Researchers have found and disclosed yet another local privilege escalation (LPE) vulnerability in the Linux kernel: CVE-2026-46300, aka “Fragnesia”.
The flaw is in the same class of vulnerabilities as the recently disclosed Dirty Frag bug(s).
Like Dirty Frag, it affects the same Linux module (xfrm-ESP). In fact, according to Dirty Frag discoverer Hyunwoo Kim, Fragnesia was “accidentally activated” by the patch fixing one of the original Dirty Frag vulnerabilities (i.e., CVE-2026-43284).
CVE-2026-46300 explained
Fragnesia was discovered by William Bowling of Zellic.io, with the help of the company’s AI-agentic software auditing tool.
The research team published a short technical explainer and proof-of-concept exploit code.
As Wiz researchers helpfully explained, Fragnesia allows unprivileged local attackers to modify read-only file contents in the kernel page cache, and “through a deterministic page-cache corruption primitive,” achieve root privileges.
Patches and mitigations for Fragnesia
Like Copy Fail and Dirty Frag before it, Fragnesia is less of a risk for single-user workstations and single-tenant servers than for shared Linux hosts (where multiple users share a kernel), container clusters (where the page cache is shared across the host), CI runners and build farms, and cloud SaaS solutions running user code.
Linux admins should apply vendor kernel patches when they become available. In the meantime, they should disable/denylist or unload the vulnerable modules (for both Fragnesia and DirtyFrag: esp4, esp6, rxrpc) to mitigate the risk of exploitation.
Some Linux distributions have already relased kernel patches, namely AlmaLinux and CloudLinux.
“The exploit can modify legitimate system binaries (the public PoC overwrites /usr/bin/su) in the page cache as part of gaining root, so applying the mitigation alone is not enough on systems that may have been targeted before the mitigation was in place,” the CloudLinux team explained.
“After mitigating, drop the page cache to force a reload from disk [by running the following command: sudo sh -c “echo 3 > /proc/sys/vm/drop_caches”].”
Microsoft’s threat analysts also pointed out that exploitation is “not constrained to use the [/usr/bin/su] binary,” and that attackers “can modify any file readable by the user, including [/etc/passwd].”
They also added that there is currently no evidence pointing to in-the-wild exploitation of Fragnesia.
Copy Fail, on the other hand, has been added to CISA’s Known Exploited Vulnerabilities catalog earlier this month.
Kernel patches for Copy Fail are now widely available, but for a temporary mitigation admins can denylist or unload the algif_aead module.
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!
