"The vulnerability allows unprivileged local attackers to modify read-only file contents in the kernel page cache and achieve root privileges through a deterministic page-cache corruption primitive," Google-owned Wiz said."
""This is a separate bug in the ESP/XFRM from Dirty Frag which has received its own patch," V12 said. "However, it is in the same surface and the mitigation is the same as for Dirty Frag. It abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve arbitrary byte writes into the kernel page cache of read-only files, without requiring any race condition.""
"Fragnesia is similar to Copy Fail and Dirty Frag (aka Copy Fail 2) in that it immediately yields root on all major distributions by achieving a memory write primitive in the kernel and corrupting the page cache memory of the /usr/bin/su binary. A proof-of-concept (PoC) exploit has been released by V12."
""Customers who have already applied the Dirty Frag mitigation need no further action until patched kernels are released," CloudLinux maintainers said. Red Hat said it's performing an assessment to confirm if existing mitigations extend to CVE-2026-46300. Wiz also noted that AppArmor restrictions on unprivileged user namespaces may serve as a partial mitigation, requiring additional bypasses for successful exploitation."
Fragnesia is a Linux kernel local privilege escalation vulnerability tracked as CVE-2026-46300 with a CVSS score of 7.8. It targets the XFRM ESP-in-TCP subsystem and allows unprivileged local attackers to modify read-only file contents in the kernel page cache. The flaw provides a deterministic page-cache corruption primitive that enables root privileges without requiring a race condition. The exploit corrupts the page cache memory of /usr/bin/su to achieve root access across major distributions. Multiple distribution advisories note it is a separate bug from Dirty Frag but shares the same mitigation approach. A proof-of-concept exploit has been released. Existing Dirty Frag mitigations may cover it until patched kernels are available, while AppArmor restrictions on unprivileged user namespaces may offer partial mitigation.
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]