Illustration of a hacker exploiting a Linux kernel flaw by corrupting a page cache file to gain root access, with system files and privilege levels visually disrupted.


New Linux Flaw Lets Attackers Gain Root

A new local privilege escalation (LPE) vulnerability in the Linux kernel, named Fragnesia and tracked as CVE-2026-46300, allows unprivileged attackers to gain root access by corrupting the kernel's page cache. Discovered by V12 security researcher William Bowling, the flaw resides in the XFRM ESP-in-TCP subsystem and enables deterministic write access to read-only files—bypassing earlier mitigations for similar bugs like Dirty Frag. The exploit modifies the page cache of /usr/bin/su, allowing immediate root escalation on major Linux distributions including Ubuntu, Red Hat, and Debian.

Multiple vendors, including CloudLinux, Amazon Linux, and SUSE, have issued advisories. While patches are available, organizations that applied mitigations for Dirty Frag may remain vulnerable, as Fragnesia exploits the same attack surface with a different logic flaw. Microsoft and Wiz recommend disabling esp4, esp6, and IPsec-related functions if patching isn't immediately possible, along with tightening local shell access and monitoring for unusual privilege changes.
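
The fallback of disabling esp4 and esp6 can be verified per host. The script below is an added example, not part of the original article or any vendor advisory: it reports whether each module is loaded, blocked by an `install <module> /bin/false` rule in /etc/modprobe.d, or still loadable. It assumes both are built as loadable modules; the function names are illustrative.

```shell
#!/bin/sh
# Added example: audit the esp4/esp6 modules named in the mitigation guidance.
# File paths are parameters so the check also runs against constructed samples.

MODULES="esp4 esp6"

# is_loaded MODULE [PROC_MODULES_FILE] -> exit 0 if the module is listed.
is_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' \
        "${2:-/proc/modules}"
}

# is_blocked MODULE [CONF_DIR] -> exit 0 if a modprobe.d file overrides the
# module's install command with /bin/false or /bin/true.
is_blocked() {
    dir="${2:-/etc/modprobe.d}"
    cat "$dir"/*.conf 2>/dev/null | awk -v m="$1" '
        $1 == "install" && $2 == m &&
            ($3 == "/bin/false" || $3 == "/bin/true") { found = 1 }
        END { exit !found }'
}

# module_state MODULE [PROC_MODULES_FILE] [CONF_DIR] prints one of:
#   loaded    in the kernel now (an install rule does not unload it)
#   blocked   not loaded, and an install override prevents loading
#   loadable  not loaded, but nothing stops it being loaded
module_state() {
    if is_loaded "$1" "$2"; then echo loaded
    elif is_blocked "$1" "$3"; then echo blocked
    else echo loadable
    fi
}

# audit [PROC_MODULES_FILE] [CONF_DIR] -> exit 0 only if every module is blocked.
audit() {
    rc=0
    for m in $MODULES; do
        s=$(module_state "$m" "$1" "$2")
        printf '%s: %s\n' "$m" "$s"
        [ "$s" = blocked ] || rc=1
    done
    return $rc
}

# Run against the live host only when asked: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then audit; fi
```

A `blacklist` line alone is reported as loadable, because it only suppresses alias-based autoloading and does not stop the module being loaded by name. Blocking these modules also disables IPsec ESP on the host.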

Although no active exploitation has been observed, a threat actor named 'berz0k' is advertising a separate zero-day Linux LPE exploit on cybercrime forums for $170,000, raising concerns about potential overlap or market saturation of such vulnerabilities. Researchers stress that timely patching remains the most effective defense.

Facts

  • Fragnesia (CVE-2026-46300) is a Linux kernel LPE vulnerability with a CVSS score of 7.8.
  • It allows unprivileged attackers to gain root by corrupting the page cache of read-only files via the XFRM ESP-in-TCP subsystem.
  • Discovered by William Bowling of V12, a proof-of-concept exploit has been released.
  • Major Linux distributions including Red Hat, Ubuntu, and Debian have issued advisories.
  • No in-the-wild exploitation has been observed, but a patch is available and recommended.
  • A threat actor is selling a separate zero-day Linux LPE exploit for $170,000 on cybercrime forums.

Canto visual news explainer. AI tools may assist production.