Fragnesia Linux LPE: One Line Roots Your Kernel—Patch Now Before the Page Cache Betrays You + Video

Listen to this Post

Featured Image

Introduction

A newly disclosed Linux kernel local privilege escalation (LPE) vulnerability, tracked as CVE-2026-46300 and dubbed “Fragnesia,” allows an unprivileged local attacker to gain immediate root access by corrupting the kernel page cache of read‑only files. This critical flaw resides in the Linux XFRM ESP‑in‑TCP subsystem and, like its predecessor Dirty Frag, achieves root privileges deterministically without requiring any race conditions. The disclosure of a public Proof‑of‑Concept (PoC) exploit on GitHub turns every vulnerable Linux system with an untrusted local user into a potential root‑compromised host—making patching an absolute emergency.

Learning Objectives

  • Understand the root cause of Fragnesia (CVE‑2026‑46300) and how it abuses the kernel page cache.
  • Learn to detect vulnerable systems and apply immediate mitigation commands.
  • Master step‑by‑step procedures for patching, verifying fixes, and cleaning up after exploitation.

You Should Know

1. The “Fragnesia” Vulnerability Deep Dive

Fragnesia belongs to the Dirty Frag vulnerability class and is introduced by a logic error in the Linux kernel’s XFRM ESP‑in‑TCP subsystem. The core issue lies in the `skb_try_coalesce()` function: when network data fragments are merged, the kernel fails to propagate the `SKBFL_SHARED_FRAG` marker, losing track that a fragment is backed by page‑cache pages (e.g., from a file spliced into a socket). As a result, the ESP‑in‑TCP receive path performs in‑place AES‑GCM decryption directly on those shared page‑cache pages, allowing an unprivileged process to XOR a chosen keystream byte into any readable file’s page‑cache copy.

The attack flow works as follows:

  1. Create user and network namespaces to acquire `CAP_NET_ADMIN` privileges.
  2. Install an IPsec ESP Security Association (SA) with a known AES‑128‑GCM key.
  3. Build a 256‑entry lookup table mapping each possible keystream byte to an IV nonce using the `AF_ALG` crypto interface.
  4. Splice data from the target file (e.g., /usr/bin/su) into a TCP socket’s receive queue.
  5. Transition the socket to `espintcp` ULP (Upper Layer Protocol) mode, forcing the kernel to treat the queued file pages as ESP ciphertext.
  6. For each payload byte, send crafted ESP packets that cause the kernel to XOR the desired keystream byte at a specific offset into the file’s page‑cache copy.
  7. Once the first 192 bytes of `/usr/bin/su` are overwritten with a small ELF stub that calls `setresuid(0,0,0)` and execve(“/bin/sh”), execute the corrupted binary to spawn a root shell.

This technique requires no race condition, making exploitation highly stable and reliable. Moreover, the on‑disk binary remains untouched—only the in‑memory page cache is corrupted, evading traditional disk‑based security scans.

  1. Detection: Check If Your Linux System Is Vulnerable

Because the vulnerability exists in the kernel’s networking stack, the first step is to determine your kernel version and verify whether the vulnerable modules (esp4, esp6, rxrpc) are loaded. All Linux kernels before May 13, 2026 are affected, including most enterprise distributions (RHEL, Ubuntu, AlmaLinux, Debian, etc.).

Run these commands on any Linux system:

 Check kernel version
uname -r

Check distribution details
cat /etc/os-release

List loaded modules; if any of esp4, esp6, rxrpc appear, the system is vulnerable
lsmod | grep -E '^(esp4|esp6|rxrpc)'

If your kernel is older than the patched versions listed by your vendor, or if the above modules are present, your system is at immediate risk. The public PoC can be tested (only on your own authorized systems) with a single line:

git clone https://github.com/v12-security/pocs.git && cd pocs/fragnesia && gcc -o exp fragnesia.c && ./exp

On Ubuntu systems with default AppArmor, you may need to temporarily disable the user namespace restriction:

sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

After the exploit runs successfully, any subsequent execution of `su` will re‑spawn a root shell until the page cache is dropped.

3. Immediate Mitigation: Disable Vulnerable Modules

If you cannot apply a full kernel patch immediately, the same mitigation that worked for Dirty Frag also blocks Fragnesia. This involves blacklisting and unloading the esp4, esp6, and `rxrpc` kernel modules.

Step‑by‑step mitigation commands:

 Remove the modules from the running kernel
sudo rmmod esp4 esp6 rxrpc

Prevent modules from loading on future boots
sudo printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/fragnesia.conf

Verify modules are no longer loaded
lsmod | grep -E '^(esp4|esp6|rxrpc)'

Important caveats:

  • Disabling these modules will break IPsec VPNs (e.g., StrongSwan) and the AFS distributed filesystem. Do not apply this mitigation on systems where IPsec is critical unless you have a fallback plan.
  • The mitigation does not revert any existing page‑cache corruption. If you suspect the system may have been targeted, clear the page cache after mitigation:
sudo sh -c "echo 3 > /proc/sys/vm/drop_caches"

A reboot is even safer, as it ensures all page‑cache entries are reloaded from disk.

4. Patching: Apply the Official Kernel Update

Most major Linux distributions have already released patched kernels or are in the process of backporting the upstream fix. The upstream patch, titled [PATCH net] net: skbuff: preserve shared‑frag marker during coalescing, was posted to the netdev mailing list on May 13, 2026.

Update commands for common distributions:

| Distribution | Command(s) |

|–|-|

| Ubuntu / Debian | `sudo apt update && sudo apt upgrade linux-image-generic` |
| RHEL / CentOS / AlmaLinux | `sudo yum update kernel` |

| Fedora | `sudo dnf update kernel` |

| openSUSE | `sudo zypper patch` |

| Arch Linux | `sudo pacman -Syu linux` |

After updating, reboot to load the new kernel and verify the fix:

 Reboot
sudo reboot

After reboot, check kernel version (should be >= May 13 2026)
uname -r

Ensure vulnerable modules are not present
lsmod | grep -E '^(esp4|esp6|rxrpc)'

For live‑patching without reboot, commercial solutions like KernelCare have already released rebootless patches for CloudLinux 9 and AlmaLinux 9 ELS.

5. Advanced Detection: System Hardening and Monitoring

Because Fragnesia modifies only the page cache, traditional file‑integrity monitoring (e.g., AIDE, Tripwire) on disk will not detect the corruption. To detect potential exploitation, you should monitor system behavior for anomalies:

  • Monitor for unusual `su` execution: After exploitation, `/usr/bin/su` acts as a root backdoor. Use `auditd` to log all executions:
sudo auditctl -w /usr/bin/su -p x -k su_execution
sudo ausearch -k su_execution --raw | aureport -f -i
  • Watch for namespace and XFRM activity: The exploit requires creating network namespaces and manipulating XFRM policies. Use `bpftrace` or `strace` to trace system calls:
sudo bpftrace -e 'kprobe:unshare { printf("unshare() called by pid %d\n", pid); }'
  • Drop page caches periodically on high‑risk systems:
echo 3 | sudo tee /proc/sys/vm/drop_caches  or schedule via cron
  1. If You Have Already Applied the Dirty Frag Mitigation

Good news: Systems that have already blacklisted esp4, esp6, and `rxrpc` for Dirty Frag are also protected against Fragnesia because the vulnerable modules are already disabled. No additional action is required until you apply the permanent kernel patch.

However, do not assume that the Dirty Frag patch alone fixes Fragnesia. The two vulnerabilities are distinct: Dirty Frag required chaining two separate CVEs, while Fragnesia is a single‑bug exploit. Only the upstream patch that corrects the `SKBFL_SHARED_FRAG` propagation fully resolves Fragnesia.

7. Cleanup After a Successful Exploit

If you run the PoC or suspect your system has been exploited, dropping the page cache is mandatory; otherwise, the modified `/usr/bin/su` will keep spawning root shells.

 Immediately drop all page cache
sudo sh -c "echo 3 > /proc/sys/vm/drop_caches"

Optionally, reinstall the su binary from the package manager
sudo apt reinstall login  Debian/Ubuntu
sudo yum reinstall coreutils  RHEL/CentOS

Reboot the system to ensure no stale page‑cache entries remain. After reboot, verify that the checksum of `/usr/bin/su` matches the package original:

md5sum /usr/bin/su
dpkg -V login  Debian/Ubuntu, will report modified files

What Undercode Say

  • Deterministic, race‑condition‑free exploitation makes Fragnesia a post‑exploitation goldmine. Unlike older LPEs like Dirty COW, this flaw succeeds on the first attempt without kernel panics, dramatically increasing the value of any initial low‑privileged foothold.
  • The page‑cache attack surface is becoming the new frontier of Linux kernel LPE. Fragnesia, Copy Fail, and Dirty Frag all target the same core mechanism: corrupting read‑only file pages in memory. Traditional security tools that scan on‑disk files are blind to these attacks, requiring a paradigm shift toward memory‑aware detection.

Prediction

Fragnesia marks a dangerous turning point for Linux kernel security. The fact that a patch for Dirty Frag accidentally activated this new bug (per Hyunwoo Kim) highlights how fragile the kernel’s networking stack has become—one fix spawns another flaw. Expect a wave of similar “forgotten shared‑frag” vulnerabilities to surface in the coming months as researchers fuzz the same code paths. Meanwhile, threat actors will quickly integrate the public PoC into automated Linux rootkits and container escape toolkits, making unpatched multi‑tenant clouds and CI/CD environments prime targets. Organizations that rely on IPsec VPNs face a painful choice: stay vulnerable or break production networking. The only safe path forward is aggressive patching and re‑evaluating the risk of allowing unprivileged users to create namespaces.

▶️ Related Video (78% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Divya Kumari – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky