Fragnesia Linux bug lets local users gain root

Fragnesia (CVE-2026-46300) allows unprivileged local attackers to corrupt the Linux kernel page cache via the XFRM ESP-in-TCP subsystem to obtain root on affected systems.

A newly disclosed Linux kernel vulnerability tracked as CVE-2026-46300 and nicknamed Fragnesia enables unprivileged local attackers to corrupt the kernel page cache through the XFRM ESP-in-TCP subsystem and gain root access. The bug carries a CVSS score of 7.8 and was discovered by William Bowling of the V12 security team.

The flaw permits deterministic writes into the kernel page cache for read-only files, allowing attackers to alter key binaries such as /usr/bin/su and obtain immediate elevation to root on affected systems. V12 published a proof-of-concept exploit and technical details showing that the ESP-in-TCP handling contains a logic error allowing arbitrary byte writes into the page cache without relying on a race condition.

V12 clarified the issue is in the same code surface as recent vulnerabilities known as Dirty Frag and Copy Fail but is a distinct bug with its own patch. V12 wrote: “This is a separate bug in the ESP/XFRM from Dirty Frag which has received its own patch. However, it is in the same surface and the mitigation is the same as for Dirty Frag. It abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve arbitrary byte writes into the kernel page cache of read-only files, without requiring any race condition.”

Multiple Linux distributors have released advisories, patches or guidance, including AlmaLinux, Amazon Linux, CloudLinux, Debian, Gentoo, Red Hat Enterprise Linux, SUSE and Ubuntu. CloudLinux maintainers noted that customers who already applied the Dirty Frag mitigations do not need additional steps until patched kernels are available. Red Hat is assessing whether existing mitigations cover this vulnerability.

Vendors and security teams published temporary mitigation steps for systems that cannot be patched immediately. Recommended actions include disabling esp4, esp6 and related XFRM/IPsec functionality where feasible, restricting unnecessary local shell access, hardening containerized workloads and increasing monitoring for abnormal privilege escalation activity. Security firm Wiz pointed out that AppArmor restrictions on unprivileged user namespaces may make exploitation harder but do not fully prevent it.
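One way to verify the esp4/esp6 part of that mitigation on a host, as an added example that is not taken from V12, Microsoft or any vendor advisory. It assumes both are built as loadable modules and that disabling is done with a modprobe.d `install <module> /bin/false` line, a method the advisories summarized here do not spell out; the sample files are constructed.

```shell
#!/bin/sh
# Added example, not vendor code. Assumes esp4/esp6 are built as loadable
# modules; code compiled into the kernel never appears in /proc/modules.

# esp_module_state MODULE PROC_MODULES MODPROBE_DIR
# Prints: loaded | blocked | loadable
esp_module_state() {
    mod=$1; procfile=$2; confdir=$3
    # First column of /proc/modules is the module name.
    if awk -v m="$mod" '$1 == m { f = 1 } END { exit !f }' "$procfile"; then
        echo loaded; return 0
    fi
    # "install <mod> /bin/false" makes modprobe refuse to load the module.
    # A bare "blacklist" line only ignores the module's aliases and still
    # allows an explicit modprobe, so this check does not count it.
    # Commented-out lines never satisfy $1 == "install".
    if cat "$confdir"/*.conf 2>/dev/null | awk -v m="$mod" '
        $1 == "install" && $2 == m && ($3 == "/bin/false" || $3 == "/bin/true") { f = 1 }
        END { exit !f }'; then
        echo blocked; return 0
    fi
    echo loadable
}

# audit_esp PROC_MODULES MODPROBE_DIR
# Returns 0 only when both modules are unloaded and blocked.
audit_esp() {
    rc=0
    for mod in esp4 esp6; do
        state=$(esp_module_state "$mod" "$1" "$2")
        echo "$mod: $state"
        [ "$state" = blocked ] || rc=1
    done
    return $rc
}

# Constructed sample input (not from a real host): esp4 loaded, esp6 blocked.
SAMPLE=$(mktemp -d)
mkdir "$SAMPLE/modprobe.d"
printf '%s\n' 'esp4 32768 0 - Live 0x0000000000000000' \
    'xfrm_user 61440 2 - Live 0x0000000000000000' > "$SAMPLE/modules"
printf '%s\n' '# install esp4 /bin/false' 'install esp6 /bin/false' \
    > "$SAMPLE/modprobe.d/ipsec-off.conf"
audit_esp "$SAMPLE/modules" "$SAMPLE/modprobe.d" || echo "mitigation incomplete"
```

On a real host, call `audit_esp /proc/modules /etc/modprobe.d`; modprobe also reads /run/modprobe.d and /usr/lib/modprobe.d, so repeat the check for those directories.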

Microsoft released a patch and urged rapid updates, adding guidance on temporary mitigations where patching is not yet possible.

Microsoft advised:

“A patch is available, and while no in-the-wild exploitation has been observed at this time, we urge users and organizations to apply the patch as soon as possible by running update tools. If patching is not possible at this point, consider applying the same mitigations for Dirty Frag.”

A separate development involves a threat actor using the name “berz0k” who advertised a Linux local privilege escalation exploit for $170,000 and claimed the exploit was TOCTOU-based, stable and able to deliver a shared object payload into /tmp. Threat monitoring teams have not confirmed active use of such an exploit against the Fragnesia vulnerability.

Fragnesia is the third local privilege escalation vulnerability affecting the Linux kernel identified within about two weeks, following Dirty Frag and Copy Fail. Security teams recommend applying vendor patches or implementing the listed mitigations until patched kernels are deployed.
