Known as Fragnasia and tracked as CVE-2026-46300, a newly disclosed high-severity Linux kernel vulnerability allows unprivileged local attackers to write arbitrary bytes into the kernel page cache of read-only files and gain root privileges, researchers say.
How Fragnesia (CVE-2026-46300) operates
Fragnesia stems from a logic bug in the Linux XFRM ESP-in-TCP subsystem. According to the disclosure, the flaw enables an unprivileged local attacker to perform arbitrary byte writes to the kernel page cache of read-only files — and does so "without requiring any race condition." The vulnerability affects all Linux kernels released before May 13, 2026, and has prompted distributions to roll out patches.
William Bowling and the publicly shared proof-of-concept
The vulnerability was discovered by William Bowling, head of assurance at Zellic, who published a proof-of-concept (PoC) exploit. Bowling's PoC achieves a kernel memory-write primitive that corrupts the page cache of the /usr/bin/su binary; the exploit then uses that corruption to obtain a shell with root privileges on vulnerable systems. Bowling's disclosure makes the exploit technique available to anyone able to run local code on an affected host.
Relation to Dirty Frag and the other CVEs involved
Bowling described Fragnesia as part of the Dirty Frag vulnerability class but noted it is a distinct bug. "Fragnesia is a member of the Dirty Frag vulnerability class. This is a separate bug in the ESP/XFRM from dirtyfrag which has received its own patch. However, it is in the same surface and the mitigation is the same as for dirtyfrag," he said.
Dirty Frag itself—disclosed the prior week—has a public PoC and achieves privilege escalation by chaining two separate page-cache write flaws: the xfrm-ESP Page-Cache Write vulnerability (CVE-2026-43284) and a RxRPC Page-Cache Write issue (CVE-2026-43500). Dirty Frag's approach modifies protected system files in memory to escalate privileges; Fragnesia uses a different logic bug in the same general subsystem to achieve a similar outcome.
Mitigations: patches first, module removal as a stopgap
Linux distributions are issuing kernel updates and users are advised to apply those patches "as soon as possible." For environments that cannot patch immediately, the published mitigation for Dirty Frag is applicable to Fragnesia: remove the vulnerable kernel modules and prevent them from reloading. The source provides the commands:
- rmmod esp4 esp6 rxrpc
- printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf
The advisory specifically warns that removing these modules "will break AFS distributed network file systems and IPsec VPNs." Administrators must weigh the operational impact of that mitigation against exposure to an exploit, particularly where local unprivileged users have shell access.
What this means for Linux security teams, federal agencies, and end users
- Linux security teams: prioritize kernel updates where available and, if unable to patch immediately, apply the module-removal mitigation while planning for the operational consequences on AFS and IPsec VPN services.
- Federal agencies: this disclosure arrives against the backdrop of a recent CISA action on related Linux escalation flaws. CISA added the Copy Fail vulnerability to its catalog of exploited flaws on May 1 and ordered federal agencies to secure their Linux systems within two weeks, by May 15. The agency warned that "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," and advised agencies to apply vendor mitigations, follow applicable guidance, or discontinue use if mitigations are unavailable.
- End users and operators: the rapid succession of public PoCs — Fragnesia, Dirty Frag, Copy Fail and a recently patched PackageKit bug (Pack2TheRoot) disclosed in April — underscores that public exploit code can quickly increase exposure; applying vendor updates remains the central defense.
Fragnesia adds another publicly demonstrable route to root on unpatched Linux systems. With an authored PoC available and distributions issuing fixes, the immediate question is operational: will patch deployment outpace exploitation on systems where local code execution is possible? Administrators who cannot instantly update must choose between disrupting AFS and IPsec services or accepting the elevated risk until patches are applied.
Original reporting: https://www.bleepingcomputer.com/news/security/new-fragnesia-linux-flaw-lets-attackers-gain-root-privileges/
