploitation.
Fragnesia belongs to the Dirty Frag vulnerability class, which was disclosed just last week. While the original Dirty Frag flaw chains two separate kernel bugs (CVE-2026-43284 and CVE-2026-43500) to achieve privilege escalation, Fragnesia is a standalone bug in the same attack surface. "It abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve arbitrary byte writes into the kernel page cache of read-only files, without requiring any race condition," Bowling explained. The PoC exploit corrupts the page cache memory of the /usr/bin/su binary to spawn a root shell.
All Linux kernels released before May 13, 2026 are affected. Major distributions including Debian, Ubuntu, Red Hat, and SUSE are now pushing kernel updates to address the flaw. For systems that cannot be immediately patched, administrators can apply the same mitigation used for Dirty Frag: removing the vulnerable kernel modules (esp4, esp6, rxrpc) via rmmod and blacklisting them in /etc/modprobe.d/dirtyfrag.conf. However, this will break AFS distributed network file systems and IPsec VPNs.
The disclosure of Fragnesia comes as Linux distributions are still rolling out patches for "Copy Fail," another privilege escalation vulnerability that is now actively exploited in the wild. CISA added Copy Fail to its Known Exploited Vulnerabilities catalog on May 1, ordering federal agencies to secure their Linux systems by May 15. "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," the agency warned.
In April, Linux distributions patched another root-privilege escalation vulnerability dubbed Pack2TheRoot in the PackageKit daemon that had gone unnoticed for a decade. The rapid succession of Linux kernel LPE flaws highlights the growing challenge of securing the kernel's complex attack surface, especially as AI-powered bug-hunting tools flood maintainers with reports. Linus Torvalds recently described the kernel's security mailing list as "almost entirely unmanageable" due to duplicate AI-generated reports.
Bowling's discovery and public PoC mean that Fragnesia is likely to be incorporated into exploit kits used by penetration testers and, potentially, malicious actors. Users are strongly advised to apply kernel updates as soon as they become available for their distribution. The vulnerability underscores the critical importance of timely patching for Linux systems, particularly those that cannot be patched immediately should implement the module blacklist mitigation to reduce exposure.