Fragnesia Linux Vulnerability Grants Instant Root Access via Page Cache Corruption

System administrators managing Linux environments face a new threat: a high-severity kernel vulnerability, dubbed Fragnesia, that grants unprivileged local attackers immediate root access. Tracked as CVE-2026-46300 with a CVSS score of 7.8, the flaw targets the XFRM ESP-in-TCP subsystem. It allows attackers to modify the contents of read-only files within the kernel page cache, effectively compromising the entire system.

Discovered by William Bowling of Zellic in collaboration with the V12 Security team, Fragnesia emerged as an unintended side effect of recent patches meant to fix the original Dirty Frag vulnerability. According to security firm Wiz, the issue stems from a logic bug involving the improper handling of shared page fragments during socket buffer coalescing. Attackers can exploit this by splicing file-backed pages into the TCP receive queue before the socket transitions into the espintcp ULP mode.

By corrupting the kernel page cache, the exploit successfully overwrites the read-only /usr/bin/su binary. This memory write primitive allows attackers to instantly elevate their privileges to root. The V12 Security team has already released a proof-of-concept (PoC) exploit demonstrating the attack, though Microsoft notes there is currently no evidence of active exploitation in the wild.

How to Mitigate the Fragnesia Vulnerability

Because Fragnesia's memory write primitive yields root access immediately, organizations must act quickly to secure their infrastructure. The vulnerability is the third Linux local privilege escalation bug identified within a span of two weeks, following the Copy Fail and Dirty Frag disclosures.

Advisories have been released for the following major Linux distributions:

  • AlmaLinux
  • Amazon Linux
  • CloudLinux
  • Debian
  • Gentoo
  • Red Hat Enterprise Linux
  • SUSE
  • Ubuntu

To protect your systems, you can apply a temporary mitigation by disabling vulnerable ESP modules through a module blacklist, matching the protections previously used for Dirty Frag. AlmaLinux and CloudLinux have already released patched kernels for supported releases. CloudLinux maintainers confirmed that customers who previously applied the Dirty Frag mitigation require no further action until patched kernels are fully deployed. Meanwhile, Red Hat is assessing if existing mitigations extend to CVE-2026-46300, and Ubuntu is currently evaluating its patch status across all releases.
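One way to verify that the module blacklist described above is actually in force on a host, as an added example that is not taken from the article or from any distribution advisory. The function names are hypothetical, and the module names `esp4` and `esp6` are an assumption, since the article does not list the modules; use the names your distribution's advisory gives.

```shell
#!/bin/sh
# Added example: audit whether kernel modules are blocked from loading.
# Paths are parameters so the check runs against a live system or a test tree.

# module_status MODULE CONF_DIR PROC_MODULES -> prints one of:
#   loaded          already in the running kernel; config alone will not unload it
#   blocked         "install MODULE /bin/false" (or /bin/true): module is never inserted
#   blacklist-only  "blacklist MODULE": aliases ignored, "modprobe MODULE" still works
#   unprotected     no matching directive in CONF_DIR
module_status() {
    mod=$1; conf_dir=$2; proc_modules=$3
    # modprobe treats '-' and '_' in module names as equivalent.
    pat=$(printf '%s' "$mod" | sed 's/[-_]/[-_]/g')
    if grep -Eq "^${pat}[[:space:]]" "$proc_modules" 2>/dev/null; then
        echo loaded; return 0
    fi
    # modprobe reads only *.conf files; anchoring on the keyword skips comments.
    if cat "$conf_dir"/*.conf 2>/dev/null |
        grep -Eq "^[[:space:]]*install[[:space:]]+${pat}[[:space:]]+/bin/(false|true)([[:space:]]|\$)"; then
        echo blocked; return 0
    fi
    if cat "$conf_dir"/*.conf 2>/dev/null |
        grep -Eq "^[[:space:]]*blacklist[[:space:]]+${pat}[[:space:]]*\$"; then
        echo blacklist-only; return 0
    fi
    echo unprotected
}

# audit CONF_DIR PROC_MODULES MODULE...
# Prints one line per module; returns non-zero unless every module is "blocked".
audit() {
    conf_dir=$1; proc_modules=$2; shift 2
    rc=0
    for m in "$@"; do
        s=$(module_status "$m" "$conf_dir" "$proc_modules")
        printf '%-8s %s\n' "$m" "$s"
        [ "$s" = blocked ] || rc=1
    done
    return $rc
}

# Live use (esp4/esp6 are assumed names; take the list from your distro advisory):
#   audit /etc/modprobe.d /proc/modules esp4 esp6
```

The check reads a single directory, so repeat it for `/usr/lib/modprobe.d` and `/run/modprobe.d` where those are in use. Neither directive has any effect if the ESP code is compiled into the kernel rather than built as a module.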

The Danger of Patch-Induced Vulnerabilities

The rapid succession of the Copy Fail, Dirty Frag, and Fragnesia vulnerabilities highlights a severe systemic issue in how complex kernel subsystems are maintained. The fact that Fragnesia was accidentally born from a Dirty Frag patch demonstrates that rushing fixes for deep kernel logic bugs often introduces entirely new attack vectors. With three local privilege escalation bugs emerging in just 14 days, enterprise environments are facing unprecedented patch fatigue.

Organizations must prioritize defense-in-depth strategies rather than relying solely on reactive patching. Relying on a single layer of security is no longer viable when the security updates themselves are breaking the kernel page cache. Until the mainline kernel review process for the netdev patch is completed, system administrators should strictly enforce module blacklisting to prevent unprivileged users from exploiting the XFRM ESP-in-TCP subsystem.
