Details have emerged about a new variant of the recent Dirty Frag Linux Local Privilege Escalation (LPE) vulnerability that allows local attackers to gain root access, making it the third such bug in the kernel within two weeks.
The security vulnerability codenamed ‘Fragnesia’ is tracked as CVE-2026-46300 (CVSS score: 7.8) and is located in the XFRM ESP-in-TCP subsystem of the Linux kernel. This was discovered by researcher William Bowling on the V12 security team.
“This vulnerability allows an unprivileged local attacker to modify the contents of read-only files in the kernel page cache and gain root privileges via a deterministic page cache corruption primitive,” said Google-owned Wiz.
Advisories have been released by multiple Linux distributions –
“This is another bug in Dirty Frag’s ESP/XFRM that has received its own patch,” says V12. “However, this is on the same surface and the mitigation is the same as the dirty flag. It exploits a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve the writing of arbitrary bytes to the kernel page cache for read-only files without the need for race conditions.”
Fragnesia is similar to Copy Fail and Dirty Frag (also known as Copy Fail 2) in that it achieves memory write primitives within the kernel and instantly gains root on all major distributions by corrupting the page cache memory of the /usr/bin/su binary. A proof of concept (PoC) exploit was released in V12.
“Customers who have already applied the Dirty Frag mitigations do not need to take any further action until a patched kernel is released,” CloudLinux maintainers said. Red Hat said it is conducting an evaluation to determine whether existing mitigations extend to CVE-2026-46300.
Wiz also pointed out that AppArmor’s restrictions on unprivileged user namespaces may act as a partial mitigation, and additional bypasses may be required for successful exploitation. However, unlike the dirty flag, it does not require host-level permissions.
“While a patch is available and no active exploits have been observed at this time, we encourage users and organizations to run the update tool and apply the patch as soon as possible.” “If patching is not possible at this time, consider applying the same mitigations to dirty flags.”
This includes disabling esp4, esp6, and related xfrm/IPsec features, restricting unnecessary local shell access, hardening containerized workloads, and increasing monitoring for anomalous privilege escalation activity.
This development comes after a threat actor named ‘berz0k’ was observed advertising a zero-day Linux LPE exploit on cybercrime forums for $170,000 and claiming it works on multiple major Linux distributions.
“Threat actors claim that this vulnerability is TOCTOU (Time-of-Check Time-of-Use) based, allows stable local privilege escalation without causing a system crash, and leverages a shared object (.so) payload dropped in the /tmp directory,” ThreatMon said in a post on X.
Source link
