Fragnesia (CVE-2026-46300): The Linux Kernel LPE That the Dirty Frag Patch Accidentally Created — Three Root Exploits in Two Weeks
Sources: The Hacker News (Wiz) · Tenable RSO · TuxCare · Help Net Security · NSFOCUS CERT · SOCPrime · LinuxTeck · William Bowling / Zellic / V12 Security · CloudLinux · Microsoft | CVE: CVE-2026-46300 | CVSS: 7.8 High | PoC: Public — no embargo | Disclosed: May 13–14, 2026
A patch created the next exploit
Last week the Linux kernel community shipped a patch for Dirty Frag — a serious local privilege escalation in the XFRM ESP-in-TCP subsystem. Organizations scrambled to apply it. And in doing so, many unknowingly activated a second, previously latent vulnerability in the same codebase that became exploitable specifically because of how the Dirty Frag fix changed the kernel’s behavior.
On May 13–14, 2026, William Bowling of Zellic and the V12 Security team disclosed CVE-2026-46300, codenamed Fragnesia — a new Linux kernel local privilege escalation in the same XFRM ESP-in-TCP subsystem. The name refers to how the kernel socket buffer “forgets” that a fragment is shared during coalescing. A working public proof-of-concept was released the same day, with zero embargo. Any unprivileged local user on a vulnerable system can write arbitrary bytes into the kernel’s page cache of read-only files — including setuid binaries like /usr/bin/su — and obtain a root shell. No race condition. Deterministic. Every major Linux distribution is affected.
This is the third Linux kernel LPE in two weeks — after Copy Fail (CVE-2026-31431, CISA KEV) and Dirty Frag (CVE-2026-43284/43500). Security professionals are openly frustrated. Cybernews captured the mood: “Patching one Linux kernel critical exploit spawns another: a third vulnerability in two weeks. Security professionals are frustrated with disclosures dropping without embargoes for defenders to prepare.”
| Field | Detail |
|---|---|
| CVE | CVE-2026-46300 — “Fragnesia” |
| CVSS Score | 7.8 High |
| Subsystem | Linux kernel XFRM ESP-in-TCP — skb_try_coalesce() / SKBFL_SHARED_FRAG flag |
| Discovered by | William Bowling, Zellic / V12 Security (AI-agentic assisted audit) |
| Disclosed | May 13–14, 2026 — simultaneous public PoC, no embargo |
| Relationship to Dirty Frag | Accidentally activated by CVE-2026-43284 fix — separate vulnerability, separate patch required |
| Race condition required | No — deterministic, reliable every time |
| Disk forensic trace | None — page cache only (in-memory) |
| Container escape | Yes — unprivileged containers with user namespace access are sufficient |
| Dirty Frag kernel patch protects you | NO — a separate patch is required |
| Module blacklist (esp4/esp6/rxrpc) protects you | YES — same blacklist used for Dirty Frag covers Fragnesia |
| Public PoC | Yes — targets /usr/bin/su page cache, yields root shell |
| Affected distros | Ubuntu, Debian, RHEL, AlmaLinux, CentOS, openSUSE, Fedora, Arch Linux, and more |
| Upstream fix | net: skbuff: preserve shared-frag marker during coalescing (netdev ML, May 13) |
| In-the-wild exploitation | Not confirmed at disclosure — public PoC is available |
How the Dirty Frag patch spawned Fragnesia
The fix for Dirty Frag CVE-2026-43284 modified how the kernel tracks shared memory fragments during socket buffer coalescing in skb_try_coalesce(). This changed the execution path in a way that made a previously unreachable code branch exploitable under a new condition. Hyunwoo Kim — who originally discovered Dirty Frag — confirmed that Fragnesia was “accidentally activated” by the CVE-2026-43284 patch. William Bowling’s upstream fix explicitly cites the Dirty Frag fix commit (f4c50a4034e6) as one of the two commits it “fixes.”
Specifically: when a TCP socket transitions into espintcp mode after file-backed data has already been spliced into its receive queue, the kernel can now treat those queued file pages as ESP ciphertext and route them through the decrypt path — a condition introduced by the Dirty Frag patch. The decrypt path then performs controlled writes back into those file-backed page cache pages. The attacker controls IV values to make those writes land at attacker-chosen offsets.
The technical root cause: a missing flag, an unguarded write
The SKBFL_SHARED_FRAG flag marks socket buffer fragments shared with other subsystems — telling the kernel these pages must not be written to directly. During skb_try_coalesce(), this flag fails to propagate from source to destination fragment. The merged socket buffer loses the marker. Without it, the kernel’s ESP-in-TCP decrypt path treats underlying file-cache-backed pages as regular writable buffers.
An attacker constructs a specific splice + ULP trigger sequence that routes file-backed page cache pages through the ESP decrypt path. By controlling IV values, the attacker produces deterministic, byte-precise writes into the in-memory representation of any readable file — without touching the on-disk copy. The public PoC targets /usr/bin/su: it writes a small ELF stub into the cached memory so the next su invocation runs attacker-controlled code as root. The binary on disk remains clean. File integrity monitoring sees nothing.
No race condition — and why that matters operationally
Race-condition exploits often fail in busy production systems due to scheduling noise. Deterministic exploits work reliably regardless of system load or hardware. Fragnesia’s page-cache write is deterministic — fire the splice + ULP sequence and the write lands exactly where intended, every time, across all affected kernels and distros. Combined with the public PoC and zero disclosure embargo, any attacker with local access — through a compromised application, stolen SSH key, or CI job — can achieve root from the published code with minimal adaptation.
Container escape: “local” is not contained
Like Copy Fail, Fragnesia is a container escape primitive. The Linux page cache is shared across all processes on a host — including across container boundaries. Wiz confirmed that privileged containers are not required. An unprivileged container with user namespace creation enabled — standard for rootless Docker, rootless Podman, and many CI runner configurations — is sufficient to exploit the host kernel. Every Kubernetes node, container build farm, and shared CI runner where untrusted workloads execute is potentially exposed to full host compromise.
Three Linux root exploits in two weeks — the pattern
- May 1 — Copy Fail (CVE-2026-31431) · CVSS 7.8 · algif_aead / AF_ALG · 9-year-old bug · 732-byte Python PoC · No race condition · CISA KEV · Container escape · Discovered via AI (Xint Code)
- ~May 8 — Dirty Frag (CVE-2026-43284 / CVE-2026-43500) · XFRM ESP-in-TCP page-cache corruption · Patched · Discovered by Hyunwoo Kim
- May 13–14 — Fragnesia (CVE-2026-46300) · CVSS 7.8 · Activated by Dirty Frag fix · Separate patch · Public PoC · No race condition · No embargo · Container escape · Discovered by William Bowling (Zellic / V12) with AI-agentic tooling
All three: page-cache corruption via shared-memory mishandling in kernel networking/crypto. All three: deterministic. All three: no on-disk trace. All three: container escape primitives. Two of three: found with AI assistance. TuxCare noted the upstream fix for Fragnesia carries a Fixes: tag pointing to a 2013 commit — “the bug class isn’t exhausted. There are probably more invariant violations in the same code path waiting to be found.”
Check if you are exposed
```bash
# Check kernel version
uname -r
# Check if vulnerable modules are loaded (any output = exposed)
lsmod | grep -E 'esp4|esp6|rxrpc'
# Check for espintcp kernel config support
grep CONFIG_INET_ESPINTCP /boot/config-$(uname -r)
```
Immediate mitigation: disable the vulnerable modules
The Dirty Frag module blacklist covers Fragnesia. If you applied the Dirty Frag blacklist, you are already protected. If you applied only the Dirty Frag kernel patch without the blacklist, you are not protected from Fragnesia.
```bash
# Immediately unload vulnerable modules (rmmod fails harmlessly if a module is absent)
sudo rmmod esp4 esp6 rxrpc 2>/dev/null; true
# Permanently blacklist to survive reboots
printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' \
  | sudo tee /etc/modprobe.d/fragnesia.conf
# Rebuild initramfs — Debian/Ubuntu
sudo update-initramfs -u
# Rebuild initramfs — RHEL/AlmaLinux/Rocky
sudo dracut --force
```
Remediation steps
- Apply your distro’s Fragnesia kernel patch immediately — separate from Dirty Frag, must be applied independently. Debian/Ubuntu: `sudo apt update && sudo apt upgrade linux-image-generic && sudo reboot`. RHEL/AlmaLinux/Rocky: `sudo dnf update kernel && sudo reboot`. Alpine: `apk upgrade linux-lts && reboot`.
- Apply the module blacklist immediately using the commands above — effective even before the patch is available from your distro.
- KernelCare users — rebootless patches were shipping from May 14 for EL8/EL9, Ubuntu, Debian, and Proxmox VE. Run `kcarectl --update` and verify: `kcarectl --info | grep CVE-2026-46300`.
- Kubernetes and container environments — restrict unprivileged user namespace creation until patched. Treat all multi-tenant nodes with untrusted workloads as fully exposed.
- Flush the page cache as a precaution on exposed systems: `sudo sh -c 'echo 3 > /proc/sys/vm/drop_caches'`. This removes poisoned in-memory file copies. It does not undo post-exploitation activity — treat confirmed exploitation as full host compromise.
- Monitor behavioral signals — Fragnesia leaves no on-disk trace. Alert on `splice()` + `setsockopt(TCP_ULP)` combinations from non-root processes. Watch for unexpected behavior from setuid binaries, new cron entries, unauthorized SSH keys, or unexpected outbound connections.
- Do not rely solely on file integrity monitoring — only the in-memory page cache is modified. On-disk files look clean. Behavioral detection is essential.
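One way to implement the behavioral alert above, as an added example that is not from the original brief or any of its sources: it parses constructed auditd SYSCALL records (x86_64 syscall numbers; an audit rule that logs splice and setsockopt is assumed) and flags non-root PIDs that issued both a splice() and a setsockopt(SOL_TCP, TCP_ULP).

```python
import re

# x86_64 syscall numbers and socket constants used to recognise the pattern
SYSCALL_SPLICE = 275       # splice(2)
SYSCALL_SETSOCKOPT = 54    # setsockopt(2)
SOL_TCP = 6                # level argument (IPPROTO_TCP)
TCP_ULP = 31               # optname that selects a TCP ULP such as "espintcp"

# Constructed sample records (not a real capture). Assumes an audit rule like
# "-a always,exit -F arch=b64 -S splice,setsockopt" so both calls are logged.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1778900000.101:501): arch=c000003e syscall=275 success=yes exit=4096 a0=5 a1=0 a2=7 a3=0 pid=4242 uid=1000 comm="worker"
type=SYSCALL msg=audit(1778900000.102:502): arch=c000003e syscall=54 success=yes exit=0 a0=7 a1=6 a2=1f a3=7ffd1234 pid=4242 uid=1000 comm="worker"
type=SYSCALL msg=audit(1778900000.201:503): arch=c000003e syscall=275 success=yes exit=65536 a0=3 a1=0 a2=4 a3=0 pid=911 uid=0 comm="rsync"
type=SYSCALL msg=audit(1778900000.202:504): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=6 a2=1 a3=7ffd5678 pid=911 uid=0 comm="rsync"
type=SYSCALL msg=audit(1778900000.301:505): arch=c000003e syscall=54 success=yes exit=0 a0=8 a1=6 a2=1f a3=7ffdabcd pid=1337 uid=1001 comm="ktls-app"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one auditd record into a {field: value} dict, unquoting values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def find_suspicious_pids(audit_text):
    """Return {pid: comm} for non-root processes that issued both a splice()
    and a setsockopt(SOL_TCP, TCP_ULP) anywhere in the supplied log window."""
    state = {}
    for line in audit_text.splitlines():
        rec = parse_record(line)
        # Only x86_64 SYSCALL records carry the syscall numbers defined above.
        if rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e":
            continue
        entry = state.setdefault(rec["pid"], {
            "uid": int(rec["uid"]), "comm": rec.get("comm", "?"),
            "splice": False, "ulp": False})
        nr = int(rec["syscall"])
        if nr == SYSCALL_SPLICE:
            entry["splice"] = True
        elif (nr == SYSCALL_SETSOCKOPT and int(rec["a1"], 16) == SOL_TCP
              and int(rec["a2"], 16) == TCP_ULP):
            entry["ulp"] = True   # audit logs syscall args as bare hex
    return {pid: e["comm"] for pid, e in state.items()
            if e["uid"] != 0 and e["splice"] and e["ulp"]}

if __name__ == "__main__":
    for pid, comm in find_suspicious_pids(SAMPLE_AUDIT_LOG).items():
        print(f"ALERT pid={pid} comm={comm}: splice() + TCP_ULP from non-root")
```

The pattern is a triage heuristic, not proof: legitimate kTLS or IPsec-over-TCP users also select a ULP, so enrich hits with the uid's expected workload before escalating.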
Sources and further reading
- The Hacker News — New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption (Wiz)
- Tenable RSO — Fragnesia CVE-2026-46300 FAQ
- TuxCare — Fragnesia: New Linux Kernel LPE Bug Spawned by Dirty Frag Patch
- Help Net Security — Fragnesia: New Linux Kernel LPE Was Spawned by Dirty Frag Patch
- NSFOCUS CERT — Linux Kernel Fragnesia Privilege Escalation Notice
- SOCPrime — CVE-2026-46300 Fragnesia Technical Analysis
- LinuxTeck — Fragnesia: Detection, Mitigation, and Patching Guide
DataWater publishes a daily cybersecurity threat brief. Article #12 — May 18, 2026. Previous: CVE-2026-20182 Cisco SD-WAN CVSS 10.0 (May 16) · NGINX Rift CVE-2026-42945 (May 14) · Dead.Letter CVE-2026-45185 (May 13) · Copy Fail CVE-2026-31431 (May 7).
