
New Fragnesia Security Flaw Grants Root Access to Local Linux Users


New Variant of Linux Local Privilege Escalation Flaws Discovered: CVE-2026-46300

A new variant in the Dirty Frag family of Linux local privilege escalation vulnerabilities has been disclosed, the third root-level Linux kernel bug made public in the space of a few weeks. The vulnerability, named Fragnesia and tracked as CVE-2026-46300, lets any unprivileged local user become root, which is why it has drawn so much attention from the Linux community.

It was discovered by William Bowling, a researcher at Zellic, working with the V12 team. According to an analysis by the cloud security firm Wiz, Fragnesia was made public on May 13 together with a working proof-of-concept (PoC) exploit. With a public PoC in circulation, anyone with local access to an unpatched machine can reproduce it, so administrators should treat mitigation as urgent rather than wait for a mainline fix.

Implications of the Vulnerability

The flaw affects Linux kernels released before the May 13 disclosure. It lets an unprivileged local user write arbitrary bytes into the kernel's page cache for read-only files, and because the page cache is what every process is served when it reads or executes such a file, that primitive is enough to obtain root. With root, an attacker can run arbitrary code, tamper with any process, or plant persistence for later access.

Mechanism of the Flaw

The bug is in how the kernel tracks shared page fragments when socket buffers (skbs) are merged. Under a particular sequence of operations the bookkeeping goes wrong and the kernel loses track of which fragments are backed by file pages from the page cache, so it treats them like ordinary, writable network buffers.

An attacker triggers that sequence by feeding file contents into a TCP socket, so that the file's page-cache pages end up as fragments of queued skbs, and then enabling ESP-in-TCP encapsulation on the same socket. The kernel now treats the already-queued bytes as ESP payload and decrypts them in place, writing the output straight onto the cached file pages. Since AES-GCM decryption is an XOR with a keystream derived from a key and IV the attacker set up, the bytes that land on the page can be steered by the attacker.

Bowling's PoC does exactly this against /usr/bin/su: it rewrites the first bytes of the binary with a short payload that spawns a root shell, so the next execution of su runs the attacker's code. Only the kernel's in-memory copy of the binary changes; the file on disk is untouched. That cuts both ways for defenders: an offline disk image, or anything that reads the block device directly, shows a clean su, while every process on the live system (including integrity checkers that read the file normally) is served the modified pages until they are evicted from the cache.
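The on-disk/in-memory split described above suggests a direct check a responder can run on a live host: read a file once normally (served from the page cache) and once with O_DIRECT (which bypasses the cache and fetches the blocks from disk), then compare the two. The script below is an added example written for this page; it is not code from the Fragnesia PoC, from Wiz or from any distribution. It assumes GNU coreutils (dd with iflag=direct, sha256sum), and the function names and the choice of scanning every setuid-root binary rather than only /usr/bin/su are this example's own.

```shell
#!/bin/sh
# Added example (not from the Fragnesia PoC): compare the page-cache view of a
# file with its on-disk bytes. A normal read() is served from the page cache;
# O_DIRECT bypasses it, and the kernel writes back dirty pages before a direct
# read, so a legitimate pending write does not show up as a mismatch.
# Assumes GNU dd (iflag=direct) and sha256sum.

# Returns 0 if cached and on-disk content match, 1 if they differ, 2 if the
# file cannot be read with O_DIRECT (unreadable, or a filesystem such as tmpfs
# that has no backing store to compare against).
pagecache_matches_disk() {
    f="$1"
    [ -r "$f" ] || return 2
    tmp=$(mktemp) || return 2
    # O_DIRECT needs aligned buffers and block-multiple sizes; dd handles that.
    if ! dd if="$f" of="$tmp" iflag=direct bs=4096 2>/dev/null; then
        rm -f "$tmp"
        return 2
    fi
    cached=$(sha256sum < "$f" | cut -d' ' -f1)    # via the page cache
    ondisk=$(sha256sum < "$tmp" | cut -d' ' -f1)  # copy taken with O_DIRECT
    rm -f "$tmp"
    [ "$cached" = "$ondisk" ]
}

# Scan the setuid-root binaries on the usual paths. The PoC only rewrites
# /usr/bin/su, but any readable, page-cached file is a candidate, so the check
# is generalised to every setuid binary found. Prints one line per file and
# returns 1 if any file differs in memory from its on-disk copy.
scan_setuid_binaries() {
    bad=0
    for f in /usr/bin/su $(find /usr/bin /usr/sbin /bin /sbin -xdev -type f -perm -4000 2>/dev/null | sort -u); do
        [ -e "$f" ] || continue
        pagecache_matches_disk "$f" && st=0 || st=$?
        case $st in
            0) echo "ok        $f" ;;
            1) echo "MISMATCH  $f  (page cache differs from disk: treat as compromised)"
               bad=1 ;;
            *) echo "skipped   $f  (no O_DIRECT read possible)" ;;
        esac
    done
    return $bad
}

if scan_setuid_binaries; then
    echo "no page-cache/disk mismatches found"
else
    echo "WARNING: at least one binary differs in memory from its on-disk copy" >&2
fi
```

Run it as root (some setuid binaries are not world-readable) and, if anything reports MISMATCH, capture the cached bytes (a plain `cat` of the file) before rebooting or dropping caches, because the evidence lives only in memory. A "skipped" result on a real root filesystem usually means the filesystem refused O_DIRECT; fall back to comparing the live hash with the package manager's recorded hash or a known-good image.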

Origin and Context

Bowling describes Fragnesia as a distinct bug in the ESP/XFRM code rather than a variant of the original Dirty Frag. Hyunwoo Kim, who discovered Dirty Frag, notes that Fragnesia is an unintended side effect of the patches that fixed his earlier bugs, a reminder that a kernel fix in this area needs the same scrutiny as the code it replaces.

Fragnesia follows two other Linux kernel local privilege escalation flaws disclosed in the preceding weeks: Copy Fail (CVE-2026-31431), revealed on April 29, and Dirty Frag itself (CVE-2026-43284 and CVE-2026-43500), disclosed on May 7.

Steps Towards Remediation

A candidate fix was posted to the netdev mailing list on May 13, the day of disclosure, but had not been merged into the mainline kernel at the time of the report. Several Linux distributions have started shipping their own backported patches, so check your distribution's advisory rather than waiting for mainline.

Fragnesia relies on the same kernel modules as Dirty Frag: esp4, esp6 and rxrpc. Administrators who already blocked those modules to defend against Dirty Frag are therefore protected against Fragnesia as well until patches arrive. Blocking only helps where the code is a loadable module; on kernels that build ESP in rather than loading it, the remaining measures below are all that is left.

Beyond disabling the modules, restrict unprivileged user namespaces and monitor for unexpected namespace creation and XFRM manipulation. The namespace restriction matters because configuring XFRM state requires CAP_NET_ADMIN, which an ordinary user can only obtain over a fresh network namespace by first creating a user namespace; closing that path denies the exploit its setup step. These are stop-gaps while patches land, not substitutes for updating.
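The three interim measures (block the modules, restrict unprivileged user namespaces, audit namespace creation and XFRM access) can be staged as configuration fragments and reviewed before they touch a host. The script below is an added example for this page, not code from the article, Wiz, Zellic or any distribution. The file names under modprobe.d, sysctl.d and audit/rules.d are its own choice; the kernel constants it uses (CLONE_NEWUSER = 0x10000000, AF_NETLINK = 16, NETLINK_XFRM = 6) are from the Linux UAPI headers.

```shell
#!/bin/sh
# Added example (not from the article or any distribution): stage the interim
# mitigations for the Dirty Frag / Fragnesia family under a root directory so
# they can be reviewed before being copied into / on real hosts.

write_hardening_configs() {
    root="${1:-/}"
    mkdir -p "$root/etc/modprobe.d" "$root/etc/sysctl.d" "$root/etc/audit/rules.d"

    # 1. Keep esp4, esp6 and rxrpc from loading. "blacklist" only stops
    #    alias-based autoloading (e.g. when an IPsec SA is created); the
    #    "install" lines make an explicit modprobe fail as well. Neither
    #    unloads a module that is already loaded, and neither helps if the
    #    code is built into the kernel (see check_affected_modules).
    cat > "$root/etc/modprobe.d/fragnesia-interim.conf" <<'EOF'
install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false
blacklist esp4
blacklist esp6
blacklist rxrpc
EOF

    # 2. Restrict unprivileged user namespaces. user.max_user_namespaces is
    #    the upstream knob and applies to every user, so expect rootless
    #    containers, Flatpak and browser sandboxes to break.
    #    kernel.unprivileged_userns_clone exists only on kernels carrying the
    #    Debian/Ubuntu/Arch patch; sysctl warns about unknown keys, so it is
    #    left commented out for the administrator to enable where it exists.
    cat > "$root/etc/sysctl.d/99-fragnesia-interim.conf" <<'EOF'
user.max_user_namespaces = 0
# kernel.unprivileged_userns_clone = 0
EOF

    # 3. Audit trail for what the article says to watch. CLONE_NEWUSER is
    #    0x10000000 in a0 of unshare()/clone(); clone3() passes its flags in
    #    a struct, so a rule on a0 cannot see them and that path is covered
    #    only by the sysctl above. XFRM state is configured over an
    #    AF_NETLINK (16) socket with protocol NETLINK_XFRM (6).
    #    auid>=1000 / auid!=unset limits this to real login sessions;
    #    add matching arch=b32 rules on hosts that run 32-bit binaries.
    cat > "$root/etc/audit/rules.d/99-fragnesia-interim.rules" <<'EOF'
-a always,exit -F arch=b64 -S unshare,clone -F a0&0x10000000 -F auid>=1000 -F auid!=unset -k userns
-a always,exit -F arch=b64 -S socket -F a0=16 -F a2=6 -F auid>=1000 -F auid!=unset -k xfrm
EOF
}

# Report whether each affected module is loaded or built in. Prints one line
# per module and returns 1 if any of them is loaded or built in.
check_affected_modules() {
    rc=0
    for m in esp4 esp6 rxrpc; do
        if [ -r /proc/modules ] && grep -q "^$m " /proc/modules; then
            echo "$m: loaded (modprobe -r $m once no IPsec/AFS user needs it)"
            rc=1
        elif grep -qs "/$m\.ko" "/lib/modules/$(uname -r)/modules.builtin"; then
            echo "$m: built into this kernel; module blocking does not apply"
            rc=1
        else
            echo "$m: not loaded"
        fi
    done
    return $rc
}

stage="${STAGE_DIR:-/tmp/fragnesia-stage}"
write_hardening_configs "$stage"
echo "staged under $stage; after review copy the files into /, then run:"
echo "  modprobe -r esp4 esp6 rxrpc; sysctl --system; augenrules --load"
check_affected_modules || echo "note: at least one affected module is loaded or built in" >&2
```

Search the resulting audit log with `ausearch -k userns` and `ausearch -k xfrm`; a NETLINK_XFRM socket opened from an interactive, non-root session is rare enough on most fleets to be worth an alert on its own. Remember that root (or any process that already has CAP_SYS_MODULE) can still `insmod` the module file directly, so the modprobe configuration is a speed bump against auto-loading, not a security boundary.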

Three root-level kernel bugs in quick succession mean the patch status of every Linux host matters right now. Apply your distribution's backport as soon as it is available, keep the module and namespace restrictions in place until then, and watch the netdev and distribution advisories for the mainline fix.
