New Linux Kernel Vulnerability Fragnesia Allows Root Privilege Escalation
A newly disclosed Linux kernel vulnerability, CVE-2026-46300, allows local attackers to escalate privileges to root by exploiting a memory write primitive in the XFRM ESP-in-TCP subsystem.
Linux distributions are rolling out patches for a critical kernel vulnerability that allows local attackers to escalate privileges to root. Tracked as CVE-2026-46300 and dubbed Fragnesia, the flaw resides in the kernel's XFRM ESP-in-TCP subsystem, which handles Encapsulating Security Payload (ESP) traffic over TCP connections. Microsoft's threat intelligence team, which disclosed the vulnerability, described it as enabling an unprivileged attacker to achieve a memory write primitive in the kernel.
Fragnesia is the latest in a series of similar vulnerabilities, following Dirty Frag and Copy Fail. Like its predecessors, Fragnesia exploits a weakness in the XFRM subsystem to corrupt kernel memory. The attacker uses this primitive to overwrite the page cache of sensitive binaries such as /usr/bin/su, ultimately launching a shell with root privileges. Microsoft noted that exploitation is not limited to the su binary; an attacker could modify any file readable by the user, including /etc/passwd, to gain persistent elevated access.
A proof-of-concept (PoC) exploit has been released, but as of the latest reports, there is no confirmed in-the-wild exploitation of Fragnesia. However, the availability of a PoC significantly lowers the barrier for attackers, making it imperative for organizations to patch quickly. Microsoft urged administrators to apply available patches as soon as possible, warning that the vulnerability affects a majority of Linux distributions.
The disclosure comes on the heels of related vulnerabilities that have seen active exploitation. Copy Fail has been exploited in the wild, and Microsoft reported on May 8 that its Defender product had observed limited in-the-wild activity potentially linked to either Dirty Frag or Copy Fail. While no such activity has been confirmed for Fragnesia, the pattern underscores the persistent risk posed by kernel-level privilege escalation flaws.
Most major Linux distributions have begun releasing patches for CVE-2026-46300. System administrators are advised to update their kernels immediately and monitor for any signs of exploitation. The vulnerability is classified as high severity due to the ease of local privilege escalation and the availability of a working exploit.
Fragnesia highlights the ongoing challenge of securing the Linux kernel's complex networking subsystems. The XFRM framework, used for IPsec and other security protocols, has been a recurring source of vulnerabilities. As attackers increasingly target kernel-level flaws to bypass user-space security controls, timely patching remains the most effective defense.