Critical Fragnesia Linux Vulnerability Lets Attackers Gain Root Privileges


Emy Elsamnoudy
May 13, 2026

Key Takeaways

  • A new Linux kernel vulnerability, dubbed Fragnesia, allows local unprivileged users to escalate privileges to root.
  • The vulnerability, CVE-2026-XXXX, affects all Linux kernels released before May 13, 2026.
  • Fragnesia does not rely on a race condition, making it a highly reliable local privilege escalation method.
  • A patch is available upstream, and immediate application is strongly recommended.

A recently uncovered critical vulnerability within the Linux kernel, dubbed “Fragnesia,” grants local unprivileged users the ability to escalate their privileges to root. This exploit is particularly concerning due to its reliability; unlike many privilege escalation bugs, Fragnesia does not require a race condition to succeed, a characteristic that makes it one of the more potent local privilege escalation exploits identified in recent years.

Discovered by William Bowling of the V12 security team, Fragnesia marks another entry in a growing category of dangerous kernel flaws that fundamentally challenge established Linux security paradigms.

Fragnesia is categorized as a “Dirty Frag” class vulnerability, sharing conceptual lineage with well-known exploits like Dirty Pipe and Copy Fail. However, it targets a distinct logical flaw specifically within the Linux XFRM ESP-in-TCP subsystem.

The name “Fragnesia” itself alludes to the vulnerability’s mechanism: the kernel “forgets” that a memory fragment is shared during a process known as socket buffer coalescing. This oversight leads to memory corruption in areas the kernel was never intended to modify.

How Fragnesia Operates

The exploit leverages a subtle logic error in the way the Linux kernel manages the ESP-in-TCP ULP (Upper Layer Protocol) mode.

Specifically, when a TCP socket transitions to espintcp ULP after file data has already been spliced into its receive queue, the kernel erroneously interprets these pre-queued file pages as ESP ciphertext. This misinterpretation results in a single AES-GCM keystream byte being XORed directly into the kernel page cache of a read-only file, and it does so without requiring any race condition.

By meticulously selecting an Initialization Vector (IV) nonce, an attacker can generate any desired keystream byte. This allows them to flip any single byte within a cached file to any chosen value, one byte per exploit trigger. The exploit constructs a 256-entry lookup table, mapping all possible keystream bytes to their corresponding nonces. It then iterates over a malicious payload, systematically overwriting the initial 192 bytes of /usr/bin/su within the page cache. This overwrite replaces the legitimate code with a small ELF stub designed to execute setresuid(0,0,0) and subsequently launch /bin/sh.

Crucially, the underlying binary file on disk remains entirely unaltered. Only the in-memory page cache is modified by this attack.

Affected Versions and Mitigation

Every Linux kernel version affected by the broader Dirty Frag vulnerability class is susceptible to Fragnesia. This includes virtually all kernel versions released prior to May 13, 2026. While the necessary patch has been submitted upstream, systems that remain unpatched are critically exposed.

A public proof-of-concept (PoC) is already available on GitHub, significantly lowering the technical barrier for potential attackers.

What You Should Do

  • Apply Patches Immediately: Organizations running Linux servers must prioritize applying the upstream patch as soon as possible.
  • Unload Modules (Temporary Mitigation): Until patching is feasible, administrators should immediately unload the affected ESP modules and block them from being loaded again. This can be achieved by executing:
    rmmod esp4 esp6 rxrpc
    printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf
  • Flush Page Cache Post-Exploitation: If an exploit is suspected or has occurred, be aware that the modified /usr/bin/su in the page cache will continue to spawn root shells until the cache is cleared. Administrators must run echo 1 | tee /proc/sys/vm/drop_caches or reboot the system before leaving any affected machine unattended.
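
As an added example (not part of the original article or of any vendor tooling), the shell functions below check whether the temporary mitigation above is actually in effect: the three modules are absent from /proc/modules and each has an intact install rule pointing at /bin/false. The function names and path parameters are this example's own, and it inspects only the one directory it is given, whereas modprobe also reads other configuration directories.

```sh
#!/bin/sh
# Added example: audit the temporary module-unload mitigation.
# Function names and path parameters are this example's own (hypothetical).

MODULES="esp4 esp6 rxrpc"

# True if module $1 appears in the /proc/modules-format file $2.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2"
}

# True if a *.conf file in directory $2 carries an intact rule
# "install <module> /bin/false" (or /bin/true). A rule whose command
# field is anything else, e.g. run together with the next rule, fails.
module_blocked() {
    for f in "$2"/*.conf; do
        [ -f "$f" ] || continue
        awk -v m="$1" '
            $1 == "install" && $2 == m &&
                ($3 == "/bin/false" || $3 == "/bin/true") { ok = 1 }
            END { exit !ok }' "$f" && return 0
    done
    return 1
}

# Prints one status line per module and returns how many are still exposed.
# Defaults read the live system; pass other paths to audit copies.
audit_mitigation() {
    proc_modules=${1:-/proc/modules}
    modprobe_dir=${2:-/etc/modprobe.d}
    exposed=0
    for m in $MODULES; do
        if module_loaded "$m" "$proc_modules"; then
            echo "$m: still loaded, run rmmod"
            exposed=$((exposed + 1))
        elif ! module_blocked "$m" "$modprobe_dir"; then
            echo "$m: not loaded, but no install rule stops it loading again"
            exposed=$((exposed + 1))
        else
            echo "$m: unloaded and blocked"
        fi
    done
    return "$exposed"
}
```

Running audit_mitigation with no arguments audits the live system and needs no root privileges. A conf file whose line breaks were lost, so that all three rules sit on a single line, is reported as blocking none of the modules.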

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
