Fragnesia: Critical Linux Kernel Vulnerability Grants Root Access via Page Cache Corruption
A newly discovered security flaw, dubbed Fragnesia and tracked as CVE-2026-46300, has been identified in the Linux kernel’s XFRM ESP-in-TCP subsystem. This vulnerability allows unprivileged local attackers to escalate their privileges to root by corrupting the kernel’s page cache, thereby modifying read-only file contents. The flaw was uncovered by security researcher William Bowling of the V12 security team.
Fragnesia is the third local privilege escalation (LPE) vulnerability reported in the Linux kernel within a two-week span, following the disclosures of Copy Fail and Dirty Frag. Similar to its predecessors, Fragnesia enables attackers to achieve root access by exploiting a logic bug that permits arbitrary byte writes into the kernel page cache of read-only files. This exploitation does not require race conditions, making it highly reliable and dangerous.
The vulnerability affects multiple Linux distributions, including Ubuntu, Red Hat Enterprise Linux, Fedora, CentOS Stream, AlmaLinux, and openSUSE Tumbleweed. In response, several distributions have released advisories and patches to address the issue. For instance, Ubuntu has provided mitigations that involve disabling the affected kernel modules, specifically the esp4, esp6, and rxrpc modules. However, this mitigation can disrupt services relying on IPsec VPNs and AFS systems.
Security experts emphasize the severity of Fragnesia due to its deterministic nature and high success rate. Unlike traditional vulnerabilities that depend on timing windows or race conditions, Fragnesia’s exploitation is straightforward and does not induce kernel panics upon failure. This makes it a significant threat to systems running affected Linux distributions.
To protect systems from potential exploitation, administrators are urged to apply the available patches promptly. If immediate patching is not feasible, temporary mitigations include disabling the vulnerable kernel modules and restricting unnecessary local shell access. Additionally, hardening containerized workloads and increasing monitoring for abnormal privilege escalation activities are recommended.
The discovery of Fragnesia underscores the ongoing challenges in maintaining the security of the Linux kernel. It highlights the need for continuous vigilance and prompt response to emerging vulnerabilities to safeguard systems against potential threats.
