
Three Strikes in Two Weeks: Fragnesia Joins the Dirty Frag Family

Red | Vulnerability Report
Summary

Fragnesia (CVE-2026-46300) is a critical local privilege escalation vulnerability discovered in the Linux kernel’s XFRM ESP-in-TCP subsystem on May 13, 2026. This Linux kernel vulnerability represents the third local-root flaw identified within the same code area in just two weeks, following Copy Fail (CVE-2026-31431) and the Dirty Frag pair (CVE-2026-43284 and CVE-2026-43500). The Fragnesia vulnerability affects multiple Linux distributions including AlmaLinux 8/9/10, AlmaLinux Kitten 10, Amazon Linux, CloudLinux, Debian, Fedora, Gentoo, openSUSE, Red Hat Enterprise Linux, SUSE, Ubuntu, and OpenShift.

The Fragnesia vulnerability poses an immediate and severe risk to multi-tenant Linux environments, container clusters, CI/CD runners, build farms, cloud SaaS platforms running user code, and any host where untrusted users can obtain a local shell. Unlike its Dirty Frag predecessor, the Fragnesia vulnerability requires no host-level privileges, significantly expanding the population of attackers who can weaponize this Linux kernel vulnerability after any initial foothold, such as a compromised SSH account, web shell, container escape, or low-privileged service account. The deterministic, non-race-condition nature of the privilege escalation primitive substantially lowers the operational bar for reliable root escalation across vulnerable Linux kernels, magnifying the post-compromise blast radius of even minor initial intrusions.

Vulnerability Details

Fragnesia (CVE-2026-46300) is a new local privilege escalation (LPE) vulnerability in the Linux kernel’s XFRM ESP-in-TCP subsystem. This Linux kernel security flaw represents the third local-root vulnerability to surface in the same code area within two weeks. The Fragnesia vulnerability is a logic flaw in the Linux kernel’s socket-buffer fragment handling, classified within the same “Dirty Frag” family as CVE-2026-43284, CVE-2026-43500, and the earlier Copy Fail (CVE-2026-31431) page-cache corruption issues. Notably, the Fragnesia defect was introduced as an unintended side effect of an upstream patch shipped to address CVE-2026-43284, and was disclosed publicly on May 13, 2026.

At its root, the Fragnesia vulnerability lies in the skb_try_coalesce() function, which fails to propagate the SKBFL_SHARED_FRAG flag when paged fragments are transferred between socket buffers. As a result, the Linux kernel loses the metadata indicating that a fragment is externally backed, for example by page-cache pages spliced into the buffer from a file on disk. The XFRM ESP-in-TCP receive path subsequently performs in-place AES-GCM decryption directly over these page-cache pages, allowing an unprivileged process to XOR a chosen keystream into the cached contents of read-only files.

The vulnerable code paths sit in the esp4, esp6, and rxrpc kernel modules. All supported AlmaLinux releases (8, 9, 10) are affected through esp4/esp6, with AlmaLinux 9 and 10 additionally exposed via rxrpc only on hosts that install the kernel-modules-partner package; AlmaLinux 8 does not build rxrpc. Security advisories have also been published by Amazon Linux, CloudLinux, Debian, Gentoo, Red Hat Enterprise Linux, SUSE, and Ubuntu, confirming impact across essentially every major Linux distribution. Wiz researchers note that AppArmor restrictions on unprivileged user namespaces, such as those enabled by default on Ubuntu, may serve as a partial mitigation, though additional bypass primitives would be required for successful exploitation in those environments. Unlike Dirty Frag, the Fragnesia vulnerability requires no host-level privileges.

DirtyDecrypt, also known as DirtyCBC, is a variant of CopyFail, DirtyFrag, and Fragnesia. A recently patched local privilege escalation vulnerability in the Linux kernel’s rxgk module now has a proof-of-concept exploit that allows attackers to gain root access on some Linux systems. While there is no official CVE ID associated with this security flaw, Linux users on distributions potentially affected by DirtyDecrypt are advised to install the latest kernel updates as soon as possible.

The Fragnesia vulnerability (CVE-2026-46300) is classified under CWE-123 and affects the Linux Kernel (XFRM ESP-in-TCP / esp4, esp6, rxrpc modules) across multiple distributions. The affected CPE is cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*. This Linux kernel vulnerability has been patched but is not currently listed in the CISA KEV catalog and is not a zero-day vulnerability.

Recommendations

Organizations must apply vendor kernel patches immediately to address the Fragnesia vulnerability. Install the patched kernel released by your Linux distribution as soon as it is available and reboot to load the new kernel. AlmaLinux has shipped patched builds in its testing repository (kernel-4.18.0-553.124.3.el8_10, kernel-5.14.0-611.54.5.el9_7, kernel-6.12.0-124.56.3.el10_1) with production rollout to follow. Security advisories with patches or assessments have been published by Amazon Linux, CloudLinux, Debian, Gentoo, Red Hat Enterprise Linux, SUSE, and Ubuntu for this Linux kernel vulnerability. Because a public proof-of-concept exists for the Fragnesia vulnerability and the exploitation primitive is deterministic, patch deployment should be treated as urgent, particularly for multi-tenant hosts, container clusters, CI runners, and build farms.

For systems where immediate patching is not feasible, implement interim mitigation by blacklisting or unloading the vulnerable modules. Neutralize the attack surface by preventing the esp4, esp6, and rxrpc modules from loading. This is the same mitigation applied for Dirty Frag and addresses the Fragnesia vulnerability identically. Administrators can write a modprobe configuration that maps the install command for these modules to /bin/false and then unload any active instances, which is safe on workloads that do not use IPsec transport mode or AFS/rxrpc. Systems already protected against Dirty Frag through this method require no further mitigation action for the Fragnesia vulnerability.

Use the following command for interim mitigation of the Fragnesia vulnerability:

    sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"

This neutralizes the vulnerable code paths shared across the DirtyDecrypt, Dirty Frag, and Fragnesia cluster by preventing the esp4, esp6, and rxrpc modules from loading and by flushing the page cache to clear any pre-existing poisoned entries.

Drop the page cache after mitigation if compromise is suspected. Because the Fragnesia exploit corrupts page-cache pages of sensitive files such as /usr/bin/su and potentially /etc/passwd without altering the on-disk binaries, module blacklisting alone is insufficient on hosts that may have been targeted before the mitigation was applied. Executing echo 3 > /proc/sys/vm/drop_caches evicts cached pages so subsequent reads pull fresh content from disk, removing any in-memory tampering. This operation is safe to run on live Linux systems and is recommended after mitigation on any host with unexplained activity or shared-tenancy exposure.
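
A check that the interim mitigation above actually took effect, as an added example that is not part of the original advisory: it confirms that esp4, esp6 and rxrpc are mapped to /bin/false in a modprobe.d directory and are not resident in /proc/modules. The function names and the sample data are constructed for illustration, and only the one directory passed in is examined, not every modprobe configuration location.

```shell
#!/bin/sh
# Added example: audit the interim mitigation (install -> /bin/false, modules unloaded).
MODULES="esp4 esp6 rxrpc"

# is_blocked MODULE DIR: 0 if an active (uncommented) line in DIR/*.conf reads
# "install MODULE /bin/false".
is_blocked() {
    for f in "$2"/*.conf; do
        [ -f "$f" ] || continue
        awk -v m="$1" '$1 == "install" && $2 == m && $3 == "/bin/false" { hit = 1 }
                       END { exit !hit }' "$f" && return 0
    done
    return 1
}

# is_loaded MODULE FILE: 0 if MODULE is the first field of a /proc/modules-format line.
is_loaded() {
    awk -v m="$1" '$1 == m { hit = 1 } END { exit !hit }' "$2"
}

# audit [DIR] [FILE]: print one line per module and return the number of findings.
# Defaults are the live system paths; pass copies to audit offline.
audit() {
    conf_dir=${1:-/etc/modprobe.d} loaded=${2:-/proc/modules} findings=0
    for m in $MODULES; do
        b=yes l=no
        is_blocked "$m" "$conf_dir" || { b=no; findings=$((findings + 1)); }
        if is_loaded "$m" "$loaded"; then l=yes; findings=$((findings + 1)); fi
        echo "$m install-blocked=$b loaded=$l"
    done
    return "$findings"
}

# Constructed sample: esp4 and esp6 are blocked, the rxrpc line is commented out,
# and esp6 is still resident because it was loaded before the config was written.
make_sample() {
    d=$(mktemp -d) || return 1
    printf 'install esp4 /bin/false\n# install rxrpc /bin/false\ninstall esp6 /bin/false\n' \
        > "$d/dirtyfrag.conf"
    printf 'esp6 28672 0 - Live 0x0000000000000000\nxfrm_algo 16384 1 esp6, Live 0x0000000000000000\n' \
        > "$d/modules"
    echo "$d"
}

sample=$(make_sample)
audit "$sample" "$sample/modules" || echo "findings: $?"
rm -rf "$sample"
```

Calling audit with no arguments checks /etc/modprobe.d and /proc/modules on the running host; a non-zero return means at least one module is either not blocked or still loaded.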

MITRE ATT&CK TTPs

The Fragnesia vulnerability maps to several MITRE ATT&CK tactics and techniques. Under Resource Development (T1588: Obtain Capabilities), attackers may acquire or develop exploits (T1588.005) and vulnerabilities (T1588.006) for the Fragnesia Linux kernel vulnerability. The primary tactic involves Privilege Escalation (T1068: Exploitation for Privilege Escalation), where the Fragnesia vulnerability enables local privilege escalation to root.

For Execution, attackers leverage Command and Scripting Interpreter (T1059) techniques, specifically Unix Shell (T1059.004), to execute the Fragnesia exploit code. Defense Evasion tactics include File and Directory Permissions Modification (T1222), particularly Linux and Mac File and Directory Permissions Modification (T1222.002), and Escape to Host (T1611) in containerized environments exploiting the Fragnesia vulnerability.

Initial Access may be achieved through Valid Accounts (T1078), providing the initial foothold required for Fragnesia exploitation. Finally, successful exploitation of the Fragnesia vulnerability enables Credential Access through OS Credential Dumping (T1003), allowing attackers to harvest system credentials after achieving root privileges.

References

https://www.wiz.io/blog/fragnesia-linux-kernel-local-privilege-escalation-via-esp-in-tcp

https://www.microsoft.com/en-us/security/blog/2026/05/08/active-attack-dirty-frag-linux-vulnerability-expands-post-compromise-risk/

https://github.com/v12-security/pocs/tree/main/fragnesia

https://github.com/v12-security/pocs/tree/main/dirtydecrypt

https://almalinux.org/blog/2026-05-13-fragnesia-cve-2026-46300/

https://access.redhat.com/security/cve/CVE-2026-46300

https://ubuntu.com/security/CVE-2026-46300

https://www.suse.com/security/cve/CVE-2026-46300.html

https://security-tracker.debian.org/tracker/CVE-2026-46300
