EresusSecurity
ERESUS-ADV-2026-007 | High | CVSS: 7.8

Fragnesia: Linux Kernel XFRM ESP-in-TCP Local Privilege Escalation (CVE-2026-46300)

Disclosed: 2026-05-17

Summary

Fragnesia (CVE-2026-46300) is a Linux kernel local privilege escalation vulnerability disclosed on May 14, 2026, by William Bowling of Zellic and the V12 security team. It is the third vulnerability in the page-cache corruption LPE class to be disclosed within a two-week period, following Copy Fail (CVE-2026-31431) and Dirty Frag (CVE-2026-43284, CVE-2026-43500). See ERESUS-ADV-2026-006 for the Dirty Frag advisory.

Fragnesia exploits a bug in the XFRM ESP-in-TCP subsystem — a different code path from Dirty Frag, but sharing the same exploitation class: deterministic page-cache corruption enabling root privilege escalation.

CVE ID: CVE-2026-46300
CVSS v3.1: 7.8 HIGH (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Systems

  • Subsystem: XFRM ESP-in-TCP kernel module
  • Distributions: Ubuntu, RHEL, Debian, Amazon Linux, SUSE, AlmaLinux, CloudLinux, Gentoo, and all distributions shipping unpatched kernel versions
  • Prerequisite: Local code execution (unprivileged user account sufficient)
  • Container note: Exploitation from within a container requires CAP_NET_ADMIN under default Kubernetes seccomp profiles

Technical Overview

Fragnesia leverages the same page-cache write primitive class as Dirty Frag and Copy Fail, but through the XFRM ESP-in-TCP module rather than the RxRPC or algif_aead paths. It is deterministic — no race condition required. A public exploit was available at time of disclosure.

Relation to Dirty Frag: The Dirty Frag module blocklist (install esp4 /bin/false, install esp6 /bin/false) also covers Fragnesia since both use the esp/xfrm subsystem.

Mitigation

If the Dirty Frag blocklist is already applied, no additional workaround action is needed. If not:

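# Run as root. Makes modprobe run /bin/false instead of loading esp4/esp6.
cat > /etc/modprobe.d/disable-esp-xfrm.conf << 'EOF'
install esp4 /bin/false
install esp6 /bin/false
EOF

# Unload the modules if they are currently loaded. Errors are suppressed,
# including "module is in use", so confirm with lsmod afterwards.
rmmod esp6 2>/dev/null || true
rmmod esp4 2>/dev/null || true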

Verify IPsec usage before applying: ip xfrm state list. If the output lists ESP states, blocking esp4 and esp6 will break that IPsec traffic.
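To confirm the workaround took effect, the following added example (not part of the original advisory) reports, for each module, whether an active install line is present and whether the module is still loaded. The function names, status strings and path parameters are assumptions of this example; the defaults are /etc/modprobe.d and /proc/modules.

```shell
#!/bin/sh
# Added example: audit the esp4/esp6 blocklist described in this advisory.
# Function names and status strings are hypothetical; paths are parameters so
# the check can run against constructed files as well as the live system.

# esp_module_status MODULE [MODPROBE_DIR] [PROC_MODULES_FILE]
# Prints: mitigated | blocked-but-loaded | unblocked-loaded | unblocked
esp_module_status() {
    mod=$1
    conf_dir=${2:-/etc/modprobe.d}
    proc_modules=${3:-/proc/modules}
    blocked=no
    loaded=no

    # Active (uncommented) "install <mod> /bin/false" line in any *.conf file.
    if grep -Eqs "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/bin/false[[:space:]]*$" \
        "$conf_dir"/*.conf; then
        blocked=yes
    fi

    # /proc/modules lists one loaded module per line, name in the first field.
    if awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }' \
        "$proc_modules" 2>/dev/null; then
        loaded=yes
    fi

    case "$blocked/$loaded" in
        yes/no)  echo mitigated ;;
        yes/yes) echo blocked-but-loaded ;;   # config written, rmmod failed or not run
        no/yes)  echo unblocked-loaded ;;
        *)       echo unblocked ;;            # can still be loaded on demand
    esac
}

# Report both modules named in the advisory against the live system.
audit_esp_blocklist() {
    for m in esp4 esp6; do
        printf '%s: %s\n' "$m" "$(esp_module_status "$m")"
    done
}

audit_esp_blocklist
```

A blocked-but-loaded result means the configuration file is in place but the module is still resident, which is the state a silenced rmmod failure leaves behind.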

Patch Status

Distribution advisories for CVE-2026-46300 were published simultaneously with disclosure on May 14, 2026 by: Ubuntu, Red Hat Enterprise Linux, Debian, Amazon Linux, SUSE, AlmaLinux, CloudLinux, and Gentoo.

Apply the latest vendor kernel update and confirm it includes CVE-2026-46300 in addition to CVE-2026-43284 and CVE-2026-43500.

Microsoft Defender Coverage

The existing Dirty Frag signatures cover Fragnesia exploit artifacts:

  • Trojan:Linux/DirtyFrag.Z!MTB
  • Trojan:Linux/DirtyFrag.DA!MTB
