Fragnasia Linux – A new high-severity Linux kernel flaw, Fragnasia (CVE-2026-46300), can let local attackers gain root. Patches and stopgap module removals are available.
A new Linux kernel privilege-escalation flaw is moving quickly from research to real-world risk, with patches now rolling out across distributions and security teams urged to act fast.
Dubbed Fragnasia and tracked as CVE-2026-46300. the vulnerability is described as a high-severity logic bug in the Linux XFRM ESP-in-TCP subsystem.. The core problem is that it can let unprivileged local attackers achieve root privileges by writing arbitrary bytes into the kernel page cache of read-only files.
Fragnasia was uncovered by Zellic’s head of assurance, William Bowling, who also released a proof-of-concept.. The PoC is designed to create a kernel memory-write primitive. then use it to corrupt the page cache memory of /usr/bin/su on vulnerable systems.. With that targeted corruption in place, the exploit enables an attacker to obtain a root shell.
Bowling also placed Fragnasia within the broader “Dirty Frag” vulnerability class, a set of issues disclosed last week. According to the report, Dirty Frag includes publicly available proof-of-concept exploitation that can similarly allow local attackers to gain root on major Linux distributions.
The relationship between the two is important: while Dirty Frag and Fragnasia share the same overall attack surface and the mitigation guidance is the same. Dirty Frag is presented as a different bug that chains two separate kernel weaknesses.. In that chained scenario. attackers combine the xfrm-ESP Page-Cache Write vulnerability (CVE-2026-43284) with an RxRPC Page-Cache Write security issue (CVE-2026-43500) to escalate privileges by modifying protected system files in memory.
“Fragnesia is a member of the Dirty Frag vulnerability class,” Bowling said, emphasizing that it is a separate issue in the ESP/XFRM component that has received its own patch. The key operational message is that even though it’s distinct, the same general approach to mitigation is expected to apply.
The vulnerability’s mechanics, as described, do not rely on a race condition. Instead, it abuses the logic flaw to perform arbitrary byte writes into the kernel page cache of read-only files, which is one reason it’s treated as “universal” local privilege escalation across affected kernels.
In response, Linux users are advised to install the relevant kernel updates for their specific environment as soon as possible. For those who cannot patch immediately, the report provides a temporary mitigation intended to remove the vulnerable kernel modules for ESP4 and ESP6.
The suggested stopgap involves removing the esp4 and esp6 kernel modules and also disabling rxrpc. However, administrators are cautioned that taking this path will break IPsec VPN functionality. The commands listed are:
rmmod esp4 esp6 rxrpc
The guidance then adds that users should prevent the modules from loading by writing configuration entries to /etc/modprobe.d/dirtyfrag.conf:
printf ‘install esp4 /bin/falseninstall esp6 /bin/falseninstall rxrpc /bin/falsen’ > /etc/modprobe.d/dirtyfrag.conf
While these steps may reduce exposure, they come with operational trade-offs, making patching the preferred option once available from the distribution vendor.
Fragnasia’s disclosure lands while Linux developers and administrators are still working through another privilege escalation flaw that has been actively exploited in the wild.. At the same time, “Copy Fail,” another kernel-side issue, is already part of the operational urgency for many organizations.
The U.S.. cybersecurity agency added Copy Fail to its catalog of vulnerabilities exploited in attacks on May 1.. Federal agencies were also ordered to secure their Linux systems within a two-week window. with the deadline set for May 15. reflecting the speed at which publicly known exploitation can translate into pressure on enterprise fleets.
CISA warned that vulnerabilities of this type are a frequent attack vector for malicious cyber actors and carry serious risks for the federal enterprise.. The agency’s directive stresses applying mitigations per vendor instructions. following applicable BOD 22-01 guidance for cloud services. or discontinuing use of the product if mitigations are not available.
For defenders. this week reinforces a pattern: Linux privilege escalation chains tend to combine deep kernel behavior with predictable targets. and once public proofs-of-concept exist. time becomes a critical factor.. Even when a fix is underway across distributions, patching cadence differences can leave pockets of systems exposed.
The broader trend isn’t limited to these newest names. Earlier, Linux distributions patched a root-privilege escalation vulnerability dubbed Pack2TheRoot in the PackageKit daemon, described as something that had gone unnoticed for a decade before it was addressed.
Taken together. the sequence—from Pack2TheRoot to Dirty Frag and now Fragnasia. alongside Copy Fail—suggests a sustained wave of Linux-focused escalation research and exploitation.. For administrators. the immediate priority is clear: ensure kernel updates are applied for CVE-2026-46300. use the module-removal mitigation only where patching is not immediately possible. and keep an eye on the parallel vulnerabilities already being tracked as exploited or actively remediated.
Fragnasia CVE-2026-46300 Linux kernel privilege escalation Dirty Frag class IPsec module mitigation Copy Fail exploited flaw