PROBABLYPWNED
Vulnerabilities | May 15, 2026 | 3 min read

Linux Fragnesia Flaw Gives Any Local User Root Access Without Racing

CVE-2026-46300 exploits a logic bug in the XFRM ESP-in-TCP subsystem to corrupt page cache and gain root. Kernel patches rolling out now—mitigation available.

Marcus Chen

A new Linux kernel privilege escalation vulnerability allows any unprivileged local user to gain root access without exploiting race conditions. Dubbed Fragnesia and tracked as CVE-2026-46300, the flaw resides in the kernel's XFRM ESP-in-TCP subsystem and affects all major Linux distributions.

William Bowling, head of assurance at Zellic, discovered the vulnerability. A proof-of-concept exploit is available, and Linux vendors began releasing patched kernels on May 13, 2026.

How Fragnesia Works

The vulnerability exploits a logic bug in the XFRM ESP-in-TCP subsystem to achieve arbitrary byte writes into the kernel page cache of read-only files. Unlike many kernel exploits that depend on winning narrow timing windows, Fragnesia requires no race condition—the memory primitive is deterministic.

The public PoC demonstrates the attack by corrupting the page cache of /usr/bin/su. When executed afterward, the modified binary grants root-level shell access. The on-disk file remains unchanged, and a reboot or cache flush restores normal behavior—making forensic detection more difficult.

This belongs to the Dirty Frag vulnerability class we covered last week. Fragnesia is a distinct bug from the original Dirty Frag issues (CVE-2026-43284 and CVE-2026-43500), though it exploits the same kernel subsystem.

Impact Assessment

CVSS Score: 7.8 (High)

The attack requires local access—remote exploitation isn't possible without first compromising the system through another vector. But once an attacker has any foothold (a web shell, compromised user account, or container escape), Fragnesia provides a clean path to full root control.

Multi-tenant environments face the highest risk. Cloud providers, shared hosting platforms, and any system where untrusted users have shell access should prioritize patching.

Affected Systems

CVE-2026-46300 impacts Linux kernels released before May 13, 2026. This includes:

  • Ubuntu (all supported versions)
  • Debian
  • Red Hat Enterprise Linux and CentOS
  • AlmaLinux
  • Rocky Linux
  • Fedora
  • openSUSE
  • Arch Linux

Containerized workloads running on vulnerable host kernels are also exposed—the vulnerability operates at the kernel level, not within container isolation.

Immediate Mitigation

For systems that can't immediately apply kernel updates, blacklisting the affected modules eliminates the vulnerable code path:

rmmod esp4 esp6 rxrpc
printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf

Warning: This mitigation disables kernel modules required for IPsec VPNs and AFS network filesystems. Organizations relying on these features must coordinate with network teams before applying.
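
To confirm the mitigation above is actually in effect, the following is an added example (not from the original article or any vendor advisory) that checks each of esp4, esp6 and rxrpc is unloaded and blocked by an install rule. The function names, the --live switch and the single-directory assumption are illustrative choices.

```shell
#!/bin/sh
# Added example: verify the esp4/esp6/rxrpc mitigation on a host.
# Assumption: rules live in one modprobe.d directory (default /etc/modprobe.d);
# other modprobe.d locations and code built into the kernel are not inspected.
MITIGATED_MODULES="esp4 esp6 rxrpc"

# module_loaded NAME PROC_MODULES -> 0 if NAME is currently loaded.
# Exact match on field 1, so esp4_offload is not mistaken for esp4.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2" 2>/dev/null
}

# module_blocked NAME MODPROBE_DIR -> 0 if "install NAME /bin/false" is present.
# Commented-out rules do not count because field 1 must be "install".
module_blocked() {
    cat "$2"/*.conf 2>/dev/null | awk -v m="$1" \
        '$1 == "install" && $2 == m && $3 == "/bin/false" { found = 1 }
         END { exit !found }'
}

# audit_mitigation [PROC_MODULES] [MODPROBE_DIR]
# Prints one line per module; returns 0 only if all are unloaded and blocked.
audit_mitigation() {
    am_proc=${1:-/proc/modules}
    am_dir=${2:-/etc/modprobe.d}
    am_rc=0
    for am_mod in $MITIGATED_MODULES; do
        am_why=""
        module_loaded "$am_mod" "$am_proc" && am_why="$am_why still-loaded"
        module_blocked "$am_mod" "$am_dir" || am_why="$am_why no-install-rule"
        if [ -n "$am_why" ]; then
            printf '%s: FAIL (%s)\n' "$am_mod" "${am_why# }"
            am_rc=1
        else
            printf '%s: ok\n' "$am_mod"
        fi
    done
    return "$am_rc"
}

# Audit the live system only when invoked with --live; otherwise just define functions.
if [ "${1:-}" = "--live" ]; then
    audit_mitigation
fi
```

A non-zero exit status means at least one module is still loaded or can still be loaded on demand, so the check can gate a configuration-management run or a compliance scan.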

Patching Status

Major distributions have released or are actively rolling out patched kernels:

  • Ubuntu: Updates available via apt update && apt upgrade
  • RHEL/CentOS: Check yum update kernel for availability
  • Debian: Tracking in security advisories

The existing patches for the original Dirty Frag vulnerabilities do not address Fragnesia. Organizations that patched last week still need this update.

Detection Guidance

Monitoring for Fragnesia exploitation is challenging because the attack modifies page cache rather than disk contents. Consider:

  • Alerting on unexpected module loads (esp4, esp6, rxrpc)
  • Monitoring for privilege escalation patterns via audit logs
  • Tracking unusual su or sudo invocations following low-privilege sessions
  • Treating file integrity monitoring as a blind spot here: it won't catch this because the disk remains unchanged

Why This Matters

Kernel privilege escalation bugs are the great equalizer. Any initial access—phishing, web vulnerabilities, misconfigurations—becomes a path to complete system compromise. The deterministic nature of Fragnesia makes it particularly dangerous; attackers don't need to retry or time their exploitation carefully.

May 2026 continues to deliver critical infrastructure vulnerabilities. Between this, the Cisco SD-WAN authentication bypass added to CISA's KEV this week, and Microsoft's 120-vulnerability Patch Tuesday, security teams have limited bandwidth to address everything. Prioritize based on exposure: internet-facing systems first, then internal infrastructure with multi-tenant access.
