A new local privilege escalation (LPE) vulnerability in the Linux kernel has been publicly disclosed, tracked as CVE-2026-46300 and dubbed "Fragnesia." This flaw belongs to the same class of vulnerabilities as the recently reported Dirty Frag bugs, specifically affecting the same Linux networking module, xfrm-ESP. According to researchers, Fragnesia was inadvertently introduced by a patch that was intended to fix one of the original Dirty Frag vulnerabilities (CVE-2026-43284). The discovery highlights the persistent challenges in securing complex kernel subsystems and the unintended consequences of security patches.
Background: The Dirty Frag and Copy Fail Family
The Linux kernel has been battling a series of vulnerabilities related to the xfrm (IPsec) framework, particularly the ESP (Encapsulating Security Payload) module. Earlier in 2026, researchers disclosed Dirty Frag, a set of bugs allowing unprivileged local attackers to corrupt kernel memory and escalate privileges. The initial patches for Dirty Frag sought to address the root cause but, as is often the case in kernel development, introduced new weaknesses. Fragnesia is the latest example of this phenomenon, where a fix for one bug inadvertently opened the door for another.
Another related vulnerability, Copy Fail, also targeted the kernel's cryptographic subsystems and was added to CISA's Known Exploited Vulnerabilities catalog in early May 2026. Copy Fail allowed similar page cache corruption and was actively exploited in the wild. Together, these vulnerabilities underscore the growing sophistication of attacks against shared Linux environments, such as multi-tenant cloud servers, container clusters, and CI/CD pipelines.
Technical Details of Fragnesia (CVE-2026-46300)
Fragnesia was discovered by William Bowling of Zellic, a security research firm, using an AI-driven software auditing tool. The flaw resides in the xfrm-ESP module and involves a subtle race condition or memory management issue that was introduced when the patch for Dirty Frag (CVE-2026-43284) was applied. Specifically, the new vulnerability allows an unprivileged local attacker to modify read-only file contents in the kernel's page cache. The page cache is a critical kernel structure that stores recently accessed disk pages to improve performance. Normally, read-only files have their page cache pages marked as immutable, but Fragnesia can bypass this protection.
Wiz researchers, who analyzed the proof-of-concept exploit, described the mechanism as a "deterministic page-cache corruption primitive." An attacker with low privileges (e.g., a regular user on a shared host) can overwrite the contents of any file that is mapped into memory and cached—even files marked read-only, such as system binaries (/usr/bin/su) or configuration files (/etc/passwd). By corrupting the page cache, the attacker can then execute arbitrary code with the privileges of the targeted file. For example, overwriting the su binary allows an attacker to run it as root, effectively achieving full root privileges on the system.
Impact and Attack Scenarios
Like its predecessors Dirty Frag and Copy Fail, Fragnesia poses the greatest risk to environments where multiple users or processes share a single kernel instance. Typical targets include:
- Shared Linux hosts in academic or enterprise settings where many users log in on a single machine.
- Container clusters where the page cache is shared across the host kernel. A compromised container could break out to the host or affect other containers.
- CI runners and build farms where code from untrusted contributors is executed. Attackers could use Fragnesia to escalate from a low-privilege build job to full control of the runner.
- Cloud SaaS solutions that execute user-provided code in sandboxed environments.
Single-user workstations and single-tenant servers are generally at lower risk because the attacker already has full control or would need physical access. However, any Linux system with the vulnerable module loaded could, in theory, be exploited by a local user with minimal permissions.
Microsoft's threat analysts noted that exploitation is not limited to a specific binary. Attackers can target any file readable by the user, including /etc/passwd to modify user credentials or /etc/shadow if permissions allow. The flexibility of the primitive makes it especially dangerous in environments with strict file permissions but shared kernel access.
Mitigations and Patching
Linux administrators are urged to apply vendor kernel patches as soon as they become available. Several distributions have already released updates, including AlmaLinux and CloudLinux. The official fix from the Linux kernel maintainers is expected to be incorporated into stable releases shortly.
As a temporary mitigation, administrators can disable or unload the vulnerable modules: esp4, esp6, and rxrpc. This will prevent exploitation of both Fragnesia and the original Dirty Frag bugs. However, unloading these modules may affect IPsec and other networking functionality, so testing in a non-production environment is recommended.
CloudLinux's team emphasized that simply applying the mitigation is not sufficient if the system may have been compromised before the modules were disabled. Attackers could have already corrupted the page cache. Therefore, after mitigation, administrators must drop the page cache to force a reload from disk. The command to do this is: sudo sh -c "echo 3 > /proc/sys/vm/drop_caches". This clears cached files and ensures that any malicious modifications are overwritten with the legitimate disk content.
For Copy Fail, a similar temporary mitigation exists: unloading the algif_aead module. Kernel patches for Copy Fail are now widely available, and administrators who delayed that patch should prioritize it alongside the Fragnesia fix.
Recommendations for Administrators
- Stay informed: Monitor security advisories from your Linux distribution for kernel updates containing the Fragnesia patch.
- Apply mitigations immediately: Disable the vulnerable modules (esp4, esp6, rxrpc) if they are not required for your workload. Restart services if needed.
- Clear page cache after mitigation: Run the drop_caches command to eliminate any potential backdoors left by earlier exploitation.
- Audit system binaries: Check the integrity of critical binaries like /usr/bin/su and /usr/bin/sudo for signs of tampering. Use package managers to verify checksums.
- Harden shared environments: Consider using kernel namespaces, seccomp profiles, and AppArmor/SELinux to reduce the attack surface. However, note that these do not fully protect against page cache attacks as they operate at a different level.
- Review logs for anomalies: Look for unusual processes attempting to load or unload kernel modules, or for unexpected changes to file contents while processes are running.
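The interim steps above (unload the named modules, drop the page cache, verify the named binaries against the package database) as one checked procedure. This is an added example written for this page, not a script from Help Net Security, CloudLinux or any kernel vendor. The module names (esp4, esp6, rxrpc, algif_aead), the file paths and the drop_caches command come from the article; the function names and the sample /proc/modules lines used for testing are constructed here.

```shell
#!/bin/sh
# Added example, not part of the article or any vendor's tooling.
# Turns the article's interim mitigation into a checked procedure:
#   1. find which of the named modules are loaded (and what holds them),
#   2. print (--plan) or run (--apply, as root) the unload commands,
#   3. record the kernel's view of the named binaries before and after
#      dropping the page cache, and verify them against the package database.

VULN_MODULES="esp4 esp6 rxrpc algif_aead"   # esp4/esp6/rxrpc: Fragnesia and Dirty Frag; algif_aead: Copy Fail
CHECK_FILES="/usr/bin/su /usr/bin/sudo"

# Read /proc/modules-formatted lines on stdin ("name size refcount deps state addr")
# and print the names from VULN_MODULES that are present, one per line.
loaded_vuln_modules() {
    awk -v want="$VULN_MODULES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) wanted[w[i]] = 1 }
        ($1 in wanted) { print $1 }'
}

# Print the modules holding a reference to $1 (4th field, comma-separated, "-"
# when none). A module cannot be unloaded while holders remain, so they go first.
module_holders() {
    awk -v m="$1" '$1 == m && $4 != "-" {
        n = split($4, d, ","); for (i = 1; i <= n; i++) if (d[i] != "") print d[i] }'
}

# Print the unload commands for every vulnerable module found in the
# /proc/modules text passed as $1, each module preceded by its holders.
unload_plan() {
    modules_text="$1"
    printf '%s\n' "$modules_text" | loaded_vuln_modules | while read -r mod; do
        printf '%s\n' "$modules_text" | module_holders "$mod" | while read -r holder; do
            echo "modprobe -r $holder"
        done
        echo "modprobe -r $mod"
    done
}

# sha256 of a file as the kernel currently serves it, page cache included.
file_digest() { sha256sum "$1" 2>/dev/null | cut -d' ' -f1; }

# Verify a file against the package that owns it: rpm on AlmaLinux/CloudLinux-style
# systems, dpkg on Debian-style systems. Non-zero exit means differences were reported.
verify_owner_package() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -Vf "$1"
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg -V "$(dpkg -S "$1" | cut -d: -f1)"
    else
        echo "no rpm/dpkg found; verify $1 manually" >&2
        return 1
    fi
}

# Full procedure (root required). Digests are taken before and after the cache
# drop: a digest that changes means the cached copy differed from the on-disk copy,
# which is exactly what the page-cache corruption described in the article leaves behind.
apply_mitigation() {
    before=$(mktemp)
    for f in $CHECK_FILES; do echo "$f $(file_digest "$f")"; done > "$before"
    unload_plan "$(cat /proc/modules)" | while read -r cmd; do echo "+ $cmd"; $cmd; done
    sync
    sh -c "echo 3 > /proc/sys/vm/drop_caches"        # the article's cache-drop command
    while read -r f old; do
        new=$(file_digest "$f")
        if [ "$old" = "$new" ]; then
            echo "unchanged: $f"
        else
            echo "CHANGED after drop_caches (cached copy differed from disk): $f"
        fi
        verify_owner_package "$f" || echo "package verification reported differences: $f"
    done < "$before"
    rm -f "$before"
}

case "${1:-}" in
    --plan)  unload_plan "$(cat /proc/modules)" ;;
    --apply) [ "$(id -u)" -eq 0 ] || { echo "--apply must run as root" >&2; exit 1; }
             apply_mitigation ;;
    *)       echo "usage: $0 --plan | --apply" >&2 ;;
esac
```

Run `--plan` first to see which of the named modules are actually loaded and which other modules hold them; `--apply` then performs the unload, the cache drop and the verification. Taking the digests before the drop matters: once the cache is dropped the binaries are read fresh from disk and will verify clean, so the before/after comparison is the only point at which earlier page-cache tampering is still observable.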
Related Vulnerabilities and Broader Implications
Fragnesia is part of a troubling trend of complex kernel flaws that emerge from security patches themselves. The xfrm-ESP module has historically been a source of bugs due to its intricate handling of network packets and memory. The introduction of an AI-auditing tool in the discovery of Fragnesia also signals a new era in vulnerability research, where automated agents can rapidly find subtle bugs that human reviewers might miss.
Copy Fail's inclusion in CISA's KEV catalog indicates that attackers are already weaponizing these types of bugs. While there is currently no evidence of in-the-wild exploitation of Fragnesia, the public availability of proof-of-concept code reduces the barrier for threat actors. Administrators should act proactively rather than wait for an exploit to appear.
Finally, the Fragnesia disclosure serves as a cautionary tale about the complexity of maintaining secure kernels. As the Linux codebase grows and features like IPsec evolve, the risk of regressions increases. Collaborative efforts between kernel developers, security researchers, and distribution maintainers are essential to identify and fix such vulnerabilities quickly.
Administrators are advised to regularly update their kernels and subscribe to security notification services to stay ahead of emerging threats.
Source: Help Net Security News