
New Fragnesia Linux bug gives attackers root access

Originally published on: May 15, 2026
Summary

– A new high-severity Linux kernel vulnerability, Fragnesia (CVE-2026-46300), allows local attackers to gain root privileges by exploiting a logic bug in the XFRM ESP-in-TCP subsystem.
– The flaw enables arbitrary byte writes to the kernel page cache of read-only files, and a proof-of-concept exploit targets the /usr/bin/su binary to achieve root shell access.
– Fragnesia is part of the Dirty Frag vulnerability class, affects all Linux kernels released before May 13, 2026, and has received its own patch, separate from the original Dirty Frag bug.
– Linux users should apply kernel updates immediately, or temporarily remove vulnerable modules (esp4, esp6, rxrpc) as a mitigation, though this breaks AFS and IPsec VPNs.
– Fragnesia’s disclosure follows ongoing patches for “Copy Fail,” another actively exploited privilege escalation flaw, which CISA ordered federal agencies to patch by May 15.

Linux distributions are now deploying security patches to address a newly disclosed high-severity kernel vulnerability that gives unprivileged local attackers the ability to execute malicious code with root privileges.

Tracked as CVE-2026-46300 and named Fragnesia, the flaw originates from a logic defect in the Linux XFRM ESP-in-TCP subsystem. This bug allows attackers to write arbitrary bytes into the kernel page cache of read-only files, effectively bypassing standard access controls.

Security researcher William Bowling, head of assurance at Zellic, discovered this universal local privilege escalation vulnerability and has released a proof-of-concept (PoC) exploit. The exploit achieves a memory-write primitive within the kernel, corrupting the page cache of the `/usr/bin/su` binary to spawn a shell with root-level access on vulnerable systems.

Bowling explains that Fragnesia belongs to the Dirty Frag vulnerability class, which was disclosed just last week. It impacts all Linux kernels released before May 13, 2026. Like Fragnesia, Dirty Frag also comes with a public PoC that local attackers can weaponize to gain root access across major Linux distributions.

However, Dirty Frag operates differently: it chains together two distinct kernel flaws, CVE-2026-43284 (the xfrm-ESP Page-Cache Write vulnerability) and CVE-2026-43500 (an RxRPC Page-Cache Write issue), to escalate privileges by modifying protected system files in memory.

“Fragnesia is a member of the Dirty Frag vulnerability class. This is a separate bug in the ESP/XFRM from dirtyfrag which has received its own patch. However, it is in the same surface and the mitigation is the same as for dirtyfrag,” Bowling said. “It abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve arbitrary byte writes into the kernel page cache of read-only files, without requiring any race condition.”

To defend against attacks, Linux users should apply the latest kernel updates for their environment without delay. For those unable to patch immediately, the same mitigation used for Dirty Frag is recommended, namely removing the vulnerable kernel modules. Note that this will break AFS distributed network file systems and IPsec VPNs:

```
rmmod esp4 esp6 rxrpc
printf 'install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false
' > /etc/modprobe.d/dirtyfrag.conf
```
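One way to confirm the mitigation above took effect, as an added example that is not from the article or the researcher: the script checks that esp4, esp6 and rxrpc are no longer loaded and that an uncommented `install <module> /bin/false` rule blocks each from loading again. The function names and the optional path arguments are assumptions, included so the checks can run against sample files.

```shell
#!/bin/sh
# Added example (not from the article): audit the module-removal mitigation.
# Module names and the /bin/false install rule come from the page; the function
# names and the optional path arguments are hypothetical, for offline testing.
MODULES="esp4 esp6 rxrpc"

# module_loaded NAME [MODULES_FILE]: true if NAME is currently loaded.
# Only the first column is matched, so a name in the "used by" column is ignored.
module_loaded() {
    awk -v m="$1" '$1 == m { hit = 1 } END { exit !hit }' "${2:-/proc/modules}"
}

# module_blocked NAME [CONF_DIR]: true if a *.conf file in CONF_DIR holds an
# uncommented "install NAME /bin/false" rule.
module_blocked() {
    for conf in "${2:-/etc/modprobe.d}"/*.conf; do
        [ -f "$conf" ] || continue
        awk -v m="$1" '$1 == "install" && $2 == m && $3 == "/bin/false" { hit = 1 }
                       END { exit !hit }' "$conf" && return 0
    done
    return 1
}

# audit_mitigation [MODULES_FILE] [CONF_DIR]: print one status line per module;
# return 0 only if every module is both unloaded and blocked from loading.
audit_mitigation() {
    rc=0
    for mod in $MODULES; do
        loaded=no; blocked=no
        module_loaded "$mod" "${1:-/proc/modules}" && loaded=yes
        module_blocked "$mod" "${2:-/etc/modprobe.d}" && blocked=yes
        echo "$mod loaded=$loaded blocked=$blocked"
        if [ "$loaded" = yes ] || [ "$blocked" = no ]; then rc=1; fi
    done
    return $rc
}

# Audit the live system only when asked, e.g. by passing --live to the script.
if [ "${1:-}" = "--live" ]; then audit_mitigation; fi
```

By default it inspects only /etc/modprobe.d, the directory the mitigation writes to; pass another directory as the second argument to check rules placed elsewhere.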

Fragnesia’s disclosure arrives as Linux distributions continue rolling out patches for “Copy Fail,” another privilege escalation vulnerability now actively exploited in the wild. The Cybersecurity and Infrastructure Security Agency (CISA) added Copy Fail to its catalog of known exploited flaws on May 1, ordering federal agencies to secure their Linux systems within two weeks, by May 15.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA warned. “Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”

In April, Linux distributions patched yet another root-privilege escalation vulnerability, dubbed Pack2TheRoot, in the PackageKit daemon, a flaw that had remained undetected for a decade.

(Source: BleepingComputer)
