{"id":8154,"date":"2026-05-14T20:29:38","date_gmt":"2026-05-14T20:29:38","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8154"},"modified":"2026-05-14T20:29:38","modified_gmt":"2026-05-14T20:29:38","slug":"meet-fragnesia-the-third-linux-kernel-vulnerability-in-a-month","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8154","title":{"rendered":"Meet Fragnesia, the third Linux kernel vulnerability in a month"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Linux admins reeling from handling last month\u2019s <a href=\"https:\/\/www.csoonline.com\/article\/4165824\/trivial-exploit-can-give-attackers-root-access-to-linux-kernel.html\" target=\"_blank\" rel=\"noopener\">CopyFail<\/a> and last week\u2019s<a href=\"https:\/\/www.csoonline.com\/article\/4169399\/new-dirty-frag-exploit-targets-linux-kernel-for-root-access.html\" target=\"_blank\" rel=\"noopener\"> Dirty Frag<\/a> kernel vulnerabilities have a new headache to deal with: Fragnesia.<\/p>\n<p>\u201cThis is a significant vulnerability,\u201d <a href=\"https:\/\/www.digitaldefence.ca\/company\/\" target=\"_blank\" rel=\"noopener\">Robert Beggs<\/a>, head of incident response firm DigitalDefence, told <em>CSO<\/em>. \u201cIt is bypassing traditional filesystem permissions that are present and enforced (for example, \u2018file is owned by root\u2019, or \u2018file is read-only\u2019) to allow manipulation without touching the disk.\u201d<\/p>\n<p>Similar to Dirty Frag, Fragnesia (CVE-2026-46300) is a local privilege escalation hole that exploits a vulnerability in the XFRM ESP-in-TCP subsystem to achieve a memory write primitive in the kernel. 
XFRM is an IP framework intended for packet transformations, and ESP-in-TCP (Encapsulating Security Payload in TCP) is a networking technique used to encapsulate IPsec ESP packets inside TCP segments.<\/p>\n<p>A proof of concept (PoC) exploit is already publicly available.<\/p>\n<p>The good news, Beggs said, is that the vulnerability can\u2019t be exploited remotely. An attacker needs local access to trigger specific code paths and must be able to control local socket operations and manipulate packet fragmentation.<\/p>\n<p>Still, he added, any unprivileged user can exploit the bug on a vulnerable system to corrupt security-sensitive files in memory, such as privileged access management configuration, password, systemd service files, or cron jobs. Although the attacker cannot modify the file on the disk, modifying in-memory files can trick privileged processes, alter system behavior, execute arbitrary code, and escalate privileges on the system, he said.<\/p>\n<p>Linux distributions including <a href=\"https:\/\/access.redhat.com\/security\/cve\/cve-2026-46300\" target=\"_blank\" rel=\"noopener\">Red Hat<\/a>, <a href=\"https:\/\/ubuntu.com\/security\/CVE-2026-46300\" target=\"_blank\" rel=\"noopener\">Ubuntu<\/a>, <a href=\"https:\/\/almalinux.org\/blog\/2026-05-13-fragnesia-cve-2026-46300\/\" target=\"_blank\" rel=\"noopener\">AlmaLinux<\/a> and others are pushing out patches or mitigations; <a href=\"https:\/\/blog.cloudlinux.com\/fragnesia-mitigation-and-kernel-update\" target=\"_blank\" rel=\"noopener\">CloudLinux said a patch is being tested<\/a>.<\/p>\n<p>In a statement to <em>CSO<\/em>, Mike McGrath, Red Hat\u2019s vice-president of Core Platforms, said issuing mitigations and fixes for privilege escalations like Fragnesia is a top priority. 
<\/p>\n<p>\u201cWe have published workarounds for the esp4 and esp6 kernel modules that we feel provide protection to customers in the immediate term while we work with the upstream community to identify a permanent fix in the form of a patch,\u201d he said.<\/p>\n<p>According to Linux support provider TuxCare, systems running the affected <em>skbuff<\/em> code paths, including kernels that have already received the Dirty Frag fix, are impacted. The public PoC requires a kernel built with the configuration option <em>CONFIG_INET_ESPINTCP<\/em> to reach the bug, so kernels built without it block this exploit. But the underlying <em>skbuff<\/em> defect may be reachable through other paths.<\/p>\n<p><a href=\"https:\/\/x.com\/MsftSecIntel\/status\/2054701609024934064\" target=\"_blank\" rel=\"noopener\">Microsoft urges<\/a> Linux users and organizations to apply the patch as soon as possible by running update tools. If patching is not possible at this point, consider applying the same mitigations as for Dirty Frag, such as assessing whether esp4, esp6, and related xfrm\/IPsec functionality can be temporarily disabled safely, restricting unnecessary local shell access, hardening containerized workloads, and increasing monitoring for abnormal privilege escalation activity.<\/p>\n<p><strong>Related content: <a href=\"https:\/\/www.csoonline.com\/article\/4169659\/linux-kernel-maintainers-suggest-a-kill-switch-to-protect-systems-until-a-zero-day-vulnerability-is-patched.html\" target=\"_blank\" rel=\"noopener\">Kill switch for Linux kernel features proposed to improve security<\/a><\/strong><\/p>\n<p>Beggs advises system administrators to confirm kernel exposure by reviewing version numbers, and then update to a patched kernel if necessary and reboot the affected system. If ESP-in-TCP is not required, disable the module and block its use; this mitigation can also be applied immediately, until patching is complete. Because the vulnerability 
requires local access, make sure that basic steps such as enforcing MFA for privileged accounts, disabling unneeded shell access, and enforcing least privilege are all in place.<\/p>\n<p>Beggs also said admins may wish to increase monitoring of privileged processes (PAM, systemd, cron) and look for unexpected restarts, unexpected config reloads, and sudden privilege escalations.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Linux admins reeling from handling last month\u2019s CopyFail and last week\u2019s Dirty Frag kernel vulnerabilities have a new headache to deal with: Fragnesia. \u201cThis is a significant vulnerability,\u201d Robert Beggs, head of incident response firm DigitalDefence, told CSO. \u201cIt is bypassing traditional filesystem permissions that are present and enforced (for example, \u2018file is owned by [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8155,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8154","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8154"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8154"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8154\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8155"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest
_route=%2Fwp%2Fv2%2Fmedia&parent=8154"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8154"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8154"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}