Ethical Hacking News
The latest variant of a local privilege escalation (LPE) vulnerability in Linux, dubbed "Fragnesia," allows unprivileged attackers to gain root access via page cache corruption. Security experts warn that patching is essential to prevent exploitation, highlighting the ongoing struggle between security researchers and threat actors.
Fragnesia is a new variant of the Dirty Frag LPE vulnerability that allows unprivileged local attackers to gain root access by exploiting a deterministic page-cache corruption primitive in the Linux kernel's XFRM ESP-in-TCP subsystem. The Fragnesia vulnerability (CVE-2026-46300) has a CVSS score of 7.8 and is being tracked as an emerging concern for Linux distributions worldwide. Multiple Linux distributions, including AlmaLinux, Amazon Linux, CloudLinux, Debian, Gentoo, Red Hat Enterprise Linux, SUSE, and Ubuntu, have issued advisories to address the vulnerability. The mitigation for Fragnesia involves disabling esp4, esp6, and related xfrm/IPsec functionality, restricting unnecessary local shell access, and increasing monitoring for abnormal privilege escalation activity. Security experts emphasize the importance of patching and applying mitigations to prevent exploitation of this vulnerability. The emergence of Fragnesia highlights the ongoing cat-and-mouse game between security researchers and threat actors in the Linux ecosystem, emphasizing the need for organizations to prioritize system security and take proactive measures to mitigate this threat.
The cybersecurity landscape has recently seen a significant rise in local privilege escalation (LPE) vulnerabilities, with the latest variant, dubbed "Fragnesia," emerging as a major concern for Linux distributions worldwide. According to an article published on The Hacker News, Fragnesia is a new variant of the Dirty Frag LPE vulnerability that allows unprivileged local attackers to gain root access by exploiting a deterministic page-cache corruption primitive in the Linux kernel's XFRM ESP-in-TCP subsystem.
The vulnerability, tracked as CVE-2026-46300 with a CVSS score of 7.8, was discovered by researcher William Bowling of the V12 security team. It allows attackers to modify read-only file contents in the kernel page cache and thereby achieve root privileges.
Advisories have been issued by multiple Linux distributions, including AlmaLinux, Amazon Linux, CloudLinux, Debian, Gentoo, Red Hat Enterprise Linux, SUSE, and Ubuntu. The mitigation for Fragnesia is identical to that of Dirty Frag, which involves disabling esp4, esp6, and related xfrm/IPsec functionality, restricting unnecessary local shell access, hardening containerized workloads, and increasing monitoring for abnormal privilege escalation activity.
Interestingly, the threat actor "berz0k" has been observed advertising a zero-day Linux LPE exploit on cybercrime forums, claiming it works across multiple major Linux distributions. However, unlike Dirty Frag, which requires host-level privileges to succeed, Fragnesia does not require any such privileges, making it an even more concerning vulnerability.
Security experts have emphasized the importance of patching and applying mitigations to prevent exploitation of this vulnerability. Microsoft stated that a patch is available for CVE-2026-46300, urging users and organizations to apply the patch as soon as possible by running update tools. In cases where patching is not feasible, adhering to the same mitigation strategies employed for Dirty Frag can help reduce exploitable risk.
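A way to check the esp4/esp6 part of the mitigation described above on a host, as an added example that is not from the article or from any distribution advisory. The function names and the sample file contents are constructed for illustration; `install <module> /bin/false` is the usual modprobe.d rule for refusing to load a module.

```shell
#!/bin/sh
# Added example: audit the esp4/esp6 part of the mitigation.
# File paths are arguments so the checks can run on constructed samples; on a
# live host pass /proc/modules and the files under /etc/modprobe.d.

# module_loaded MODULE PROC_MODULES_FILE: succeeds if MODULE is listed as loaded.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2"
}

# module_blocked MODULE CONF_FILE...: succeeds if an "install MODULE /bin/false"
# (or /bin/true) rule exists. A bare "blacklist" line only stops alias-based
# autoloading, an explicit modprobe still works, so it is not counted.
module_blocked() {
    mod="$1"; shift
    [ "$#" -gt 0 ] || return 1
    cat "$@" 2>/dev/null | awk -v m="$mod" '
        /^[ \t]*#/ { next }
        $1 == "install" && $2 == m && ($3 == "/bin/false" || $3 == "/bin/true") { ok = 1 }
        END { exit !ok }'
}

# audit_module MODULE PROC_MODULES_FILE CONF_FILE...: prints one status word.
# LOADED wins over BLOCKED: a rule added after load does not unload the module.
audit_module() {
    mod="$1"; proc="$2"; shift 2
    if module_loaded "$mod" "$proc"; then
        echo "LOADED"
    elif module_blocked "$mod" "$@"; then
        echo "BLOCKED"
    else
        echo "LOADABLE"
    fi
}

# Constructed sample data (not taken from a real host).
sample_dir=$(mktemp -d)
cat > "$sample_dir/modules" <<'EOF'
esp4 28672 0 - Live 0x0000000000000000
ext4 1032192 1 - Live 0x0000000000000000
EOF
cat > "$sample_dir/ipsec.conf" <<'EOF'
# constructed modprobe.d fragment
blacklist esp6
install esp4 /bin/false
EOF
for m in esp4 esp6; do
    printf '%s: %s\n' "$m" "$(audit_module "$m" "$sample_dir/modules" "$sample_dir/ipsec.conf")"
done
```

A module compiled into the kernel does not appear in /proc/modules and cannot be blocked through modprobe.d, so this check covers loadable modules only.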
Furthermore, AppArmor restrictions on unprivileged user namespaces may serve as a partial mitigation for Fragnesia, in which case additional bypasses are required for successful exploitation. Unlike Dirty Frag, which does not require any race conditions to succeed, Fragnesia relies on deterministic page-cache corruption primitives.
The emergence of the Fragnesia vulnerability highlights the ongoing cat-and-mouse game between security researchers and threat actors in the Linux ecosystem. As such, it is crucial for system administrators and organizations to stay vigilant and take proactive measures to secure their systems against this latest LPE vulnerability.
In conclusion, the Fragnesia Linux kernel LPE vulnerability represents a pressing concern for Linux distributions worldwide, as it offers an avenue for unprivileged local attackers to gain root access by exploiting a deterministic page-cache corruption primitive in the Linux kernel's XFRM ESP-in-TCP subsystem. Security experts have emphasized the importance of patching and applying mitigations to prevent exploitation of this vulnerability, underscoring the need for organizations to prioritize system security and take proactive measures to mitigate this threat.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Fragnesia-Linux-Kernel-LPE-Vulnerability-Grants-Root-Access-via-Page-Cache-Corruption-ehn.shtml
https://thehackernews.com/2026/05/new-fragnesia-linux-kernel-lpe-grants.html
Published: Thu May 14 03:50:08 2026 by llama3.2 3B Q4_K_M