Fragnesia Linux Kernel LPE via XFRM ESP-in-TCP Page Cache Corruption

1 unique source, 1 article

Summary

A new Linux kernel local privilege escalation (LPE) vulnerability, codenamed Fragnesia and tracked as CVE-2026-46300 (CVSS 7.8), enables unprivileged local attackers to gain root access by corrupting the kernel page cache. The flaw resides in the XFRM ESP-in-TCP subsystem and allows arbitrary byte writes into the read-only page cache of files such as /usr/bin/su without requiring race conditions or host-level privileges. A proof-of-concept exploit has been publicly released, and patches are available across major Linux distributions including AlmaLinux, Debian, Red Hat Enterprise Linux, SUSE, and Ubuntu. Mitigation strategies include disabling esp4, esp6, and related xfrm/IPsec functionality, restricting local shell access, and hardening containerized environments.
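One way to audit the esp4/esp6 mitigation named in the summary, as an added example that is not part of the original article: it classifies each module from a /proc/modules-format list and modprobe.d-style configuration files. The function names, the sample files and the "install ... /bin/false" override convention are assumptions of this example; only the module names esp4 and esp6 come from the page.

```shell
#!/bin/sh
# Added example (not from the page): classify the esp4/esp6 mitigation state.
# Module names esp4 and esp6 come from the page; the "related xfrm/IPsec"
# modules are not enumerated there, so they are left out.

# conf_has KEYWORD MODULE FILE... : true if a modprobe.d-style file has
# "KEYWORD MODULE"; for "install" the command must end in /false or /true.
conf_has() {
    _kw=$1; _mod=$2; shift 2
    awk -v kw="$_kw" -v m="$_mod" '
        /^[ \t]*#/ { next }
        $1 == kw && $2 == m && (kw != "install" || $3 ~ /\/(false|true)$/) { hit = 1 }
        END { exit !hit }' "$@" /dev/null
}

# esp_state MODULE MODULES_FILE CONF_FILE... prints one of:
#   loaded          present in the /proc/modules-format list (config is moot)
#   blocked         "install MODULE /bin/false" style override in place
#   blacklist-only  only alias autoload suppressed; modprobe by name still works
#   loadable        nothing prevents loading
esp_state() {
    _name=$1; _list=$2; shift 2
    if awk -v m="$_name" '$1 == m { f = 1 } END { exit !f }' "$_list"; then
        echo loaded
    elif conf_has install "$_name" "$@"; then echo blocked
    elif conf_has blacklist "$_name" "$@"; then echo blacklist-only
    else echo loadable
    fi
}

# Constructed sample input so the example runs offline.
demo_dir=$(mktemp -d)
printf '%s\n' 'ext4 1142784 1 - Live 0x0000000000000000' \
              'esp4 28672 0 - Live 0x0000000000000000' > "$demo_dir/modules"
printf '%s\n' '# constructed modprobe.d file' \
              'install esp4 /bin/false' 'blacklist esp6' > "$demo_dir/ipsec.conf"

for mod in esp4 esp6; do
    printf '%s: %s\n' "$mod" "$(esp_state "$mod" "$demo_dir/modules" "$demo_dir/ipsec.conf")"
done
# On a real host: esp_state esp4 /proc/modules /etc/modprobe.d/*.conf
# Caveat: code built into the kernel never appears in /proc/modules.
rm -rf "$demo_dir"
```

A "loaded" result means the configuration override has not taken effect for the running kernel, since an install override does not unload a module that is already present.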

Timeline

  1. 14.05.2026 10:06 · 1 article

    Fragnesia Linux Kernel LPE (CVE-2026-46300) Disclosed with Public PoC and Mitigations

    A new Linux kernel LPE vulnerability, Fragnesia (CVE-2026-46300, CVSS 7.8), was disclosed, enabling unprivileged local attackers to gain root access via page cache corruption in the XFRM ESP-in-TCP subsystem. A proof-of-concept exploit was released, demonstrating immediate root access on all major Linux distributions by corrupting the page cache memory of read-only files such as /usr/bin/su. Patches and advisories have been issued by multiple Linux distributions, with CloudLinux noting that existing Dirty Frag mitigations may suffice until patched kernels are available. AppArmor provides only a partial mitigation, and disabling esp4, esp6, and related xfrm/IPsec functionality is recommended as a defensive measure.

Information Snippets

  • CVE-2026-46300 (Fragnesia) is a Linux kernel LPE vulnerability in the XFRM ESP-in-TCP subsystem, enabling unprivileged local attackers to corrupt the kernel page cache and achieve root access.

    First reported: 14.05.2026 10:06
    1 source, 1 article
  • The vulnerability leverages a logic bug to perform arbitrary byte writes into the page cache of read-only files, such as /usr/bin/su, without requiring race conditions or elevated host privileges.

    First reported: 14.05.2026 10:06
    1 source, 1 article
  • A proof-of-concept exploit has been released by V12 security, demonstrating immediate root access on all major Linux distributions by corrupting the page cache memory.

    First reported: 14.05.2026 10:06
    1 source, 1 article
  • Patches and advisories have been issued by multiple Linux distributions, including AlmaLinux, Debian, Red Hat Enterprise Linux, SUSE, and Ubuntu, with CloudLinux noting that existing Dirty Frag mitigations may cover Fragnesia until patched kernels are available.

    First reported: 14.05.2026 10:06
    1 source, 1 article
  • AppArmor restrictions on unprivileged user namespaces provide only a partial mitigation, requiring additional bypasses for exploitation. Disabling esp4, esp6, and related xfrm/IPsec functionality is recommended as a mitigation strategy.

    First reported: 14.05.2026 10:06
    1 source, 1 article
  • No in-the-wild exploitation of Fragnesia has been observed to date, but the availability of a public PoC and the historical exploitation of similar vulnerabilities (Dirty Frag, Copy Fail) heighten the urgency for patching.

    First reported: 14.05.2026 10:06
    1 source, 1 article
  • A threat actor named "berz0k" is advertising a separate Linux LPE zero-day on cybercrime forums for $170,000, claiming it is TOCTOU-based, stable across major distributions, and uses a shared object payload dropped into /tmp.

    First reported: 14.05.2026 10:06
    1 source, 1 article