Fragnesia Is Yet Another Local Privilege Escalation Flaw in Linux Kernel
Fragnesia (CVE-2026-46300) is a bug in the IPsec XFRM ESP-in-TCP subsystem, part of the Dirty Frag vulnerability class. It’s called Fragnesia because the skb “forgets” that a frag is shared during coalescing. The good news this time is that the mitigations for Dirty Frag also apply to Fragnesia.
In other words, if you already applied the mitigations from our Dirty Frag article, you’re not affected by Fragnesia. However, to fully patch both flaws in your Linux system, you will need to apply a Linux kernel update that includes patches for both Dirty Frag and Fragnesia.
Update
More:
- Security Week ☛ New Linux Kernel Vulnerability Fragnesia Allows Root Privilege Escalation
The vulnerability, tracked as CVE-2026-46300, is similar to the recently disclosed exploits named Dirty Frag and Copy Fail.
- AI is speeding up Linux flaw discovery as Fragnesia hits servers
Linux administrators have another kernel flaw to put at the top of the list. Fragnesia, tracked as CVE-2026-46300, is a local privilege escalation bug that lets an unprivileged user corrupt read-only file contents in the kernel page cache and work toward root access. That is not a remote internet worm by itself, but it is exactly the kind of weakness that matters once an attacker already has a foothold, a shell, a compromised developer account, or a workload running inside a shared environment.
- Bleeping Computer ☛ New Fragnesia Linux flaw lets attackers gain root privileges
Known as Fragnesia and tracked as CVE-2026-46300, this security flaw stems from a logic bug in the Linux XFRM ESP-in-TCP subsystem that can enable unprivileged local attackers to gain root privileges by writing arbitrary bytes to the kernel page cache of read-only files.
- Hackster ☛ Another Day, Another Local Privilege Escalation Vulnerability in Linux: Meet Fragnesia
Security researcher William Bowling has warned of yet another universal local privilege escalation (LPE) vulnerability in the Linux kernel, dubbed Fragnesia — the fourth to be publicly disclosed in just two weeks.
- InfoSecurity Magazine ☛ New Fragnesia Flaw Hands Linux Local Users Root Access
A new variant in the Dirty Frag family of Linux local privilege escalation flaws has surfaced, the third root-level Linux kernel bug disclosed in three weeks.
- Security Affairs ☛ Linux Kernel bug Fragnesia allows local root access attacks
Researchers disclosed a new Linux kernel privilege escalation vulnerability named Fragnesia, tracked as CVE-2026-46300 (CVSS score of 7.8). The flaw affects the XFRM ESP-in-TCP subsystem and could allow local attackers to gain full root access by corrupting the kernel page cache.
- ZDNet ☛ The third major Linux kernel flaw in two weeks has been found - thanks to AI
- Cybernews ☛ Patching one Linux kernel critical exploit spawns another: a third vulnerability in two weeks
A fix for the previous Linux kernel critical exploit has seemingly introduced another critical local privilege escalation exploit, a third in two weeks. Security professionals are now frustrated with disclosures dropping without any embargoes for defenders to prepare.
- TechRadar ☛ Another major Linux security issue uncovered - new Fragnesia flaw allows attackers to run malicious code as root
Security researchers have discovered a new vulnerability in the Linux kernel which could allow malicious actors to run code with elevated privileges, exposing systems to risk of data theft, malware deployment, and even full device takeover.
- Security Boulevard ☛ Fragnesia Extends Linux Kernel Security Challenge with Root-Level Exploit
The vulnerability, tracked as CVE-2026-46300 and dubbed Fragnesia, affects the Linux kernel’s XFRM ESP-in-TCP subsystem tied to IPsec networking support. The flaw enables an unprivileged user to alter cached file data held in memory, creating a direct route to full system compromise.
- The Register UK ☛ Dirty Frag gets a sequel as Fragnesia hands Linux attackers root-level access
Linux admins hoping Dirty Frag was a one-off horror from the kernel networking stack are about to have a considerably worse week.
Researchers at Wiz have published an analysis of "Fragnesia," a Linux kernel local privilege escalation flaw discovered by William Bowling of the V12 security team that allows unprivileged users to gain root by corrupting page cache memory. The bug, tracked as CVE-2026-46300, has public proof-of-concept exploit code documented by V12 on GitHub that demonstrates the vulnerability being used against /usr/bin/su to spawn a root shell.
- SQ Magazine ☛ Fragnesia Exploit Threatens Major Linux Distributions
A newly disclosed Linux kernel vulnerability called Fragnesia is raising concerns after researchers confirmed it can give local attackers full root access on several major Linux distributions.
- Ubuntu ☛ Fragnesia Linux kernel local privilege escalation vulnerability mitigations
The vulnerability does not have CVSS scores assigned in the CVE List or NVD, but Canonical’s assessment indicates a CVSS 3.1 score of 7.8, corresponding to a severity of HIGH.
Some more a day later:
- CSO ☛ Meet Fragnesia, the third Linux kernel vulnerability in a month
Linux admins reeling from handling last month’s CopyFail and last week’s Dirty Frag kernel vulnerabilities have a new headache to deal with: Fragnesia.
- Tenable Inc ☛ Fragnesia (CVE-2026-46300): Frequently asked questions about new Linux Kernel XFRM ESP-in-TCP privilege escalation
A new Linux kernel local privilege escalation exploit with a public proof-of-concept targets the same subsystem as Dirty Frag but requires a separate patch.
- Unicorn Media ☛ Fragnesia, ssh-keysign‑pwn, and the Month of Living Dangerously on Linux
From Copy Fail to Dirty Frag to Fragnesia and ssh-keysign‑pwn: AI‑driven bug hunters are turning the GNU/Linux kernel into a shooting gallery.
- Help Net Security ☛ Fragnesia: New Linux kernel LPE bug was spawned by Dirty Frag patch (CVE-2026-46300)
Like Dirty Frag, it affects the same Linux module (xfrm-ESP). In fact, according to Dirty Frag discoverer Hyunwoo Kim, Fragnesia was “accidentally activated” by the patch fixing one of the original Dirty Frag vulnerabilities (i.e., CVE-2026-43284).
- Tech Times ☛ Fragnesia Flaw Hands Linux Users Root Access: Third Kernel Bug in Two Weeks, Born From Patch
- Dolphin Publications B V ☛ It’s raining Linux vulnerabilities: what’s going on? [Ed: All local, too much hype]
In recent weeks, alarm bells have been ringing repeatedly over critical vulnerabilities in the Linux kernel. Why is that?
- New Linux privilege escalation flaw ‘Fragnesia’ disclosed; PoC available
Linux kernel maintainers patched a new local privilege escalation (LPE) flaw dubbed “Fragnesia” on Wednesday, with a proof-of-concept (PoC) exploit published by researchers.
- Linux Kernel Fragnesia Privilege Escalation Vulnerability (CVE-2026-46300) Notice
Recently, NSFOCUS CERT detected that the Linux kernel Fragnesia privilege escalation vulnerability (CVE-2026-46300) was disclosed online. Fragnesia is a new variant of Dirty Frag; due to the logical defects in the processing of shared page fragments by the ESP-in-TCP subsystem during the skb merge process, a local attacker with ordinary permissions can inject arbitrary bytes into the page cache of key binary files such as /usr/bin/su by constructing a specific splice+ULP trigger sequence, thereby obtaining system root permissions. In a multi-tenant server, jump server or container cloud environment, ordinary users and processes in containers can use this to achieve local privilege escalation or container escape. The CVSS score is 7.8. At present, the vulnerability details and PoC have been made public. Relevant users are requested to take measures to protect themselves as soon as possible.
2 more:
- LinuxStans ☛ AI Just Found Another Linux Zero-Day and Security Researchers Are Freaking Out
If you thought the security circus was over after copyfail, dirty frag, and fragnesia, think again. The Linux kernel just took another hit with CVE-2026-46333, and the timing couldn’t be worse. Security researchers dropped this bomb on May 15th, and the community is already calling it “ssh-keysign-pwn.”
- Hacker News ☛ New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption
Details have emerged about a new variant of the recent Dirty Frag Linux local privilege escalation (LPE) vulnerability that allows local attackers to gain root access, making it the third such bug to be identified in the kernel within a span of two weeks.