A newly discovered Linux local privilege escalation (LPE) vulnerability named Fragnesia is raising concerns across the cybersecurity community, marking the third major kernel privilege escalation flaw disclosed within just two weeks.
Tracked as CVE-2026-46300 with a CVSS score of 7.8, the vulnerability affects the Linux kernel’s XFRM ESP-in-TCP subsystem and allows local attackers to gain root privileges by corrupting the kernel page cache.
The flaw was discovered by security researcher William Bowling from Zellic and the V12 security team.
How the Fragnesia Vulnerability Works
According to security researchers, the vulnerability enables unprivileged local users to modify read-only file contents directly within the kernel page cache. This corruption can then be leveraged to achieve full root access on vulnerable systems.
Google-owned cloud security company Wiz explained that the issue creates a deterministic page-cache corruption primitive capable of escalating privileges without requiring race conditions.
Researchers noted that Fragnesia shares similarities with previously disclosed Linux kernel vulnerabilities including:
- Dirty Frag
- Copy Fail
- Copy Fail 2
Like those flaws, Fragnesia can reportedly provide immediate root access on many major Linux distributions by targeting the /usr/bin/su binary in memory.
Proof-of-Concept Exploit Released
The V12 security team has already released a proof-of-concept (PoC) exploit demonstrating successful exploitation of the vulnerability.
In an advisory, V12 stated:
“This is a separate bug in the ESP/XFRM from Dirty Frag which has received its own patch. However, it exists within the same attack surface and uses the same mitigation approach.”
Researchers emphasized that, unlike Dirty Frag, Fragnesia does not require host-level privileges before exploitation, which makes it particularly dangerous in multi-user environments and containerized workloads.
Affected Linux Distributions
Security advisories related to CVE-2026-46300 have already been published by multiple Linux vendors, including:
- AlmaLinux
- Amazon Linux
- CloudLinux
- Debian
- Gentoo
- Red Hat Enterprise Linux (RHEL)
- SUSE
- Ubuntu
CloudLinux maintainers confirmed that systems already protected against Dirty Frag may not require additional temporary mitigation steps until patched kernels are released.
Meanwhile, Red Hat stated it is still assessing whether existing mitigations fully protect against the new vulnerability.
Mitigation and Recommended Actions
Security experts strongly recommend applying kernel patches as soon as they become available.
Microsoft warned that although no active in-the-wild exploitation has been observed so far, organizations should immediately update vulnerable systems or implement temporary mitigations.
Recommended mitigation steps include:
- Disabling esp4, esp6, and related XFRM/IPsec functionality
- Restricting unnecessary local shell access
- Hardening containerized workloads
- Monitoring systems for suspicious privilege escalation activity
- Limiting unprivileged user namespaces where possible
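As an added example (the editor's own, not code from V12, Wiz, Microsoft or any distribution vendor), the following POSIX shell script implements two of the steps above for a host that cannot yet boot a patched kernel: it blacklists the esp4/esp6 modules through /etc/modprobe.d, and it checks whether a binary's page-cache contents still match the blocks on disk, which is the kind of tampering the article describes against /usr/bin/su. The module names come from the article; the config path, the function names and the sample lsmod output are this example's own assumptions.

```shell
#!/bin/sh
# Added example by the editor, not code from the advisory, V12, Wiz or any vendor.
#   1. block the esp4/esp6 kernel modules from loading via modprobe.d, and
#   2. compare a target binary as read through the page cache with a direct
#      read of the on-disk blocks, to spot page-cache-only modifications.
# Module names come from the article; the config path, function names and the
# sample lsmod output below are this example's own assumptions.

MITIGATION_CONF="${MITIGATION_CONF:-/etc/modprobe.d/disable-esp.conf}"
ESP_MODULES="esp4 esp6"

# Print a modprobe.d stanza that makes every load attempt for the listed
# modules fail, including kernel-initiated autoloading.
esp_blacklist_conf() {
    for m in $ESP_MODULES; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Read lsmod-style output on stdin and print the ESP modules that are loaded.
# Prints nothing when none of them are resident.
esp_modules_loaded() {
    awk -v want="$ESP_MODULES" '
        BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) w[a[i]] = 1 }
        NR > 1 && ($1 in w) { print $1 }'
}

# Write the blacklist and unload any ESP module that is already resident.
# Requires root. Has no effect if ESP is built into the kernel (CONFIG_INET_ESP=y)
# rather than built as a module, and it breaks IPsec ESP on this host until removed.
apply_esp_mitigation() {
    esp_blacklist_conf > "$MITIGATION_CONF"
    lsmod | esp_modules_loaded | while read -r m; do
        modprobe -r "$m" || echo "warning: could not unload $m" >&2
    done
}

# Compare a file as seen through the page cache with a direct read of the
# on-disk blocks (O_DIRECT bypasses the cache). Returns 0 when they match.
# Assumes GNU dd and a filesystem that supports O_DIRECT (ext4/XFS; not tmpfs).
page_cache_matches_disk() {
    f="$1"
    cached=$(sha256sum < "$f" | cut -d' ' -f1)
    ondisk=$(dd if="$f" iflag=direct bs=4096 status=none | sha256sum | cut -d' ' -f1)
    [ "$cached" = "$ondisk" ]
}

# Constructed sample lsmod output so the module check can be exercised offline.
SAMPLE_LSMOD='Module                  Size  Used by
esp4                   32768  0
xfrm_user              57344  1
overlay               163840  0'

case "${1:-}" in
    --apply)
        apply_esp_mitigation ;;
    --verify)
        page_cache_matches_disk /usr/bin/su && echo "/usr/bin/su: cache matches disk" \
            || echo "/usr/bin/su: page cache differs from disk, investigate" ;;
    *)
        echo "# stanza that would be written to $MITIGATION_CONF:"
        esp_blacklist_conf
        echo "# ESP modules found in the sample lsmod output:"
        printf '%s\n' "$SAMPLE_LSMOD" | esp_modules_loaded ;;
esac
```

Run it with no arguments to preview the stanza and exercise the module check against the built-in sample, `--apply` as root to install the blacklist and unload resident modules, and `--verify` to compare /usr/bin/su through the cache against its on-disk blocks. Two caveats apply: the blacklist is only meaningful where ESP is compiled as a module, and a cache/disk mismatch is evidence worth investigating rather than proof of exploitation, since a legitimate in-place package update can briefly produce the same condition.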
Researchers from Wiz also noted that AppArmor restrictions on unprivileged user namespaces may provide partial protection against exploitation attempts.
Underground Forums Advertise New Linux Zero-Day Exploit
The disclosure comes amid reports that a threat actor known as “berz0k” is advertising a separate Linux zero-day privilege escalation exploit on cybercrime forums for approximately $170,000.
According to threat intelligence platform ThreatMon, the seller claims the exploit:
- Works across multiple major Linux distributions
- Uses a TOCTOU (Time-of-Check Time-of-Use) vulnerability
- Provides stable privilege escalation without crashing systems
- Drops a malicious .so payload into the /tmp directory
While the claims remain unverified, the listing highlights growing interest among cybercriminals in Linux privilege escalation vulnerabilities.
Final Thoughts
The rapid emergence of multiple Linux kernel privilege escalation flaws in recent weeks underscores the importance of timely patch management and proactive hardening strategies.
Organizations running Linux infrastructure should prioritize kernel updates, review local access policies, and strengthen monitoring for abnormal privilege escalation behavior to reduce exposure to evolving threats.
