    New Fragnesia Linux flaw lets attackers gain root privileges

    By admin, May 14, 2026

    Linux distros are rolling out patches for a new high-severity kernel privilege escalation vulnerability that allows attackers to run malicious code as root.

    Known as Fragnesia and tracked as CVE-2026-46300, this security flaw stems from a logic bug in the Linux XFRM ESP-in-TCP subsystem that can enable unprivileged local attackers to gain root privileges by writing arbitrary bytes to the kernel page cache of read-only files.

    Zellic’s head of assurance, William Bowling, who discovered this new universal local privilege escalation flaw, also shared a proof-of-concept (PoC) exploit. It achieves a memory-write primitive in the kernel and uses it to corrupt the page cache memory of the /usr/bin/su binary, yielding a shell with root privileges on vulnerable systems.

    Bowling said this flaw belongs to the Dirty Frag vulnerability class, which was disclosed last week, and affects all Linux kernels released before May 13, 2026. Like Fragnesia, Dirty Frag has a publicly available PoC exploit that local attackers can use to gain root privileges on major Linux distributions.

    However, Dirty Frag works by chaining two separate kernel flaws, the xfrm-ESP Page-Cache Write vulnerability (CVE-2026-43284) and an RxRPC Page-Cache Write security issue (CVE-2026-43500), to achieve privilege escalation by modifying protected system files in memory.

    “Fragnesia is a member of the Dirty Frag vulnerability class. This is a separate bug in the ESP/XFRM from dirtyfrag which has received its own patch. However, it is in the same surface and the mitigation is the same as for dirtyfrag,” Bowling said.

    “It abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve arbitrary byte writes into the kernel page cache of read-only files, without requiring any race condition.”

    another day, another universal linux LPE https://t.co/GANYkAJwZS pic.twitter.com/XfzTsmg7kl


    — V12 (@v12sec) May 13, 2026

    To secure systems against attacks, Linux users are advised to apply kernel updates for their environment as soon as possible.

    Those who can’t immediately patch their devices should use the same mitigation used for Dirty Frag and run the following commands to remove the vulnerable kernel modules (note, however, that this will break AFS distributed network file systems and IPsec VPNs):

    
    rmmod esp4 esp6 rxrpc
    printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf
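
To confirm the mitigation above actually took effect on a host, the following added example (not part of the original article or of any vendor advisory) checks that none of the three modules is loaded and that each has an `install ... /bin/false` override. The function names are hypothetical, and only `/etc/modprobe.d` is inspected, as in the commands above.

```shell
#!/bin/sh
# Added example (not from the article): audit the Dirty Frag / Fragnesia
# module-removal mitigation. Function names are hypothetical.
MODULES="esp4 esp6 rxrpc"

# True if NAME is loaded. Matches only column 1 of /proc/modules, so a module
# that merely appears in another module's "used by" list is not counted.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "${2:-/proc/modules}"
}

# True if some *.conf file in the modprobe directory carries the
# "install NAME /bin/false" override written by the mitigation.
module_blocked() {
    dir="${2:-/etc/modprobe.d}"
    cat "$dir"/*.conf 2>/dev/null | awk -v m="$1" '
        $1 == "install" && $2 == m && $3 == "/bin/false" { found = 1 }
        END { exit !found }'
}

# Report each module's state; return non-zero if any module is still loaded
# or could be loaded again on demand.
audit_mitigation() {
    proc_file="${1:-/proc/modules}"
    conf_dir="${2:-/etc/modprobe.d}"
    rc=0
    for m in $MODULES; do
        if module_loaded "$m" "$proc_file"; then
            echo "$m: LOADED (rmmod failed or was not run)"
            rc=1
        elif ! module_blocked "$m" "$conf_dir"; then
            echo "$m: not loaded, but no install override (loadable on demand)"
            rc=1
        else
            echo "$m: not loaded and blocked"
        fi
    done
    return $rc
}

# Constructed sample state: esp4 is still loaded and has no override.
demo=$(mktemp -d)
printf 'esp4 20480 0 - Live 0x0\nxfrm_algo 16384 1 esp4, Live 0x0\n' > "$demo/modules"
printf 'install esp6 /bin/false\ninstall rxrpc /bin/false\n' > "$demo/dirtyfrag.conf"
audit_mitigation "$demo/modules" "$demo" || echo "mitigation incomplete"
```

On a live system, call `audit_mitigation` with no arguments to read `/proc/modules` and `/etc/modprobe.d`; a non-zero exit status means at least one module is still loaded or can be loaded again.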

    Fragnesia’s disclosure comes as Linux distros are still rolling out patches for “Copy Fail,” another privilege escalation vulnerability now actively exploited in the wild.

    CISA added Copy Fail to its catalog of flaws exploited in attacks on May 1 and ordered federal agencies to secure their Linux systems within two weeks, by May 15.

    “This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” the U.S. cybersecurity agency warned. “Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”

    In April, Linux distros patched another root-privilege escalation vulnerability (dubbed Pack2TheRoot) in the PackageKit daemon that had gone unnoticed for a decade.

