{"id":484491,"date":"2026-05-14T15:28:16","date_gmt":"2026-05-14T15:28:16","guid":{"rendered":"https:\/\/www.europesays.com\/ie\/484491\/"},"modified":"2026-05-14T15:28:16","modified_gmt":"2026-05-14T15:28:16","slug":"fragnesia-new-linux-kernel-lpe-bug-was-spawned-by-dirty-frag-patch-cve-2026-46300","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/ie\/484491\/","title":{"rendered":"Fragnesia: New Linux kernel LPE bug was spawned by Dirty Frag patch (CVE-2026-46300)"},"content":{"rendered":"

Researchers have found and disclosed yet another local privilege escalation (LPE) vulnerability in the Linux kernel: CVE-2026-46300, aka \u201cFragnesia\u201d.<\/p>\n

\"Fragnesia<\/p>\n

The flaw is in the same class of vulnerabilities as the recently disclosed Dirty Frag<\/a> bug(s). <\/p>\n

Like Dirty Frag, it affects the same Linux module (xfrm-ESP). In fact, according to Dirty Frag discoverer Hyunwoo Kim, Fragnesia was \u201caccidentally activated\u201d by the patch fixing one of the original Dirty Frag vulnerabilities (i.e., CVE-2026-43284).<\/p>\n

CVE-2026-46300 explained<\/p>\n

Fragnesia was discovered by William Bowling of Zellic.io, with the help of the company\u2019s AI-agentic software auditing tool.<\/p>\n

The research team published a short technical explainer<\/a> and proof-of-concept exploit code<\/a>. <\/p>\n

As Wiz researchers helpfully explained<\/a>, Fragnesia allows unprivileged local attackers to modify read-only file contents in the kernel page cache, and \u201cthrough a deterministic page-cache corruption primitive,\u201d achieve root privileges. <\/p>\n

Patches and mitigations for Fragnesia<\/p>\n

Like Copy Fail<\/a> and Dirty Frag before it, Fragnesia is less of a risk for single-user workstations and single-tenant servers than for shared Linux hosts (where multiple users share a kernel), container clusters (where the page cache is shared across the host), CI runners and build farms, and cloud SaaS solutions running user code.<\/p>\n

Linux admins should apply vendor kernel patches when they become available. In the meantime, they should disable\/denylist or unload the vulnerable modules (for both Fragnesia and DirtyFrag: esp4<\/strong>, esp6<\/strong>, rxrpc<\/strong>) to mitigate the risk of exploitation.<\/p>\n

Some Linux distributions have already relased kernel patches, namely AlmaLinux<\/a> and CloudLinux<\/a>.<\/p>\n

\u201cThe exploit can modify legitimate system binaries (the public PoC overwrites \/usr\/bin\/su<\/strong>) in the page cache as part of gaining root, so applying the mitigation alone is not enough on systems that may have been targeted before the mitigation was in place,\u201d the CloudLinux team explained. <\/p>\n

\u201cAfter mitigating, drop the page cache to force a reload from disk [by running the following command: sudo sh -c \u201cecho 3 > \/proc\/sys\/vm\/drop_caches\u201d<\/strong>].\u201d<\/p>\n

Microsoft\u2019s threat analysts also pointed out<\/a> that exploitation is \u201cnot constrained to use the [\/usr\/bin\/su] binary,\u201d and that attackers \u201ccan modify any file readable by the user, including [\/etc\/passwd].\u201d <\/p>\n

They also added that there is currently no evidence pointing to in-the-wild exploitation of Fragnesia.<\/p>\n

Copy Fail, on the other hand, has been added to CISA\u2019s Known Exploited Vulnerabilities catalog earlier this month. <\/p>\n

Kernel patches for Copy Fail are now widely available, but for a temporary mitigation admins can denylist or unload the algif_aead<\/strong> module.<\/p>\n

<\/p>\n

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!<\/a><\/strong><\/p>\n

<\/p>\n","protected":false},"excerpt":{"rendered":"Researchers have found and disclosed yet another local privilege escalation (LPE) vulnerability in the Linux kernel: CVE-2026-46300, aka…\n","protected":false},"author":2,"featured_media":484492,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[74],"tags":[48542,18,211862,19,17,25688,211863,55989,82,27983],"class_list":{"0":"post-484491","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technology","8":"tag-containers","9":"tag-eire","10":"tag-exploit","11":"tag-ie","12":"tag-ireland","13":"tag-linux","14":"tag-poc","15":"tag-servers","16":"tag-technology","17":"tag-vulnerability"},"share_on_mastodon":{"url":"https:\/\/pubeurope.com\/@ie\/116573641704334470","error":""},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/posts\/484491","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/comments?post=484491"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/posts\/484491\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/media\/484492"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/media?parent=484491"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/categories?post=484491"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/ie\/wp-json\/wp\/v2\/tags?post=484491"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}