New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption (CVE-2026-46300, CVSS 7.8)

Introduction

Details have emerged regarding Fragnesia, a new local privilege escalation (LPE) vulnerability in the Linux kernel. This flaw, identified as CVE-2026-46300 with a CVSS score of 7.8, allows unprivileged local attackers to gain root access. The discovery of Fragnesia marks the third such LPE bug identified in the Linux kernel within a span of two weeks, indicating persistent challenges in kernel security.

The vulnerability is rooted in the Linux kernel's XFRM ESP-in-TCP subsystem. It represents a variant of the recently disclosed Dirty Frag LPE, sharing similar characteristics in its exploitation mechanism. Fragnesia specifically achieves root privileges through a deterministic page-cache corruption primitive.

The flaw is deterministic, reachable by any local user, and already has a public proof of concept, so it belongs near the top of the patch queue for any multi-user or container host. The sections below cover the mechanism, the exploitation path, and what to do where a patched kernel is not yet available.

What is CVE-2026-46300 and why is it critical?

CVE-2026-46300, codenamed Fragnesia, is a local privilege escalation vulnerability in the Linux kernel's XFRM ESP-in-TCP subsystem. Its CVSS score of 7.8 is a High rating rather than Critical, but the practical outcome is full root: an unprivileged local attacker can modify the contents of read-only files as they sit in the kernel page cache, which defeats the file permission model that setuid binaries depend on. The flaw was found by William Bowling of the V12 security team.

The vulnerability operates by abusing a logic bug within the XFRM ESP-in-TCP subsystem. Unlike some prior LPEs, Fragnesia achieves arbitrary byte writes into the kernel page cache of read-only files without requiring any race condition. This deterministic nature simplifies exploitation, making it a significant concern for systems exposed to local users or compromised applications.

Fragnesia is conceptually similar to earlier Linux kernel LPEs such as Copy Fail and Dirty Frag. All these vulnerabilities use memory write primitives in the kernel to corrupt the page cache memory. In the case of Fragnesia, a common exploitation vector involves targeting the /usr/bin/su binary to immediately yield root access across major distributions. PurpleOps has previously detailed related Linux kernel flaws, including the Dirty Frag privilege escalation and the original Dirty Frag Linux vulnerability, as well as CVE-2026-31431, which involved memory corruption similar to the page cache corruption mechanism seen in Fragnesia.

Technical Details of Fragnesia (CVE-2026-46300)

Fragnesia, tracked as CVE-2026-46300 with a CVSS score of 7.8, allows local attackers to achieve root access by corrupting the Linux kernel's page cache. The bug is a logic flaw in the kernel's XFRM ESP-in-TCP code, the implementation of TCP encapsulation for IPsec ESP (RFC 8229) that lets IPsec traffic cross networks which block UDP or raw ESP. The feature is enabled with CONFIG_INET_ESPINTCP / CONFIG_INET6_ESPINTCP and registers the "espintcp" TCP ULP, so on kernels built with those options the code path is present whether or not the host actually runs IPsec.

The core mechanism is a deterministic page-cache corruption primitive. The page cache holds file contents in RAM so that later reads and executable mappings are served without going back to disk, and every process that runs /usr/bin/su maps the same cached pages. By manipulating the ESP-in-TCP subsystem, an unprivileged local attacker can make the kernel write attacker-chosen bytes into the cached pages of a file the attacker has no write permission on. The modified page stays in the cache and is what every subsequent execution of the file maps, even though the permission checks on the file were never passed.

  • Vulnerability Type: Local Privilege Escalation (LPE)
  • CVE ID: CVE-2026-46300
  • CVSS Score: 7.8
  • Discovery: William Bowling, V12 security team
  • Affected Component: Linux kernel's XFRM ESP-in-TCP subsystem
  • Attack Vector: Local, unprivileged access
  • Mechanism: Logic bug enabling deterministic page-cache corruption of read-only files
  • Prerequisites: No race condition required for exploitation.

A proof-of-concept (PoC) exploit for Fragnesia has been released by the V12 security team. This PoC demonstrates the ability to corrupt the page cache of critical system binaries, such as /usr/bin/su, to inject malicious code or alter its behavior, thereby granting root privileges to the unprivileged attacker. This method directly undermines the system's access control mechanisms.

Advisories for CVE-2026-46300 have been released by numerous Linux distributions, confirming the broad impact of this vulnerability:

  • AlmaLinux
  • Amazon Linux
  • CloudLinux
  • Debian
  • Gentoo
  • Red Hat Enterprise Linux
  • SUSE
  • Ubuntu

Fragnesia is a distinct bug from Dirty Frag, but it sits in the same attack surface (the XFRM/ESP code), so mitigations that remove that surface, such as blocking the ESP and XFRM modules, are expected to cover both; the Mitigation section notes which vendors have confirmed this. Unlike some other LPEs, Fragnesia needs no privileges on the host: an ordinary unprivileged local account, or code running as one, is enough once local execution is obtained.

Exploitation and Impact

Exploitation of Fragnesia (CVE-2026-46300) gives an unprivileged local attacker root on affected Linux systems. The attacker corrupts the page cache of a read-only file, which replaces the file's contents as seen by every process without passing any of the permission checks that normally protect it.

The usual target is a setuid-root executable such as /usr/bin/su. Because su runs with root privileges for whoever calls it, replacing code in its cached pages means the attacker's next execution of su runs attacker-controlled instructions as root; no other user needs to be involved. This path works across major Linux distributions, and the public proof-of-concept (PoC) exploit from V12 Security makes it straightforward to reproduce.

While no in-the-wild exploitation of Fragnesia has been observed at this time, the rapid emergence of similar LPE vulnerabilities, such as Dirty Frag and Copy Fail, indicates a potential trend in attacker focus. The availability of a PoC often precedes active exploitation in real-world scenarios. This requires a proactive approach to breach detection and vulnerability management.

For context, ThreatMon reported a threat actor using the handle "berz0k" advertising a zero-day Linux LPE exploit on cybercrime forums for $170,000. The exploit is claimed to be TOCTOU-based (time-of-check to time-of-use), to escalate privileges reliably without crashing the system, and to deliver its payload as a shared object (.so) dropped into /tmp. Whether "berz0k's" offering has any relation to Fragnesia is unconfirmed, but it shows that working Linux kernel exploits command real prices on the forums that underground intelligence teams monitor, and that such exploits are likely to be folded into broader attack campaigns.

The impact of a successful Fragnesia exploit includes:

  • Complete System Compromise: Root access allows an attacker to control the entire system, install malware, steal data, or disrupt operations.
  • Data Exfiltration: Root can read any data on the host, including credentials and secrets that enable further compromise.
  • Persistence: Establishment of backdoors or other persistent access mechanisms.
  • Lateral Movement: Use of the compromised system as a pivot point for further attacks within a network.
  • Operational Disruption: Interference with critical services and applications.

Google-owned Wiz published a detailed analysis of Fragnesia that confirms the mechanism and impact described above. Organizations that already prepared for Dirty Frag have a head start, but a patched kernel remains the only complete remediation.

Mitigation and Patches

Addressing Fragnesia (CVE-2026-46300) means applying vendor-supplied kernel updates and, until they land, removing or restricting the vulnerable code path. A fix exists, but each distribution ships it on its own schedule, so some kernels are still pending. Prioritize the steps below on any host where untrusted local users or containerized workloads run.

Microsoft has urged users and organizations to apply the patch as soon as it is available through their distribution's update tools. Where immediate patching is not feasible, the Dirty Frag mitigations apply: CloudLinux maintainers have stated that customers who already applied the Dirty Frag mitigation need no further action until patched kernels ship for Fragnesia, and Red Hat is assessing whether its existing Dirty Frag mitigations cover CVE-2026-46300.

Recommended mitigation steps include:

  • Apply Vendor Patches: Update the Linux kernel to versions that include the fix for CVE-2026-46300. Consult distribution-specific advisories for patch availability and instructions.
  • Disable XFRM/IPsec Functionality: If IPsec is not used, prevent the ESP transforms and the XFRM configuration modules from loading: esp4, esp6, esp4_offload, esp6_offload, xfrm_interface, xfrm_algo and xfrm_user. Use an "install MODULE /bin/false" rule in /etc/modprobe.d (a plain blacklist line only affects alias resolution; an explicit modprobe or a dependency pull-in still loads the module), then modprobe -r anything currently loaded. Note that the core xfrm_state code is compiled into the kernel rather than built as a module and cannot be unloaded, and the espintcp ULP itself is built in when CONFIG_INET_ESPINTCP is set; what this step removes is the ESP transform that the ESP-in-TCP path is built on.
  • Restrict Local Shell Access: Limit unnecessary local shell access for unprivileged users. This reduces the attack surface for any local privilege escalation attempt.
  • Harden Containerized Workloads: Apply strict policies to containers, particularly for user namespaces. AppArmor restrictions on unprivileged user namespaces (Ubuntu's kernel.apparmor_restrict_unprivileged_userns=1) are a partial mitigation: an exploit then needs an additional bypass before it can reach the vulnerable code. The kernel-wide equivalent, user.max_user_namespaces=0, should have the same effect where no workload legitimately needs user namespaces.
  • Increase Monitoring: Watch for abnormal privilege-escalation activity on Linux hosts: root shells spawned from su or sudo in untrusted contexts, unusual process trees under container or service accounts, and XFRM or ESP activity on hosts that never run IPsec. Package integrity checks such as rpm -V and debsums hash files through the page cache, so they flag a corrupted setuid binary while the tampered page is cached but pass again once it is evicted or the host reboots; comparing a normal read with one that bypasses the page cache (O_DIRECT) pinpoints the divergence.
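
The module-blocking and user-namespace steps above, as an added example that is not the article's, V12's, or any distribution's script: a POSIX shell helper that reports whether the ESP-in-TCP code path is present on the running kernel, lists the relevant loaded modules, prints or installs a modprobe.d drop-in, and checks the user-namespace knobs. Assumptions not taken from the page: the upstream module names esp4, esp6, esp4_offload, esp6_offload, xfrm_interface, xfrm_algo and xfrm_user; that the ESP-in-TCP code registers the built-in "espintcp" TCP ULP, which appears in /proc/sys/net/ipv4/tcp_available_ulp and cannot be unloaded; and the drop-in path /etc/modprobe.d/disable-xfrm-esp.conf.

```shell
#!/bin/sh
# Added example, not from the article or any vendor advisory. Module names and
# the espintcp ULP name are the upstream ones (assumed, see lead-in).

ESP_MODULES="esp4 esp6 esp4_offload esp6_offload xfrm_interface xfrm_algo xfrm_user"

# espintcp_available FILE: true if the ULP list in FILE (normally
# /proc/sys/net/ipv4/tcp_available_ulp) contains espintcp, i.e. the kernel was
# built with CONFIG_INET_ESPINTCP / CONFIG_INET6_ESPINTCP.
espintcp_available() {
    grep -qw espintcp "$1" 2>/dev/null
}

# loaded_esp_modules FILE: names from a /proc/modules-style listing that are in
# ESP_MODULES, one per line, in file order.
loaded_esp_modules() {
    awk -v want="$ESP_MODULES" '
        BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) w[a[i]] = 1 }
        ($1 in w) { print $1 }' "$1"
}

# render_modprobe_conf: modprobe.d drop-in. "install MOD /bin/false" defeats an
# explicit modprobe and dependency loading as well as alias autoload; a bare
# "blacklist MOD" line only affects alias resolution.
render_modprobe_conf() {
    for m in $ESP_MODULES; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# userns_status MAXFILE AAFILE: "restricted" if user.max_user_namespaces is 0 or
# Ubuntu's kernel.apparmor_restrict_unprivileged_userns is 1, else "open".
userns_status() {
    max=$(cat "$1" 2>/dev/null || echo unknown)
    aa=$(cat "$2" 2>/dev/null || echo unknown)
    if [ "$max" = 0 ] || [ "$aa" = 1 ]; then echo restricted; else echo open; fi
}

report() {
    if espintcp_available /proc/sys/net/ipv4/tcp_available_ulp; then
        echo "espintcp ULP registered: ESP-in-TCP attack surface is present"
    else
        echo "espintcp ULP not registered in this kernel"
    fi
    echo "loaded ESP/XFRM modules: $(loaded_esp_modules /proc/modules | tr '\n' ' ')"
    echo "unprivileged user namespaces: $(userns_status \
        /proc/sys/user/max_user_namespaces \
        /proc/sys/kernel/apparmor_restrict_unprivileged_userns)"
}

# apply: write the drop-in and unload what is loaded. Refuses if XFRM state
# exists, because that means IPsec is in use on this host.
apply() {
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
    if ip xfrm state 2>/dev/null | grep -q .; then
        echo "refusing: active XFRM states found, IPsec is in use" >&2
        return 1
    fi
    render_modprobe_conf > /etc/modprobe.d/disable-xfrm-esp.conf
    for m in $(loaded_esp_modules /proc/modules); do
        modprobe -r "$m" 2>/dev/null || echo "could not unload $m (still in use?)" >&2
    done
}

# Usage: sh xfrm-check.sh report | render | apply   (no argument: do nothing)
case "${1:-}" in
    report) report ;;
    render) render_modprobe_conf ;;
    apply)  apply ;;
esac
```

Run "report" first; "apply" refuses to proceed when ip xfrm state lists active states, since the same rules would break a working VPN. On a kernel where espintcp is registered, blocking the modules is the only lever short of a rebuilt kernel, because the ULP itself is not a loadable module.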

These mitigations either remove the attack surface or detect its use. Because Fragnesia needs no privileges on the host, a strong network perimeter does not help: any foothold that can run code locally, including a compromised web application or container, is enough, so the flaw must be addressed on internal systems as well. Regular updates and defense in depth remain the baseline. Threat-intelligence sources that track exploit circulation (the examples here are PurpleOps' live ransomware API and Telegram threat monitoring) can inform patch prioritization when a PoC starts showing up in attacker tooling.

Technical Takeaways

  • Fragnesia (CVE-2026-46300, CVSS 7.8) is a Linux kernel LPE in the XFRM ESP-in-TCP subsystem.
  • It allows unprivileged local attackers to achieve root access via deterministic page-cache corruption of read-only files.
  • A public proof-of-concept (PoC) exploit exists, targeting /usr/bin/su for immediate root compromise.
  • The vulnerability is distinct but shares similarities and mitigation strategies with Dirty Frag and Copy Fail.
  • Major Linux distributions have released advisories, and patches are available or pending.
  • Mitigation involves applying patches, disabling unneeded XFRM/IPsec functionality, restricting local access, hardening containers, and enhancing privilege escalation monitoring.