Fragnasia Linux privilege escalation flaw enables root access via XFRM ESP-in-TCP logic bug
Summary
Hide ▲
Show ▼
A high-severity logic bug in the Linux XFRM ESP-in-TCP subsystem, tracked as CVE-2026-46300 and named Fragnasia, allows unprivileged local attackers to gain root privileges by corrupting the kernel page cache of read-only files, including critical binaries like /usr/bin/su. Discovered by William Bowling of Zellic, the vulnerability is the second known member of the Dirty Frag vulnerability class and provides a direct memory-write primitive to overwrite kernel page cache memory without requiring race conditions. All Linux kernels released before May 13, 2026 are affected. A proof-of-concept exploit has been publicly released, enabling attackers to achieve root shells on vulnerable systems.
Timeline
-
14.05.2026 10:34 1 articles · 2h ago
Linux XFRM ESP-in-TCP logic bug (CVE-2026-46300, Fragnasia) disclosed with public PoC and patches underway
A high-severity logic bug in the Linux XFRM ESP-in-TCP subsystem, tracked as CVE-2026-46300 and dubbed Fragnasia, was disclosed with a public proof-of-concept exploit. The vulnerability allows unprivileged local attackers to gain root privileges by corrupting kernel page cache memory of read-only system files. Patches are being released by Linux distributions, while a mitigation script for removing vulnerable modules is available but breaks IPsec VPNs and AFS file systems.
Show sources
- New Fragnesia Linux flaw lets attackers gain root privileges — www.bleepingcomputer.com — 14.05.2026 10:34
Information Snippets
-
CVE-2026-46300 (Fragnasia) is a logic bug in the Linux XFRM ESP-in-TCP subsystem affecting kernels prior to May 13, 2026.
First reported: 14.05.2026 10:341 source, 1 articleShow sources
- New Fragnesia Linux flaw lets attackers gain root privileges — www.bleepingcomputer.com — 14.05.2026 10:34
-
The flaw enables arbitrary byte writes into the kernel page cache of read-only files, allowing unprivileged local attackers to corrupt memory of protected system files such as /usr/bin/su to gain root privileges.
First reported: 14.05.2026 10:341 source, 1 articleShow sources
- New Fragnesia Linux flaw lets attackers gain root privileges — www.bleepingcomputer.com — 14.05.2026 10:34
-
A public proof-of-concept exploit demonstrates memory corruption leading to a root shell by targeting the page cache of read-only binaries.
First reported: 14.05.2026 10:341 source, 1 articleShow sources
- New Fragnesia Linux flaw lets attackers gain root privileges — www.bleepingcomputer.com — 14.05.2026 10:34
-
Fragnasia is a separate vulnerability from Dirty Frag but belongs to the same class and shares mitigation strategies. Dirty Frag (CVE-2026-43284 and CVE-2026-43500) chains two kernel flaws to achieve privilege escalation via page cache modification.
First reported: 14.05.2026 10:341 source, 1 articleShow sources
- New Fragnesia Linux flaw lets attackers gain root privileges — www.bleepingcomputer.com — 14.05.2026 10:34
-
Mitigations include immediate kernel patching; in absence of updates, vulnerable kernel modules can be disabled via a provided modprobe configuration, though this breaks AFS distributed file systems and IPsec VPNs.
First reported: 14.05.2026 10:341 source, 1 articleShow sources
- New Fragnesia Linux flaw lets attackers gain root privileges — www.bleepingcomputer.com — 14.05.2026 10:34
-
CISA added the Copy Fail privilege escalation flaw to its Known Exploited Vulnerabilities Catalog on May 1, 2026, with a federal mitigation deadline of May 15, 2026.
First reported: 14.05.2026 10:341 source, 1 articleShow sources
- New Fragnesia Linux flaw lets attackers gain root privileges — www.bleepingcomputer.com — 14.05.2026 10:34