2026-05-14 The Hacker News

New Fragnesia Linux Kernel Flaw Grants Root via Page Cache Corruption

Vulnerability, Zero-Day

Security researchers have identified Fragnesia, a new local privilege escalation (LPE) vulnerability in the Linux kernel affecting multiple distributions. Tracked as CVE-2026-46300 with a CVSS score of 7.8, this flaw allows unprivileged local attackers to corrupt the kernel page cache and escalate to root access. Discovered by William Bowling of the V12 security team, the vulnerability resides in the XFRM ESP-in-TCP subsystem and represents the third such bug discovered within two weeks, following Dirty Frag (CVE-2024-1085) and Copy Fail. Unlike its predecessors, Fragnesia requires no host-level privileges and exploits a logic bug enabling arbitrary byte writes into the kernel page cache of read-only files without requiring any race condition.

The attack works by leveraging a deterministic page-cache corruption primitive to modify critical system binaries like /usr/bin/su, immediately yielding root privileges across major distributions including AlmaLinux, Amazon Linux, Debian, Red Hat Enterprise Linux, SUSE, and Ubuntu. This technique mirrors the approach used by Dirty Frag and Copy Fail, all achieving memory write primitives through the Linux XFRM ESP-in-TCP surface. V12 Security has released a proof-of-concept exploit demonstrating the vulnerability. Organizations should verify their systems aren't exposing unnecessary services using tools like our port scanner to identify potential attack vectors.

Patches are available, and organizations that have already applied Dirty Frag mitigations require no additional action until patched kernels are released. Red Hat is conducting assessments to confirm existing mitigations extend to CVE-2026-46300. As temporary measures, administrators can disable esp4, esp6, and related XFRM/IPsec functionality, restrict local shell access, and increase monitoring for abnormal privilege escalation activity. Wiz notes that AppArmor restrictions on unprivileged user namespaces may provide partial mitigation. Given active exploitation in underground markets, where threat actor "berz0k" was observed advertising a Linux LPE zero-day for $170,000, organizations should prioritize patching immediately. Users concerned about credential exposure from potential compromises can use our password checker to ensure strong authentication practices.
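One way to check that the temporary esp4/esp6 workaround is really in effect on a host, as an added example that is not from the article or the vendors it cites. It assumes the modules are disabled through modprobe configuration, reads a single configuration directory (modprobe itself also consults others), and runs against constructed sample files; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): audit the "disable esp4/esp6" workaround.
# File locations are parameters so the check also runs on the constructed sample below.

# esp_module_state MODULE [PROC_MODULES_FILE] [MODPROBE_DIR]
# Prints: loaded | blocked | blacklist-only | loadable
esp_module_state() (
    mod=$1; loaded=${2:-/proc/modules}; confdir=${3:-/etc/modprobe.d}
    rules=$(cat "$confdir"/*.conf 2>/dev/null || true)
    ws='[[:space:]]'
    if grep -q "^$mod " "$loaded" 2>/dev/null; then
        echo loaded            # still in the kernel; config rules do not unload it
    elif printf '%s\n' "$rules" | grep -Eq "^$ws*install$ws+$mod$ws+/(usr/)?bin/(false|true)"; then
        echo blocked           # every load attempt runs a no-op command instead
    elif printf '%s\n' "$rules" | grep -Eq "^$ws*blacklist$ws+$mod($ws|\$)"; then
        echo blacklist-only    # alias autoload suppressed; explicit modprobe still loads it
    else
        echo loadable
    fi
)

# audit_esp [PROC_MODULES_FILE] [MODPROBE_DIR]
# Reports both modules; exit status is non-zero unless both are "blocked".
audit_esp() (
    rc=0
    for m in esp4 esp6; do
        s=$(esp_module_state "$m" "$1" "$2")
        echo "$m: $s"
        [ "$s" = blocked ] || rc=1
    done
    exit "$rc"
)

# Constructed sample host: esp4 was loaded before the rule was written,
# and esp6 is only blacklisted.
SAMPLE=$(mktemp -d); trap 'rm -rf "$SAMPLE"' EXIT
mkdir "$SAMPLE/modprobe.d"
printf '%s\n' 'xfrm_user 61440 2 - Live 0x0000000000000000' \
              'esp4 28672 0 - Live 0x0000000000000000' > "$SAMPLE/modules"
printf '%s\n' '# constructed mitigation file' 'install esp4 /bin/false' \
              'blacklist esp6' > "$SAMPLE/modprobe.d/disable-esp.conf"
audit_esp "$SAMPLE/modules" "$SAMPLE/modprobe.d" || echo "workaround NOT fully in effect"
```

Run `audit_esp` with no arguments to check the live host; a `loaded` result means the module has to be unloaded or the host rebooted before the configuration rule has any effect.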

Source: The Hacker News
