Fragnesia’s New Linux Kernel LPE Provides Root Access Via Page Cache Corruption
Details have emerged about a new variant of the latest Dirty Frag Linux local privilege escalation (LPE) vulnerability that allows local attackers to gain root access, making it the third such bug to be identified in the kernel within a two-week period.
Named in code Fragnesiathe security vulnerability is tracked as CVE-2026-46300 (CVSS score: 7.8) and is based on the Linux kernel’s XFRM ESP-in-TCP subsystem. It was discovered by researcher William Bowling of the V12 security team.
“The vulnerability allows unprivileged local attackers to modify the contents of a read-only file in the kernel’s page cache and gain root privileges by exploiting a classic page corruption exploit,” Google-owned Wiz said.
Advice has been issued by many Linux distributions –
“This is a separate bug from ESP/XFRM in Dirty Frag that got its own patch,” V12 said. “However, it’s in the same place and the mitigation is the same as Dirty Frag. It exploits a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve ambiguous byte writes to the kernel page cache of read-only files, without requiring any race condition.”
Fragnesia is similar to Copy Fail and Dirty Frag (also known as Copy Fail 2) in that it quickly exposes root on all major distributions by accessing memory written to the kernel and corrupting the cache memory of the /usr/bin/su binary page. A proof-of-concept (PoC) exploit was released by V12.
“Customers already using Dirty Frag mitigation do not need any further action until the patched kernels are released,” CloudLinux maintainers said. Red Hat said it is conducting testing to ensure that existing mitigations extend to CVE-2026-46300.
Wiz also noted that AppArmor’s restrictions on unprivileged username areas may act as a minor mitigation, requiring additional passes to be successfully exploited. However, unlike Dirty Frag, no host-level privileges are required.
“A patch is available, and while no wild exploits have been observed at this time, we urge users and organizations to install this patch as soon as possible by using the update tools,” Microsoft said. “If patching isn’t possible right now, consider using the same Dirty Frag mitigation.”
This includes disabling esp4, esp6, and related xfrm/IPsec functionality, restricting unnecessary local shell access, hardening containerized workloads, and increasing monitoring for unusual privilege escalation activity.
The development comes as a threat actor named “berz0k” has been spotted advertising on cybercrime forums a zero-day Linux LPE exploit for $170,000, claiming it works on multiple Linux distributions.
“The threat actor claims that the vulnerability is based on TOCTOU (Time-of-Owner Test), which can escalate local privileges without causing a system crash, and uses a shared object (.so) payload dropped into the tmp directory,” ThreatMon said in a post on X.
