Linux kernel maintainers patched a new local privilege escalation (LPE) flaw dubbed “Fragnesia” on Wednesday, with a proof-of-concept (PoC) exploit published by researchers.

Fragnesia, tracked as CVE-2026-46300, falls within the same vulnerability class as "Dirty Frag," said V12 Security researchers. Dirty Frag is a pair of LPE flaws affecting the Linux kernel, tracked as CVE-2026-43284 and CVE-2026-43500, disclosed last week.

The latest flaw was discovered by V12 team member William Bowling using the V12 AI agent. A logic bug exists in the Linux XFRM ESP-in-TCP subsystem that could allow a low-privileged local attacker to write arbitrary bytes to the kernel page cache of read-only files and ultimately achieve root privileges.

The PoC published by V12 Security exploits the flaw to overwrite the first 192 bytes of /usr/bin/su with an ELF stub that enables the attacker to obtain a root shell upon executing su. This is due to the Linux kernel processing cached file pages as ESP ciphertext under certain conditions, causing AES-GCM keystream bytes to be XORed directly into the cached file, the researchers explained.

The vulnerability can be used to write bytes one at a time, and the attacker can select which bytes to write by matching a specific initialization vector (IV) nonce to its corresponding keystream byte. The attack only modifies the cached version of the targeted file, leaving the on-disk binary unaltered, the researchers said.

All Linux kernel versions before May 13, 2026, are affected by CVE-2026-46300. For systems that cannot be patched immediately, Fragnesia can be mitigated using the same method as Dirty Frag, which temporarily removes the affected modules esp4, esp6 and rxrpc.

The disclosure of Fragnesia comes about a week after Dirty Frag’s discovery and about two weeks after the disclosure of a Linux kernel LPE flaw called "Copy Fail," tracked as CVE-2026-31431. All three exploits involve arbitrary writes to page-cache data in order to gain root privileges. Copy Fail was added to CISA’s Known Exploited Vulnerabilities catalog on May 1, with a remediation deadline of May 15.

“We’re seeing a recurring pattern — from Dirty Frag to Copy Fail and now Fragnesia — where attackers are leveraging highly reliable arbitrary kernel write primitives to bypass traditional hardening. When a PoC can consistently overwrite /etc/passwd or hijack su logic, the exploit isn’t just a technical curiosity — it’s a turnkey solution for full system compromise,” Joe Brinkley, head of offensive security research at Cobalt, told SC Media in an email.

Late last month, another LPE flaw affecting Linux systems, dubbed “Pack2TheRoot” and tracked as CVE-2026-41651, was also disclosed. However, Pack2TheRoot involves a different mechanism — a time-of-check time-of-use (TOCTOU) race condition that allows unprivileged users to install packages as root — and affects the PackageKit service rather than the Linux kernel.
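One way to verify the temporary module-removal mitigation for Fragnesia on a host that cannot be patched yet, as an added example that is not code from the article, V12 Security or the kernel project. The function names, the single modprobe.d directory and the check for an `install` rule that keeps a removed module from loading again are assumptions beyond what the article states.

```shell
#!/bin/sh
# Added example: audit the temporary mitigation (esp4, esp6, rxrpc removed).
# Function names and the modprobe.d check are assumptions, not from the article.
MODULES="esp4 esp6 rxrpc"

# module_status NAME [PROC_MODULES_FILE]
# /proc/modules columns: name size refcount used-by state address.
# Prints "absent", "loaded:removable" or "loaded:in-use(refcount=N,by=LIST)".
module_status() {
    awk -v m="$1" '
        $1 == m {
            found = 1
            by = $4; sub(/,$/, "", by)
            if ($3 == 0) print "loaded:removable"
            else printf "loaded:in-use(refcount=%s,by=%s)\n", $3, by
        }
        END { if (!found) print "absent" }
    ' "${2:-/proc/modules}"
}

# reload_blocked NAME [CONF_DIR]
# Succeeds if an uncommented "install NAME /bin/false" (or /bin/true) rule
# exists, so a removed module is not loaded again on demand. "blacklist"
# alone is not counted: it only stops alias-based loading.
# Only one directory is scanned; modprobe also reads /run and /usr/lib.
reload_blocked() {
    dir="${2:-/etc/modprobe.d}"
    [ -d "$dir" ] || return 1
    cat "$dir"/*.conf 2>/dev/null | awk -v m="$1" '
        $1 == "install" && $2 == m && $3 ~ /^\/(usr\/)?bin\/(false|true)$/ { ok = 1 }
        END { exit !ok }'
}

# audit [PROC_MODULES_FILE] [CONF_DIR]
# Prints one line per module; returns 1 if any affected module is loaded.
audit() {
    rc=0
    for m in $MODULES; do
        st=$(module_status "$m" "${1:-/proc/modules}")
        if reload_blocked "$m" "${2:-/etc/modprobe.d}"; then blk=yes; else blk=no; fi
        echo "$m $st reload-blocked=$blk"
        [ "$st" = absent ] || rc=1
    done
    return "$rc"
}

audit "$@" || echo "affected module still loaded; mitigation not in place" >&2
```

A module compiled into the kernel never appears in /proc/modules, so "absent" only means it is not loaded as a module; on such kernels removal is not available and patching is the remaining option.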
Vulnerability Management, Patch/Configuration Management
New Linux privilege escalation flaw ‘Fragnesia’ disclosed; PoC available




