Security researchers have disclosed a newly discovered Linux kernel vulnerability called Fragnesia that is drawing attention due to its potential to increase system compromise risks for unprivileged local users.
| CVE ID | CVE-2026-46300 |
| Severity | High (Local Privilege Escalation) |
| PoC | Publicly Available |
| Patch Status | Pending Upstream Merge |
Key Takeaways:
- Fragnesia is a Linux kernel local privilege escalation flaw tracked as CVE-2026-46300.
- It allows unprivileged local users to modify read-only kernel page cache files and gain root access.
- A working proof-of-concept was released publicly the same day as the disclosure.
- Disabling esp4, esp6, and rxrpc modules is the immediate mitigation until patches land.
- Ubuntu users with AppArmor namespace restrictions active have partial protection.
What is Fragnesia?
On May 13, 2026, researchers revealed the flaw, tracked as CVE-2026-46300,
within the Linux kernel’s XFRM ESP-in-TCP subsystem. The vulnerability allows an unprivileged local attacker to write arbitrary bytes into the kernel page cache of read-only files, including setuid
binaries such as /usr/bin/su, without modifying the actual file stored on disk.
The researcher William Bowling of Zellic and the V12 Security team published the disclosure alongside a working proof-of-concept.
Fragnesia is closely related to Dirty Frag,
which was patched just days earlier. In fact, the Dirty Frag fix itself exposed a previously latent bug that made Fragnesia exploitable.
The Dirty Frag Family: A Three-Week Timeline
Fragnesia is the third root-level kernel privilege escalation flaw disclosed in roughly three weeks. Understanding the pattern
helps Linux admins and security teams grasp how quickly this attack surface is moving.
| Vulnerability | CVE | Disclosed | Attack Surface |
|---|---|---|---|
| Copy Fail | CVE-2026-31431 | April 29, 2026 | Kernel copy path |
| Dirty Frag | CVE-2026-43284 / CVE-2026-43500 | May 7, 2026 | ESP/XFRM |
| Fragnesia | CVE-2026-46300 | May 13, 2026 | ESP-in-TCP / skb coalescing |
How the Exploit Works
The flaw is rooted in skb_try_coalesce(), a function in the kernel's socket buffer handling code.
When merging socket buffers, the function drops the SKBFL_SHARED_FRAG marker even when the resulting
buffer still holds page-cache-backed fragments. This causes ESP-in-TCP decryption to run in-place directly over
shared cached file pages instead of a safe private copy.
In the published proof-of-concept, the attacker uses unshare(CLONE_NEWUSER | CLONE_NEWNET) to gain
CAP_NET_ADMIN inside a sandboxed namespace, installs a crafted ESP security association, then repeatedly
drives single-byte writes into the cached copy of /usr/bin/su. The result is a root shell.
The on-disk file is never modified, so standard file integrity tools like AIDE or Tripwire will not detect the change.
Am I Vulnerable? How to Check
All Linux kernel
versions released before May 13, 2026 that include the Dirty Frag fix are potentially exposed.
Kernels that never received the Dirty Frag patches are also vulnerable through a slightly different path.
Run this command to check your current kernel version:
uname -r
If your kernel version predates the vendor patch for your distro (see the patching section below), you should apply
the immediate module-disable mitigation right away.
You can also check whether the vulnerable modules are currently loaded on your system:
lsmod | grep -E "esp|rxrpc"If the command returns output, those modules are loaded and your system is exposed until the mitigation or patch is applied.
Immediate Mitigation: Disable Vulnerable Modules
The same module blacklist used for Dirty Frag covers Fragnesia. Run these commands to unload and permanently disable the vulnerable modules:
printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' | sudo tee /etc/modprobe.d/fragnesia.conf
sudo rmmod esp4 esp6 rxrpc 2>/dev/null; trueTo verify the mitigation is working, check that the modules are no longer loaded:
lsmod | grep espIf no output is returned, the modules are unloaded and you are protected from the public proof-of-concept.
Ubuntu Users: Check Your AppArmor Namespace Restriction
Ubuntu
systems with AppArmor configured to restrict unprivileged user namespaces get partial protection against the public proof-of-concept.
Check whether this restriction is active on your system:
cat /proc/sys/kernel/apparmor_restrict_unprivileged_userns
A return value of 1 means the restriction is active. A value of 0 means it is not and you are more directly exposed.
This is only a partial mitigation and should not replace patching.
Distro-Specific Patching Steps
Once your Linux distribution ships a patched kernel package, apply it using the commands below for your platform.
Ubuntu (22.04, 24.04, 25.04)
sudo apt update && sudo apt full-upgrade -y
sudo reboot
uname -r # verify new kernel is running
After rebooting, check the Ubuntu Security Notices (USN)
page and search for CVE-2026-46300 to confirm your installed version is listed as fixed.
Rocky Linux / RHEL / AlmaLinux
sudo dnf update kernel -y
sudo reboot
uname -r # verify new kernel is running
Monitor the Red Hat Security Advisories
page for the official errata. RHEL extended lifecycle
customers should also check with their support channel for backported patches.
Debian
sudo apt-get update && sudo apt-get dist-upgrade -y
sudo reboot
uname -r # verify new kernel is runningFlush the Page Cache After Suspicion of Compromise
Because Fragnesia only modifies the in-memory page cache, flushing it removes the poisoned copy of any targeted binary.
Note that this cleans memory only. If an attacker already gained root access and installed a backdoor, flushing the cache
does not undo that. Treat any confirmed exploitation as a full host compromise.
sudo sh -c 'echo 3 > /proc/sys/vm/drop_caches'
Kubernetes and Container Environments
For Kubernetes worker nodes, shared CI runners, and multi-tenant container platforms this vulnerability is especially important
because local privilege escalation is rarely just local in these environments. A compromised container or a malicious CI job
can become a full host compromise. Importantly, privileged containers are not required. An unprivileged container
with the ability to create user namespaces, which is often allowed for rootless Docker or Podman, is sufficient to run this exploit
and reach root on the host.
Recommended steps for Kubernetes worker nodes once a patched kernel is available:
# Drain the node
kubectl drain <node-name> --ignore-daemonsets --delete-emptydir-data
# Apply kernel patch on the node using distro commands above
# then reboot the node
# Once back online, uncordon
kubectl uncordon <node-name>
Until patches are available, apply the module disable mitigation and restrict unprivileged user namespaces on all worker nodes.
For RHEL-family systems:
echo "user.max_user_namespaces=0" | sudo tee /etc/sysctl.d/fragnesia.conf
sudo sysctl --systemBe aware this will break rootless containers, Flatpak, and sandboxed browsers. Validate operational dependencies before applying broadly.
"The original Dirty Frag fix added code that trusts the shared-frag marker to be accurate. The marker is not accurate.
The underlying coalescing bug has existed since 2013 and the Dirty Frag fix just made it exploitable in a practical way."V12 Security Team, Fragnesia Disclosure Notes
Troubleshooting Common Issues
rmmod esp4 says the module is in use
If the module is in active use, identify what is holding it with:
lsof | grep esp
ss -sIf an IPsec or VPN daemon is using the module, stop it first before retrying the rmmod command.
What breaks after disabling ESP modules?
Disabling esp4 and esp6 will break IPsec and ESP-based VPN setups including strongSwan and Libreswan.
WireGuard-based VPN deployments are not affected.
The rxrpc module is tied to AFS clients and is generally safe to disable on most servers.
Does this affect Docker or Podman containers?
Containers share the host kernel. If unprivileged user namespaces are enabled on the host, a malicious workload inside a container
could use this exploit to reach root on the host. This is why Kubernetes and multi-tenant setups are considered high-risk environments for this flaw.
Detection: What to Watch For
Standard disk forensics tools will not flag this attack because the on-disk binary is never changed. Also keep in mind
that the poisoned state in memory is non-persistent. If the server reboots or the kernel evicts that page from cache
due to memory pressure, the binary reverts to its safe on-disk version automatically. This means a simple
ls -l or file hash check will not reveal whether a system has been compromised.
Behavioral detection is the right approach. Watch for these signals using eBPF tooling, Falco, or a Linux EDR platform:
unshare(CLONE_NEWUSER | CLONE_NEWNET)calls from unexpected processes- NETLINK_XFRM activity from workloads unrelated to VPN
- Heavy AF_ALG crypto interface usage in tight loops
splice()calls from regular files into TCP sockets, followed by ULP mode changes on the same socket
Official Vendor Security Advisories
Check these sources for the patched kernel versions for your platform. Bookmark them now as this situation is still evolving:
Sources
LinuxTeck - A Complete Learning Blog
Tech News - Stay updated with the latest Linux and open-source news covering new releases, distro updates, security patches, and enterprise developments, delivered in plain language for sysadmins and developers.
