Fragnesia Linux Kernel Vulnerability Enables Root Access via Page Cache Corruption
#Vulnerabilities

Security Reporter

A new critical Linux kernel vulnerability (CVE-2026-46300) allows local attackers to gain root privileges through page cache corruption, marking the third such kernel flaw discovered in two weeks.

Security researchers have identified a new critical Linux kernel vulnerability that allows local attackers to gain root privileges through page cache corruption. Codenamed 'Fragnesia,' this security flaw (CVE-2026-46300) carries a CVSS score of 7.8 and represents the third significant kernel privilege escalation vulnerability discovered within just two weeks.

Technical Details of the Vulnerability

Fragnesia is rooted in the Linux kernel's XFRM ESP-in-TCP subsystem and was discovered by researcher William Bowling of the V12 security team. According to Google-owned Wiz security researchers, the flaw lets an unprivileged local attacker modify the cached contents of read-only files in the kernel page cache and, from that deterministic page-cache corruption primitive, reach root.

"This is a separate bug in the ESP/XFRM from Dirty Frag which has received its own patch," V12 explained in their advisory. "However, it is in the same surface and the mitigation is the same as for Dirty Frag. It abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve arbitrary byte writes into the kernel page cache of read-only files, without requiring any race condition."

The bug is a logic flaw in the kernel's ESP-in-TCP implementation, the code that handles IPsec ESP packets encapsulated in a TCP stream (RFC 8229 encapsulation, built when CONFIG_INET_ESPINTCP is enabled). By feeding that code crafted input, an attacker obtains arbitrary byte writes into page-cache pages that back a read-only file. Because no race condition is involved, the primitive is deterministic rather than probabilistic, and it can be used to overwrite the cached contents of a privileged binary and escalate.

Exploitation and Impact

Fragnesia shares similarities with the previously disclosed Copy Fail and Dirty Frag vulnerabilities. Like those flaws, it yields root on all major Linux distributions by obtaining a memory write primitive in the kernel and corrupting the page-cache copy of a setuid-root binary such as /usr/bin/su, so that the next execution of that binary runs attacker-supplied code as root.

V12 has already released a proof-of-concept (PoC) exploit for Fragnesia, demonstrating its real-world viability. The vulnerability is particularly concerning because, unlike Dirty Frag, it does not require any host-level privileges to exploit, making it accessible to any local user on an affected system.

"A patch is available, and while no in-the-wild exploitation has been observed at this time, we urge users and organizations to apply the patch as soon as possible by running update tools," Microsoft stated in their advisory. "If patching is not possible at this point, consider applying the same mitigations for Dirty Frag."

Mitigation Strategies

Multiple Linux distributions have released advisories addressing Fragnesia, including AlmaLinux, Amazon Linux, CloudLinux, Debian, Gentoo, Red Hat Enterprise Linux, SUSE, and Ubuntu. Customers who have already applied the Dirty Frag mitigation need no further action until patched kernels are released.

Red Hat is currently performing an assessment to confirm whether its existing mitigations extend to CVE-2026-46300. In the meantime, Wiz noted that AppArmor restrictions on unprivileged user namespaces may serve as a partial mitigation: on such systems an attacker would need an additional bypass before the exploit can complete.

For organizations unable to immediately patch, the following temporary mitigations are recommended:

  • Disable esp4, esp6 and related xfrm/IPsec modules: unload them and block them from being loaded again, since the vulnerable code lives there
  • Restrict unnecessary local shell access (the bug is a local privilege escalation and needs a foothold on the host)
  • Harden containerized workloads
  • Increase monitoring for abnormal privilege escalation activity
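As an added, illustrative script (not code from the V12 or Wiz advisories, and not a distribution's own tooling), the following POSIX shell functions implement the first item above and a check that supports the last one: they generate a modprobe.d blacklist for the ESP/XFRM modules, report which of them are loaded or built into the running kernel, and compare a critical binary's contents as served from the page cache against a known-good hash. The module names beyond esp4 and esp6, the config file path, and the function names are assumptions; the lsmod listing and modules.builtin file used below are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the V12 or Wiz advisories: implement the interim
# mitigation (block the esp4/esp6/xfrm modules) and an integrity check of a
# critical binary's page-cache contents.  Module names beyond esp4/esp6 and
# the config file path are assumptions; SAMPLE_LSMOD is constructed data.

FRAGNESIA_MODULES="esp4 esp6 xfrm_interface xfrm_user xfrm_algo"
FRAGNESIA_CONF="/etc/modprobe.d/fragnesia-esp.conf"

# Emit a modprobe.d fragment. 'install <mod> /bin/false' refuses every load
# path (explicit name or alias-triggered autoload such as the xfrm-type alias
# esp4 registers); a plain 'blacklist' line only ignores the module's aliases.
fragnesia_blacklist_config() {
  for m in $FRAGNESIA_MODULES; do
    printf 'install %s /bin/false\n' "$m"
  done
}

# $1: lsmod-style text (header line, then "name size used_by").
# Prints the blocked modules that are currently loaded, one per line.
fragnesia_loaded_modules() {
  printf '%s\n' "$1" | awk -v mods="$FRAGNESIA_MODULES" '
    BEGIN { n = split(mods, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    NR > 1 && ($1 in want) { print $1 }'
}

# Blacklisting cannot disable code compiled into the kernel (CONFIG_INET_ESP=y).
# $1: path of modules.builtin (default: the running kernel's copy).
fragnesia_builtin_modules() {
  f="${1:-/lib/modules/$(uname -r)/modules.builtin}"
  [ -r "$f" ] || return 0
  for m in $FRAGNESIA_MODULES; do
    grep -q "/$m\.ko" "$f" && echo "$m"
  done
  return 0
}

# SHA-256 of a file as read through the page cache (an ordinary read).
cached_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# $1: file, $2: known-good SHA-256 (recorded at install time or taken from the
# package manifest). A mismatch while the package verifies clean on disk is the
# signature of a page-cache corruption attack: the bytes served from memory
# differ from the bytes on disk. Returns 0 on match, 1 otherwise.
check_cached_hash() {
  [ "$(cached_sha256 "$1")" = "$2" ]
}

# Root-only: write the blacklist, unload what is loaded (ESP first, then the
# xfrm helpers it depends on), and warn about modules that are built in.
apply_mitigation() {
  fragnesia_blacklist_config > "$FRAGNESIA_CONF"
  loaded=$(fragnesia_loaded_modules "$(lsmod)")
  for m in $FRAGNESIA_MODULES; do
    printf '%s\n' "$loaded" | grep -qx "$m" || continue
    modprobe -r "$m" || echo "could not unload $m (active IPsec state?)" >&2
  done
  b=$(fragnesia_builtin_modules)
  [ -z "$b" ] || echo "built into this kernel, blacklist ineffective: $b" >&2
}

# Constructed sample listing for offline use; on a host use "$(lsmod)".
SAMPLE_LSMOD='Module                  Size  Used by
esp4                   32768  0
xfrm_algo              16384  1 esp4
nf_tables             266240  0'
```

Run `apply_mitigation` as root on a host that does not need IPsec; blocking xfrm_user also breaks `ip xfrm` management, so trim FRAGNESIA_MODULES to esp4 and esp6 where IPsec policy tooling must keep working. The hash check only detects a corrupted cached copy while it is resident; a reboot or cache eviction restores the on-disk bytes, so record the mismatch (and the process that last executed the binary) at the moment it is observed.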

Market Context and Exploit Availability

The emergence of Fragnesia comes amid heightened concerns about Linux kernel security. Threat intelligence indicates that a threat actor named "berz0k" has been observed advertising on cybercrime forums a zero-day Linux LPE exploit for $170,000. According to ThreatMon, this threat actor claims the vulnerability is TOCTOU-based (Time-of-Check Time-of-Use), capable of stable local privilege escalation without causing system crashes, and leverages a shared object (.so) payload dropped into the /tmp directory.

The consecutive discovery of critical kernel vulnerabilities highlights the ongoing challenges in securing complex operating system components. Kernel-level exploits remain particularly valuable to attackers because they provide the highest level of system access and are often difficult to detect and remediate.

System administrators should prioritize patching these kernel vulnerabilities promptly, as they represent significant risks to system integrity and security. The rapid succession of similar flaws suggests that attackers may be actively probing for additional vulnerabilities in the same subsystems.

For the latest information on patches and mitigations, administrators should monitor their Linux distribution's security advisories and consider implementing additional security controls like SELinux or AppArmor to limit potential damage in case of exploitation.
