Fragnesia Linux Kernel Vulnerability Exposes Systems to Root Privilege Escalation Risks
Security researchers have identified a significant local privilege escalation vulnerability in the Linux Kernel, referred to as “Fragnesia.” This vulnerability, tracked as CVE-2026-46300, is part of the broader Dirty Frag family of flaws. It specifically impacts the XFRM ESP-in-TCP subsystem, enabling unprivileged local attackers to escalate their privileges to root by corrupting page-cache memory.
The emergence of Fragnesia underscores a critical issue in cybersecurity: fixes for previous vulnerabilities can inadvertently create new attack vectors. Hyunwoo Kim, a researcher who previously identified the Dirty Frag vulnerabilities, noted that Fragnesia arose as an unintended consequence of patches aimed at mitigating those original flaws.
Scope of the Vulnerability
The Fragnesia vulnerability affects a wide array of Linux distributions, many of which have already begun to implement security updates. Although a proof-of-concept exploit for Fragnesia is publicly available, researchers have indicated that there is currently no confirmed evidence of active exploitation in real-world attacks.
Mechanism of the Attack
Fragnesia exploits a logical flaw within the Linux Kernel’s XFRM ESP-in-TCP implementation. The vulnerability arises from improper handling of shared page fragments during socket buffer (skb) coalescing operations. Attackers can exploit a condition where file-backed pages are inserted into a TCP receive queue before the socket transitions into ESP-in-TCP ultra-light protocol (ULP) mode. Once ESP processing is activated, the kernel decrypts queued data in-place, leading to controlled corruption within the underlying page cache through manipulation of the AES-GCM keystream.
The exploit leverages user and network namespaces to gain CAP_NET_ADMIN privileges within an isolated namespace. Attackers can then create a specially crafted ESP security association using NETLINK_XFRM, enabling them to repeatedly trigger controlled single-byte writes into cached file pages.
Researchers demonstrated the exploit by overwriting the initial bytes of /usr/bin/su with a compact ELF payload. This payload executes setresuid(0,0,0) before launching /bin/sh, providing attackers with a root shell. Importantly, the modified data exists only within page-cache memory and does not permanently alter the binary stored on disk. However, any file readable by the user, including sensitive files like /etc/passwd, could potentially be modified.
Relationship to Other Vulnerabilities
Fragnesia shares several characteristics with Dirty Frag and other recently disclosed Linux Kernel privilege escalation flaws, including Copy Fail. All these vulnerabilities rely on corruption primitives that enable attackers to tamper with protected memory structures. Microsoft’s threat intelligence team has highlighted the similarities between Fragnesia and Dirty Frag in its analysis of the vulnerability.
According to Microsoft, “Similar to Dirty Frag, Fragnesia exploits a vulnerability in the XFRM ESP-in-TCP subsystem to achieve a memory write primitive in the kernel.” The company further elaborated that the primitive is used to corrupt the page cache memory of the /usr/bin/su binary, leading to the launch of a shell with root privileges.
Microsoft also noted that Copy Fail has already been exploited in the wild. Following the disclosure of Dirty Frag, telemetry from its Defender platform indicated limited activity that could suggest attempted exploitation involving either Dirty Frag or Copy Fail. However, at the time of publication, there were no additional public reports confirming exploitation of either Dirty Frag or Fragnesia in active campaigns.
Importance of the XFRM ESP-in-TCP Subsystem
The XFRM ESP-in-TCP subsystem is crucial for enabling Encapsulating Security Payload (ESP) traffic over TCP connections within the Linux Kernel. Given its use in certain VPN and encrypted networking scenarios, vulnerabilities affecting this component can expose critical systems to local privilege escalation attacks.
Fragnesia illustrates how flaws in low-level networking components can lead to deterministic page-cache corruption, granting attackers powerful primitives capable of bypassing standard file protections. Unlike some earlier Linux Kernel privilege escalation flaws, Fragnesia does not require host-level privileges before exploitation, significantly lowering the barrier for local attackers operating within constrained environments.
Researchers have pointed out that AppArmor restrictions on unprivileged user namespaces, which are enabled by default on Ubuntu systems, may offer partial mitigation. However, additional bypasses could still allow successful exploitation under certain conditions.
Mitigation Strategies and Recommendations
Security experts strongly recommend that organizations apply vendor-provided Linux Kernel patches addressing Fragnesia and the underlying XFRM ESP-in-TCP vulnerability as soon as updates become available. Until patches are fully deployed, administrators are advised to disable vulnerable modules associated with both Fragnesia and Dirty Frag if they are not required. Recommended commands include:
```bash
rmmod esp4 esp6 rxrpc
```
Administrators can also prevent the modules from loading by creating the following configuration:
```bash
printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/fragnesia.conf
```
Additionally, researchers recommend restricting or disabling unprivileged user namespaces wherever operationally feasible. Monitoring systems for suspicious namespace creation, abnormal AF_ALG usage, or unauthorized XFRM manipulation may also help detect exploitation attempts.
If a compromise is suspected, administrators should reboot affected systems or clear page-cache contents to remove modified in-memory binaries:
```bash
echo 1 | tee /proc/sys/vm/drop_caches
```
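To verify that the interim mitigations above are actually in effect on a host, the following audit script is an added example (not from the article, the kernel project or any vendor). It assumes POSIX sh with awk and grep; the /proc/modules and modprobe.d contents embedded in it are constructed samples, and the live check is read-only.

```shell
#!/bin/sh
# Added audit helper, not from the article or any vendor: reports whether the
# interim Fragnesia / Dirty Frag mitigations are in place. The check functions
# take file contents as arguments so they can be exercised on sample input.
VULN_MODULES="esp4 esp6 rxrpc"   # modules the article says to unload/block

# $1 = contents of /proc/modules. Prints the vulnerable modules that are loaded.
loaded_vuln_modules() {
    found=""
    for m in $VULN_MODULES; do
        if printf '%s\n' "$1" | awk -v mod="$m" '$1 == mod { hit = 1 } END { exit !hit }'; then
            found="${found:+$found }$m"
        fi
    done
    printf '%s' "$found"
}

# $1 = concatenated /etc/modprobe.d/*.conf. Prints the vulnerable modules that
# have no "install <mod> /bin/false" (or /bin/true) rule blocking autoload.
unblocked_vuln_modules() {
    missing=""
    for m in $VULN_MODULES; do
        if ! printf '%s\n' "$1" | grep -Eq "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/(false|true)"; then
            missing="${missing:+$missing }$m"
        fi
    done
    printf '%s' "$missing"
}

# Constructed samples standing in for the real files.
SAMPLE_PROC_MODULES='esp4 20480 0 - Live 0x0000000000000000
xfrm_user 40960 1 - Live 0x0000000000000000
rxrpc 86016 1 af_rxrpc, Live 0x0000000000000000'
SAMPLE_MODPROBE='install esp4 /bin/false
install esp6 /bin/false'

# Run the same checks against the live host (read-only; no root needed).
audit_live_host() {
    [ -r /proc/modules ] || { echo "no /proc/modules here; skipping live audit"; return 0; }
    loaded=$(loaded_vuln_modules "$(cat /proc/modules)")
    unblocked=$(unblocked_vuln_modules "$(cat /etc/modprobe.d/*.conf 2>/dev/null || true)")
    echo "vulnerable modules currently loaded: ${loaded:-none}"
    echo "vulnerable modules not blocked in modprobe.d: ${unblocked:-none}"
    # user.max_user_namespaces is the mainline sysctl; 0 disables new user namespaces.
    echo "user.max_user_namespaces: $(sysctl -n user.max_user_namespaces 2>/dev/null || echo unknown)"
}

audit_live_host
```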
As Linux Kernel developers continue to address Dirty Frag-related vulnerabilities, Fragnesia serves as a reminder of how security patches can inadvertently introduce new weaknesses into complex subsystems such as XFRM ESP-in-TCP.
For further details, refer to the original reporting source: thecyberexpress.com.