Critical Fragnesia Linux Vulnerability Lets Attackers Gain Root Privileges
Key Takeaways
- A new Linux kernel vulnerability, dubbed Fragnesia, allows local unprivileged users to escalate privileges to root.
- The vulnerability, tracked as CVE-2026-XXXX, affects all Linux kernels released before May 13, 2026.
- Fragnesia does not rely on a race condition, making it a highly reliable local privilege escalation method.
- A patch is available upstream, and immediate application is strongly recommended.
A recently disclosed critical vulnerability in the Linux kernel, dubbed “Fragnesia,” lets a local unprivileged user escalate to root. What makes it particularly concerning is its reliability: unlike many kernel privilege escalation bugs, Fragnesia does not depend on winning a race condition, which makes it one of the more dependable local privilege escalation exploits identified in recent years.
Discovered by William Bowling of the V12 security team, Fragnesia marks another entry in a growing category of dangerous kernel flaws that fundamentally challenge established Linux security paradigms.
Fragnesia is categorized as a “Dirty Frag” class vulnerability, sharing conceptual lineage with well-known exploits like Dirty Pipe and Copy Fail. However, it targets a distinct logical flaw specifically within the Linux XFRM ESP-in-TCP subsystem.
The name “Fragnesia” itself alludes to the vulnerability’s mechanism: the kernel “forgets” that a memory fragment is shared during a process known as socket buffer coalescing. This oversight leads to memory corruption in areas the kernel was never intended to modify.
How Fragnesia Operates
The exploit leverages a subtle logic error in how the Linux kernel handles the ESP-in-TCP ULP (Upper Layer Protocol) mode.
Specifically, when a TCP socket is switched to the espintcp ULP after file data has already been spliced into its receive queue, the kernel treats those pre-queued file pages as ESP ciphertext. Because AES-GCM decryption is an XOR with the keystream, the result is that a single AES-GCM keystream byte is XORed directly into the kernel page cache of a read-only file. No race condition is involved: the sequence of operations is entirely under the attacker's control.
The keystream depends only on the key and the nonce, so by choosing the Initialization Vector (IV) nonce an attacker can obtain any desired keystream byte. Combined with the XOR primitive, this allows any single byte of a cached file to be set to any chosen value, one byte per exploit trigger. The exploit first constructs a 256-entry lookup table mapping every possible keystream byte value to a nonce that produces it. It then iterates over its payload, overwriting the first 192 bytes of /usr/bin/su in the page cache byte by byte. The overwrite replaces the binary's entry code with a small ELF stub that calls setresuid(0,0,0) and then launches /bin/sh.
Crucially, the underlying binary file on disk remains entirely unaltered. Only the in-memory page cache is modified by this attack.
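The nonce lookup table and the byte-at-a-time overwrite are easiest to understand in working code. The following Go program is an added illustration written for this article, not the researcher's proof-of-concept, and it does not touch the kernel: the "cached page" is a byte slice, and the kernel's XOR is simulated by the Trigger method. It assumes the attacker knows the AES-GCM key (in practice the key of an ESP security association the attacker set up) and that the keystream byte XORed in is the first byte of the GCM keystream for the chosen 96-bit nonce; the key, page contents and payload are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Flipper models the single primitive the article describes: per trigger the
// attacker picks a 96-bit GCM nonce and the kernel XORs the first keystream
// byte derived from (key, nonce) into one byte of a cached page. The key is
// assumed known to the attacker; the nonce is the only per-trigger input.
type Flipper struct {
	gcm   cipher.AEAD
	table [256][]byte // keystream byte value -> a nonce that produces it
}

// KeystreamByte returns the first GCM keystream byte for a nonce. Sealing a
// single zero byte gives ciphertext[0] = 0 XOR ks[0]; the tag is discarded.
func (f *Flipper) KeystreamByte(nonce []byte) byte {
	return f.gcm.Seal(nil, nonce, []byte{0}, nil)[0]
}

// NewFlipper builds the 256-entry lookup table by walking nonces until every
// keystream value 0..255 has been seen. The first keystream byte behaves like
// a random 8-bit function of the nonce, so a few thousand candidates suffice.
func NewFlipper(key []byte) (*Flipper, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	f := &Flipper{gcm: gcm}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes; counter in the low 8
	for ctr, found := uint64(0), 0; found < 256; ctr++ {
		binary.BigEndian.PutUint64(nonce[4:], ctr)
		ks := f.KeystreamByte(nonce)
		if f.table[ks] == nil {
			f.table[ks] = append([]byte(nil), nonce...)
			found++
		}
	}
	return f, nil
}

// NonceFor returns a nonce whose first keystream byte equals ks.
func (f *Flipper) NonceFor(ks byte) []byte { return f.table[ks] }

// Trigger simulates one exploit trigger: the kernel XORs the keystream byte
// for nonce into page[off]. Only the in-memory copy changes.
func (f *Flipper) Trigger(page []byte, off int, nonce []byte) {
	page[off] ^= f.KeystreamByte(nonce)
}

// Overwrite rewrites page[0:len(payload)] to payload, one trigger per byte,
// and returns the nonce used for each byte. Since the primitive is XOR, the
// keystream value needed for a byte is simply current ^ wanted.
func (f *Flipper) Overwrite(page, payload []byte) [][]byte {
	nonces := make([][]byte, 0, len(payload))
	for i, want := range payload {
		nonce := f.NonceFor(page[i] ^ want)
		f.Trigger(page, i, nonce)
		nonces = append(nonces, nonce)
	}
	return nonces
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 16)    // constructed SA key
	page := []byte("\x7fELF-original")       // constructed cached page
	payload := []byte("\x7fELF-stub")        // constructed replacement bytes
	f, err := NewFlipper(key)
	if err != nil {
		panic(err)
	}
	n := f.Overwrite(page, payload)
	fmt.Printf("%d triggers, page now %q\n", len(n), page)
}
```

The point of the table is that nothing about the target byte has to be guessed: because the attacker knows both the current byte (the file is readable) and the desired byte, the needed keystream value is fixed, and the table turns that value into the nonce to present on the next trigger. That is why the page says the attack needs exactly one trigger per byte and no race.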
Affected Versions and Mitigation
Every Linux kernel version affected by the broader Dirty Frag vulnerability class is susceptible to Fragnesia. This includes virtually all kernel versions released prior to May 13, 2026. The fix has been submitted upstream, but systems that remain unpatched are critically exposed.
A public proof-of-concept (PoC) is already available on GitHub, significantly lowering the technical barrier for potential attackers.
What You Should Do
- Apply Patches Immediately: Organizations running Linux servers must prioritize applying the upstream patch as soon as possible.
- Unload Modules (Temporary Mitigation): Until patching is feasible, administrators should unload the affected ESP modules and prevent them from being autoloaded again. As root:
    rmmod esp4 esp6 rxrpc
    printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf
  rmmod will refuse to remove a module that is still in use (for example by an active IPsec SA); check lsmod afterwards to confirm the modules are gone. The modprobe.d install lines make any later load attempt run /bin/false instead of loading the module.
- Flush Page Cache Post-Exploitation: If an exploit is suspected or has occurred, be aware that the modified /usr/bin/su in the page cache will continue to spawn root shells until the cache is cleared, even though the file on disk is intact. Administrators must run the following as root, or reboot the system, before leaving any affected machine unattended:
    echo 1 | tee /proc/sys/vm/drop_caches
  Because normal reads go through the page cache, sha256sum, dpkg --verify or rpm -V will report the poisoned bytes while they remain cached, which doubles as a check that the flush worked. Note that drop_caches only evicts clean pages that are not currently mapped by a running process, so a reboot is the more reliable option.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.