New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption
The Hacker News • • technology
Key Points:
- A new Linux kernel local privilege escalation (LPE) vulnerability named Fragnesia (CVE-2026-46300) has been discovered, allowing local attackers to gain root access by exploiting a logic bug in the XFRM ESP-in-TCP subsystem.
- Fragnesia is the third LPE bug found in the kernel within two weeks, similar to Dirty Frag and Copy Fail, and enables arbitrary byte writes into the kernel page cache, corrupting read-only file contents like /usr/bin/su to escalate privileges.
- Multiple major Linux distributions, including Debian, Ubuntu, Red Hat, and SUSE, have issued advisories and patches; users who applied Dirty Frag mitigations may not need immediate further action until updated kernels are released.
- Partial mitigation may be provided by AppArmor restrictions on unprivileged user namespaces, though successful exploitation requires bypassing these controls; Microsoft and others urge prompt patching and recommend disabling certain IPsec functionalities as interim defenses.
- Separately, a threat actor named "berz0k" is reportedly selling a zero-day Linux LPE exploit on cybercrime forums for $170,000, claiming it is a TOCTOU-based vulnerability affecting multiple major distributions without causing system crashes.