Linux distros are rolling out patches for a brand new high-severity kernel privilege escalation vulnerability that enables attackers to run malicious code as root.
Referred to as Fragnasia and tracked as CVE-2026-46300, this safety flaw stems from a logic bug within the Linux XFRM ESP-in-TCP subsystem that may allow unprivileged native attackers to achieve root privileges by writing arbitrary bytes to the kernel web page cache of read-only information.
Zellic’s head of assurance, William Bowling, who found this new common native privilege escalation flaw, additionally shared a proof-of-concept (PoC) exploit that achieves a memory-write primitive within the kernel that’s used to deprave the web page cache reminiscence of the /usr/bin/su binary to get a shell with root privileges on susceptible methods.
Bowling stated this flaw belongs to the Soiled Frag vulnerability class, which was disclosed final week, and impacts all Linux kernels launched earlier than Might 13, 2026. Simply as Fragnasia, Soiled Frag has a publicly accessible PoC exploit that native attackers can use to achieve root privileges on main Linux distributions.
Nevertheless, Soiled Frag works by chaining two separate kernel flaws, the xfrm-ESP Web page-Cache Write vulnerability (CVE-2026-43284) and a RxRPC Web page-Cache Write safety situation (CVE-2026-43500), to attain privilege escalation by modifying protected system information in reminiscence.
“Fragnesia is a member of the Soiled Frag vulnerability class. It is a separate bug within the ESP/XFRM from dirtyfrag which has obtained its personal patch. Nevertheless, it’s in the identical floor and the mitigation is similar as for dirtyfrag,” Bowling stated.
“It abuses a logic bug within the Linux XFRM ESP-in-TCP subsystem to attain arbitrary byte writes into the kernel web page cache of read-only information, with out requiring any race situation.”
one other day, one other common linux LPE https://t.co/GANYkAJwZS pic.twitter.com/XfzTsmg7kl
— V12 (@v12sec) Might 13, 2026
To safe methods towards assaults, Linux customers are suggested to use kernel updates for his or her setting as quickly as potential.
Those that cannot instantly patch their gadgets ought to use the next instructions to take away the susceptible esp4 and esp6 kernel modules (nevertheless, it is essential to notice that it will break IPsec VPNs):
rmmod esp4 esp6 rxrpc
printf 'set up esp4 /bin/falseninstall esp6 /bin/falseninstall rxrpc /bin/falsen' > /and so on/modprobe.d/dirtyfrag.conf
Fragnasia’s disclosure comes as Linux distros are nonetheless rolling out patches for “Copy Fail,” one other privilege escalation vulnerability now actively exploited within the wild.
CISA added Copy Fail to its catalog of flaws exploited in assaults on Might 1 and ordered federal companies to safe their Linux methods inside two weeks, by Might 15.
“Such a vulnerability is a frequent assault vector for malicious cyber actors and poses vital dangers to the federal enterprise,” the U.S. cybersecurity company warned. “Apply mitigations per vendor directions, comply with relevant BOD 22-01 steering for cloud companies, or discontinue use of the product if mitigations are unavailable.”
In April, Linux distros patched one other root-privilege escalation vulnerability (dubbed Pack2TheRoot) within the PackageKit daemon that had gone unnoticed for a decade.
AI chained 4 zero-days into one exploit that bypassed each renderer and OS sandboxes. A wave of latest exploits is coming.
On the Autonomous Validation Summit (Might 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls maintain, and closes the remediation loop.
