Linux Kernel Fragnesia CVE-2026-46300 Grants Root via Page Cache

Fragnesia (CVE-2026-46300) is the third Linux kernel LPE in a recent series, enabling root access via page cache corruption with no race condition required. Patches are available.

    A third local privilege escalation vulnerability in the Linux kernel was publicly disclosed Wednesday, with researcher William Bowling of the V12 security team releasing details of CVE-2026-46300, dubbed “Fragnesia.” The flaw exploits a logic bug in the kernel’s XFRM ESP-in-TCP subsystem to corrupt the kernel page cache, enabling an unprivileged local attacker to gain root access without triggering a race condition. Patches are available for all major Linux distributions at time of disclosure; no in-the-wild exploitation has been observed.

    CVE-2026-46300: Logic Bug in Linux’s XFRM ESP-in-TCP Subsystem

    Fragnesia differs from many privilege escalation vulnerabilities in that it requires no race condition to reliably exploit. The flaw is a logic bug — an incorrect sequence of operations in the XFRM ESP-in-TCP subsystem that produces a deterministic outcome rather than one that depends on precise timing. This distinction matters because race-condition-dependent exploits often fail on real hardware due to scheduling variability, reducing their practical reliability in targeted attacks. Fragnesia, by contrast, executes consistently.

    The vulnerability was identified by William Bowling of the V12 security team, who also disclosed the technical mechanism linking the ESP-in-TCP subsystem to the kernel page cache corruption that enables privilege escalation.

    How Fragnesia Corrupts /usr/bin/su to Achieve Root Access

    The logic bug in the XFRM ESP-in-TCP subsystem enables an attacker to write arbitrary bytes into the kernel page cache of files that are read-only on disk. By targeting /usr/bin/su — the standard Unix binary for switching user credentials — an attacker can corrupt the in-memory cached version of that binary without modifying the on-disk file. When the corrupted version of su is subsequently executed, the injected payload runs with elevated privileges, delivering root access to the attacker.

    This exploitation path requires only a local shell session — no network access, no service exploitation, no interaction from other users. Any unprivileged process running on a vulnerable kernel can leverage the bug to escalate to root by manipulating the page cache entry for a target binary.

    Fragnesia, Dirty Frag, and Copy Fail: A Cluster of Linux Page Cache Bugs

    Fragnesia is the third in a series of Linux kernel privilege escalation vulnerabilities affecting the kernel page cache that have been disclosed in close succession. The preceding two were Dirty Frag, tracked as CVE-2026-46299, and Copy Fail. All three exploit behavior in or around the kernel’s page cache handling, a memory subsystem responsible for caching disk contents in RAM to accelerate I/O operations.

    The clustering of three related bugs in a shared exploitation surface within a short disclosure window has prompted calls for deeper security review of the page cache subsystem. Bowling noted that organizations already running mitigations for Dirty Frag — CVE-2026-46299 — require no additional immediate action, as those mitigations cover Fragnesia’s exploitation path as well.

    Affected Distributions and Patch Availability for CVE-2026-46300

    CVE-2026-46300 affects a broad set of major Linux distributions: AlmaLinux, Amazon Linux, CloudLinux, Debian, Gentoo, Red Hat Enterprise Linux, SUSE, and Ubuntu. At the time of Bowling’s disclosure, all of these distributions had patches available through their respective update channels.

    Two alternative mitigations are documented for systems where kernel updates cannot be applied immediately. Disabling esp4 and esp6 kernel modules removes the XFRM ESP-in-TCP code path entirely, eliminating the attack surface for CVE-2026-46300. Restricting local shell access — tightening which accounts can execute interactive shell sessions — reduces the pool of potential attackers who could reach the vulnerable code path.
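    The module-disabling mitigation above can be checked and applied from the shell. The script below is an added example, not from the article or from the V12 team: it reads lsmod-style output to report whether esp4 or esp6 is currently loaded, and it writes a modprobe.d fragment that blacklists both modules and replaces their load command with /bin/false (a standard modprobe mechanism). The output file path, the function names, and the sample lsmod text are my own choices.

```shell
#!/bin/sh
# Added example (not part of the original article): detect and disable the
# esp4/esp6 modules that carry the XFRM ESP-in-TCP code path (CVE-2026-46300).

ESP_MODULES="esp4 esp6"   # modules named by the article's mitigation advice

# Print the names of the ESP modules that appear in lsmod-style text on stdin.
# Usage on a live host:  lsmod | loaded_esp_modules
loaded_esp_modules() {
    awk -v mods="$ESP_MODULES" '
        BEGIN { n = split(mods, want, " "); for (i = 1; i <= n; i++) w[want[i]] = 1 }
        NR > 1 && ($1 in w) { print $1 }'
}

# Write a modprobe.d fragment (path is the caller's choice, e.g.
# /etc/modprobe.d/cve-2026-46300.conf) that stops esp4/esp6 from loading:
# "blacklist" blocks alias-based autoload, "install ... /bin/false" makes an
# explicit modprobe of the module fail instead of loading it.
write_esp_blacklist() {
    out="$1"
    {
        echo "# Mitigation for CVE-2026-46300 (Fragnesia): disable XFRM ESP modules"
        for m in $ESP_MODULES; do
            echo "blacklist $m"
            echo "install $m /bin/false"
        done
    } > "$out"
}

# Return 0 if any ESP module is loaded, 1 otherwise; report on stdout.
esp_status() {
    loaded=$(loaded_esp_modules)
    if [ -n "$loaded" ]; then
        echo "loaded: $loaded"
        return 0
    fi
    echo "esp4/esp6 not loaded"
    return 1
}

# Stand-alone run on a live host (commented out so the block stays inert):
# lsmod | esp_status
# write_esp_blacklist /etc/modprobe.d/cve-2026-46300.conf
```

    Two caveats a practitioner should keep in mind: the blacklist only prevents future loads, so a module that is already resident must be unloaded (modprobe -r) or the host rebooted for the fragment to take effect, and on a kernel where ESP support is compiled in rather than built as a module the fragment changes nothing. Disabling ESP also breaks IPsec on that host, which is the trade-off against applying the distribution patch.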

    Neither Fragnesia nor its predecessors Dirty Frag and Copy Fail have been observed in active exploitation campaigns. However, the deterministic nature of Fragnesia’s exploitation — no race condition, consistent results — lowers the technical bar for integrating this flaw into post-exploitation toolkits. Organizations running affected kernels without endpoint detection for local privilege escalation attempts should treat this as a priority patch cycle item.
