Fragnesia: High-Severity Linux Kernel Flaw Gives Local Users Root, Bypasses Recent Patches

New 'Fragnesia' Linux Flaw (CVE-2026-46300) Allows Root Access; PoC Exploit Released

CRITICAL
May 14, 2026
May 17, 2026
5m read
Vulnerability, Cyberattack

Related Entities (initial)

Organizations: V12 Security

Other: William Bowling

CVE Identifiers: CVE-2026-46300

Full Report (when first published)

Executive Summary

A new high-severity local privilege escalation (LPE) vulnerability named Fragnesia (CVE-2026-46300) has been discovered in the Linux kernel. The flaw sits in the XFRM ESP-in-TCP code and lets a local, unprivileged user gain full root privileges. It was disclosed on May 13, 2026 together with a working proof-of-concept (PoC) exploit on GitHub, so for most users the fix and the exploit arrived at the same time, a zero-day situation in practice. Fragnesia bypasses the fix for the recently patched, related 'Dirty Frag' family, which makes it particularly dangerous: systems that were just updated for Dirty Frag may still be vulnerable. Like the earlier 'Dirty Pipe' bug, the exploit corrupts the kernel's page cache, so the cached contents of read-only, root-owned files such as /usr/bin/su can be changed without the file on disk ever being written.

Vulnerability Details

  • CVE: CVE-2026-46300
  • Name: Fragnesia
  • Type: Local Privilege Escalation (LPE)
  • Mechanism: Page-cache corruption reached through the XFRM ESP-in-TCP (RFC 8229) code, which the kernel exposes as the espintcp TCP upper-layer protocol (attached to a TCP socket with the TCP_ULP socket option).
  • Impact: An unprivileged local user can execute code with root privileges.
  • Root Cause: The vulnerability is an extension of the 'Dirty Frag' family of bugs (CVE-2026-43284, CVE-2026-43500). A user who can configure IPsec ESP-in-TCP sockets can trigger memory corruption in the kernel, and that corruption can be steered into writing attacker-controlled data into the page cache of a read-only file. XFRM configuration normally requires CAP_NET_ADMIN, which an unprivileged user obtains over a network namespace of its own by first creating a user namespace; this is why unprivileged user-namespace creation is the prerequisite for the public PoC. The PoC overwrites the cached pages of the su binary and then executes it to obtain a root shell; the file on disk is never modified.

Affected Systems

  • Products: Linux kernel versions that include the vulnerable code paths in the XFRM ESP-in-TCP subsystem.
  • Configurations: The public PoC creates a user namespace (CLONE_NEWUSER) to gain CAP_NET_ADMIN over its own network namespace, so the vulnerability is readily exploitable wherever unprivileged users may create user namespaces, which is the default on many distributions. Distributions that restrict this by default, such as Ubuntu through its AppArmor restriction on unprivileged user namespaces (kernel.apparmor_restrict_unprivileged_userns=1), are more resistant to the public PoC but are not immune to the underlying flaw, which any process already holding CAP_NET_ADMIN over a network namespace can reach regardless of how it obtained that capability.

Exploitation Status

A working proof-of-concept exploit was released publicly alongside the disclosure, which reduces the effort of exploitation to cloning a repository and compiling it. Because this is a local flaw there is nothing to scan for over the network; administrators should instead assume that anyone holding a shell on a multi-user Linux system, including a foothold gained through a compromised web application or CI job, will attempt it.

Impact Assessment

The business impact of Fragnesia is critical for any organization running multi-user Linux systems, including cloud providers, hosting companies, and enterprises with shared development servers. A successful exploit grants an attacker complete control over the affected system. This could lead to:

  • Theft, modification, or destruction of all data on the server.
  • Installation of persistent backdoors or rootkits.
  • Use of the compromised server to attack other systems on the network.
  • Complete disruption of services hosted on the machine.

Because the PoC is public, even low-skilled attackers can now attempt to escalate privileges on vulnerable systems.

Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

  • Command line pattern: unshare -r or unshare -U. The exploit needs a new user namespace. An attacker working by hand may create one with the unshare command, but a compiled PoC calls unshare(2) or clone(2) with CLONE_NEWUSER directly and never shows up on a command line, so hunt on the system call rather than the command.
  • System call: socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) followed by setsockopt(fd, SOL_TCP, TCP_ULP, "espintcp", ...). The vulnerable ESP-in-TCP code is reached by attaching the espintcp upper-layer protocol to a TCP socket. Unprivileged processes have no ordinary reason to set TCP_ULP at all, so its use from an auid of 1000 or above is a strong indicator.
  • Log source: auditd. Log unshare, clone and setsockopt calls and executions of setuid binaries by unprivileged users (auid>=1000 and auid!=unset), then look for the three in sequence within one login session.
  • File integrity monitoring: alerts on page-cache modification of setuid binaries. The corrupted bytes live only in the page cache, so the on-disk blocks, the inode and its mtime/ctime do not change and metadata-based FIM misses the attack. Every ordinary read() of the file is served from the page cache, however, so a tool that re-hashes /usr/bin/su (or runs rpm -V or debsums) while the tampered page is still cached does see the mismatch; once the page is evicted the file reads clean again, so the window is short. An EDR that correlates setuid-binary execution with preceding user-namespace creation and TCP_ULP use by the same user is the more reliable signal.

Detection Methods

  • Vulnerability Scanning: Use vulnerability scanners to identify kernels that are known to be vulnerable. Check the running kernel with uname -r and compare it against the fixed versions in your distribution's advisory; distributions backport fixes without bumping the upstream version string, so compare the full package version (for example from dpkg -l linux-image-$(uname -r) or rpm -q kernel) rather than the upstream version number alone.
  • Log Analysis: Hunt for the use of unshare by unexpected user accounts in your auditd or system logs. Correlate this with network-related system calls or kernel module loading activity.
  • Live Patching Service Logs: If using a service like KernelCare, check its logs to confirm that a live patch for CVE-2026-46300 has been successfully applied.

Remediation Steps

  1. Patch Immediately: The most effective solution is to update the Linux kernel to a version that contains the fix for CVE-2026-46300. Monitor your Linux distribution's security advisories and apply the update as soon as it is available.
  2. Apply Live Patching: For systems that cannot be rebooted immediately, use a live patching service like KernelCare or kpatch to apply the fix to the running kernel without downtime.
  3. Workaround (Temporary Mitigation): If a patch is not yet available, keep the vulnerable code from being reached by blocking the relevant kernel modules from loading, for example by adding install esp4_tunnel /bin/true and install esp6_tunnel /bin/true (each on its own line) to a file in /etc/modprobe.d/. Two caveats: the install directive only prevents future loads, so unload anything already loaded with rmmod (or reboot), and verify the module names against your distribution's advisory and lsmod. In mainline the ESP transforms ship as esp4 and esp6, and the ESP-in-TCP ULP itself (CONFIG_INET_ESPINTCP) is compiled into the XFRM core rather than built as a module, so confirm that the blocked modules actually close the path on your kernel before relying on this.
  4. Restrict User Namespaces: As a broader hardening measure, stop unprivileged users from creating user namespaces. The sysctl kernel.unprivileged_userns_clone=0 exists only on kernels carrying the Debian/Ubuntu patch; mainline kernels offer user.max_user_namespaces=0 (which also stops root from creating new ones) and Ubuntu additionally offers kernel.apparmor_restrict_unprivileged_userns=1. Be aware that this breaks legitimate applications that rely on unprivileged user namespaces, such as rootless Docker and Podman, Flatpak and other bubblewrap-based sandboxes, and browser sandboxes (rootful Docker is unaffected).
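Steps 3 and 4 depend on two facts about the host that the Affected Systems section also turns on: whether an unprivileged process may create a user namespace, and whether the ESP-in-TCP code is reachable at all. The following script is an added example, not the article's code or the researcher's PoC: it reads the relevant sysctls, lists the TCP upper-layer protocols the kernel has registered (/proc/sys/net/ipv4/tcp_available_ulp), and tries unshare(CLONE_NEWUSER) in a forked child so the answer reflects seccomp and AppArmor policy, not just configuration. It assumes Linux with a libc that exports unshare(); sysctls absent on a given kernel are reported as None.

```python
"""Posture check for the Fragnesia prerequisites on one Linux host.

Added example, not the article's code or the researcher's PoC. Assumptions:
Linux with a libc exporting unshare(); sysctl files missing on this kernel
are reported as None rather than treated as an error.
"""
import ctypes
import os

CLONE_NEWUSER = 0x10000000  # include/uapi/linux/sched.h

SYSCTLS = {
    # Debian/Ubuntu/Arch-patched kernels only; absent on mainline
    "kernel.unprivileged_userns_clone": "/proc/sys/kernel/unprivileged_userns_clone",
    # mainline limit; 0 disables new user namespaces for everyone, root included
    "user.max_user_namespaces": "/proc/sys/user/max_user_namespaces",
    # Ubuntu AppArmor restriction for unconfined unprivileged callers
    "kernel.apparmor_restrict_unprivileged_userns": "/proc/sys/kernel/apparmor_restrict_unprivileged_userns",
}
ULP_LIST = "/proc/sys/net/ipv4/tcp_available_ulp"


def read_proc(path):
    """Stripped contents of a /proc file, or None if it does not exist here."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None


def parse_available_ulp(text):
    """tcp_available_ulp is a space-separated list of registered ULP names."""
    return set(text.split()) if text else set()


def userns_policy(values):
    """Classify the configured user-namespace policy from sysctl values (str or None)."""
    if values.get("kernel.unprivileged_userns_clone") == "0":
        return "blocked by kernel.unprivileged_userns_clone=0"
    if values.get("user.max_user_namespaces") == "0":
        return "blocked by user.max_user_namespaces=0"
    if values.get("kernel.apparmor_restrict_unprivileged_userns") == "1":
        return "restricted by AppArmor (unconfined callers denied)"
    return "allowed by configuration"


def can_create_userns():
    """Try unshare(CLONE_NEWUSER) in a child. Returns (ok, code): code is the errno
    on failure, a negative signal number if seccomp killed the child, or None when
    the probe cannot run on this platform. The parent process is never altered."""
    if not hasattr(os, "fork") or os.uname().sysname != "Linux":
        return None, None
    try:
        unshare = ctypes.CDLL(None, use_errno=True).unshare
    except (OSError, AttributeError):
        return None, None
    pid = os.fork()
    if pid == 0:  # child: report the result through its exit status
        rc = unshare(CLONE_NEWUSER)
        os._exit(0 if rc == 0 else (ctypes.get_errno() or 1))
    _, status = os.waitpid(pid, 0)
    code = os.waitstatus_to_exitcode(status)
    return code == 0, code


def assess():
    """Everything a responder wants before choosing between the workarounds."""
    values = {name: read_proc(path) for name, path in SYSCTLS.items()}
    ok, code = can_create_userns()
    ulps = parse_available_ulp(read_proc(ULP_LIST))
    return {
        "kernel": os.uname().release if hasattr(os, "uname") else None,
        "sysctls": values,
        "userns_policy": userns_policy(values),
        "userns_creatable": ok,  # True: the PoC's first step works for this user
        "userns_errno": code,
        # registered means the ESP-in-TCP ULP is attachable to a socket even if
        # the esp4/esp6 modules are blocked from loading
        "espintcp_ulp_registered": "espintcp" in ulps,
    }


if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key}: {value}")
```

Run it as the unprivileged account you are worried about, not as root, since the empirical probe answers for the calling user. If espintcp still appears in the registered ULP list after applying the modprobe workaround, the ULP is compiled in and the workaround only removed what the blocked modules provided; pair it with the user-namespace restriction until the patched kernel is running.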

Timeline of Events

  1. May 13, 2026: The Fragnesia vulnerability (CVE-2026-46300) and a working PoC exploit were publicly disclosed by researcher William Bowling.
  2. May 18, 2026: This article was published.

Article Updates

May 17, 2026

New details on 'Fragnesia' (CVE-2026-46300) Linux kernel flaw include attack flow, expanded impact on containers/cloud, and confirmation of emergency patches from major distributions.

MITRE ATT&CK Mitigations

  • Apply the kernel patch provided by the Linux distribution vendor as soon as it becomes available.
  • As a temporary workaround, block the vulnerable kernel modules from loading (esp4_tunnel and esp6_tunnel as named above, or whatever names your vendor's advisory gives) so the code path cannot be triggered.
  • Harden the OS by disabling unprivileged user namespaces (kernel.unprivileged_userns_clone=0 where the kernel carries that sysctl, otherwise user.max_user_namespaces=0) to block this and similar LPE exploits, if application compatibility allows.
  • Audit (M1047, Enterprise): Use auditd or similar tools to monitor for suspicious system calls such as unshare being used by unprivileged users.

D3FEND Defensive Countermeasures

The primary and most effective remediation for CVE-2026-46300 is to update the Linux kernel. Administrators must closely monitor security advisories from their specific Linux distribution (e.g., Red Hat, Debian, Canonical) and apply the patched kernel version as soon as it is released. For environments with high uptime requirements where reboots are disruptive, deploying a live patch using services like TuxCare's KernelCare or kpatch is the recommended alternative. This allows the vulnerability to be fixed in the running kernel without a system restart, providing immediate protection against the publicly available exploit. Verifying the new kernel version with uname -r or checking the live patching service status is a critical final step.

As a hardening and mitigation technique, restrict the actions of unprivileged users with system call filtering. For Fragnesia and similar LPEs that means denying unshare(2) and clone(2) with CLONE_NEWUSER to non-root users, which a seccomp-bpf profile can do by inspecting the flags argument; clone3(2) passes its flags in a struct that seccomp cannot inspect, so a complete profile must deny clone3 outright (returning ENOSYS makes libc fall back to clone, where the flags are visible). The broader OS-level equivalent is the sysctl kernel.unprivileged_userns_clone=0 on kernels that carry it, or user.max_user_namespaces=0 on mainline kernels. This is an effective control but must be tested carefully: rootless Docker and Podman, Flatpak and other bubblewrap-based sandboxes, and browser sandboxes rely on unprivileged user namespaces for isolation (rootful Docker does not). It is best suited to multi-user servers where user activity can be controlled more strictly.

To detect active exploitation of Fragnesia, start from what the PoC actually changes: the cached pages of a read-only, root-owned binary such as /usr/bin/su, not the blocks on disk and not the inode. FIM that relies on mtime/ctime or on hashes of the on-disk blocks will therefore miss it. Any tool that re-reads the file through the page cache, which is what sha256sum, rpm -V and debsums do, sees the tampered bytes for as long as the page stays cached, so a scheduled re-hash of setuid binaries against package-manager digests does catch it, with the caveat that eviction of the page (or a reboot) makes the file read clean again and erases the evidence. An EDR or advanced FIM agent that compares the page-cache view with the on-disk view, or that alerts on setuid binaries executing shortly after user-namespace creation and TCP_ULP use by the same user, closes that gap. In addition, configure auditd to log executions of setuid binaries (-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k su_exec) and review executions that occur under suspicious circumstances, such as immediately after an unshare call from the same session.
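The page-cache point made here and in the hunting hints above is easiest to see in code. The following is an added example, not the article's or any vendor's code: it hashes a file as read() sees it (through the page cache), hashes it again with O_DIRECT where the filesystem allows it (bypassing the cache), and classifies the result against an expected digest and the inode metadata recorded at baseline. The expected digest is assumed to come from the package manager or an install-time baseline; the sample file in selfcheck() is constructed.

```python
"""Tell page-cache-only tampering of a setuid binary apart from an on-disk change.

Added example, not the article's code. A Dirty Pipe-style page-cache write
changes what read() and execve() see but leaves the on-disk blocks and the
inode (size, mtime, ctime) untouched. Three views are compared: the buffered
read, an O_DIRECT read where supported, and the inode metadata. The expected
digest is assumed to come from rpm -V / debsums or an install-time baseline.
"""
import hashlib
import mmap
import os
import stat
import tempfile

CHUNK = 1 << 20  # page aligned and a multiple of any logical block size


def sha256_buffered(path):
    """Hash the file the way every ordinary reader, and the ELF loader, sees it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def sha256_direct(path):
    """Hash the on-disk bytes, bypassing the page cache. Returns None where
    O_DIRECT is unsupported (tmpfs, some overlay and network filesystems)."""
    flag = getattr(os, "O_DIRECT", None)
    if flag is None:
        return None
    try:
        fd = os.open(path, os.O_RDONLY | flag)
    except OSError:
        return None
    buf = mmap.mmap(-1, CHUNK)  # anonymous mapping: page aligned, as O_DIRECT requires
    h = hashlib.sha256()
    try:
        while True:
            n = os.readv(fd, [buf])
            if n <= 0:
                break
            h.update(buf[:n])
        return h.hexdigest()
    except OSError:
        return None
    finally:
        buf.close()
        os.close(fd)


def file_meta(path):
    """Inode facts a page-cache write does not alter."""
    st = os.stat(path)
    return (st.st_size, st.st_mtime_ns, st.st_ctime_ns)


def classify(expected, buffered, direct, meta_baseline, meta_now):
    """Verdict from the three views of the file plus its inode metadata."""
    if buffered == expected:
        return "clean"
    if meta_now != meta_baseline:
        return "on-disk modification"        # a real write or a package replacement
    if direct is not None and direct == expected:
        return "page-cache-only tampering"    # disk intact, cached pages are not
    return "content mismatch, metadata unchanged"


def check_binary(path, expected, meta_baseline):
    """Classify one file against its baseline digest and metadata."""
    return classify(expected, sha256_buffered(path), sha256_direct(path),
                    meta_baseline, file_meta(path))


def find_setuid(roots=("/usr/bin", "/usr/sbin")):
    """Enumerate setuid-root regular files: the natural targets of such a write."""
    found = set()
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                p = os.path.join(dirpath, name)
                try:
                    st = os.lstat(p)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == 0:
                    found.add(p)
    return sorted(found)


def selfcheck():
    """Exercise the classifier on a constructed file; returns the verdicts."""
    data = b"\x7fELF constructed stand-in for a setuid binary\n" * 64
    expected = hashlib.sha256(data).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "su")
        with open(p, "wb") as f:
            f.write(data)
        meta = file_meta(p)
        direct = sha256_direct(p)
        bogus = "0" * 64
        return {
            "clean": check_binary(p, expected, meta),
            "direct_consistent": direct is None or direct == expected,
            "cache_only": classify(expected, bogus, expected, meta, meta),
            "on_disk": classify(expected, bogus, bogus, meta, (meta[0], meta[1] + 1, meta[2])),
            "unknown": classify(expected, bogus, None, meta, meta),
        }


if __name__ == "__main__":
    print(selfcheck())
    print(find_setuid()[:10])
```

Run check_binary() as a scheduled job over find_setuid() with digests from rpm -V or debsums: "page-cache-only tampering" is the Fragnesia and Dirty Pipe signature, while "on-disk modification" means a real write or a package upgrade. On filesystems without O_DIRECT the third view is unavailable, and a content mismatch with unchanged metadata is still worth an alert; the verdict is only meaningful while the tampered page is cached, so capture a copy of the file through the page cache before anything evicts it.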


Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis; Security Orchestration (SOAR/XSOAR); Incident Response & Digital Forensics; Security Operations Center (SOC); SIEM & Security Analytics; Cyber Fusion & Threat Sharing; Security Automation & Integration; Managed Detection & Response (MDR)

Tags

Linux, Vulnerability, LPE, CVE-2026-46300, Fragnesia, Dirty Pipe, Kernel, Root, PoC
