Linux distributions are informing users about a new kernel vulnerability that can be exploited by a local attacker to escalate privileges to root.
Dubbed Fragnesia and officially tracked as CVE-2026-46300, the issue resides in the kernel’s XFRM ESP-in-TCP subsystem, allowing an unprivileged attacker to gain root permissions by overwriting sensitive system files.
A majority of Linux distributions are affected, and they have started releasing patches.
A proof-of-concept (PoC) exploit is available, but there is no evidence that Fragnesia has been exploited in the wild.
“Similar to Dirty Frag, Fragnesia exploits a vulnerability in the XFRM ESP-in-TCP subsystem to achieve a memory write primitive in the kernel,” Microsoft’s threat intelligence team said.
“The primitive is then used to corrupt the page cache memory of the [/]usr[/]bin[/]su binary, which in turn leads to launching a shell with root privilege. Note that exploitation is not constrained to use the [/]usr[/]bin[/]su binary; it can modify any file readable by the user, including [/]etc[/]passwd,” it added.
Microsoft has urged organizations to apply the available patches as soon as possible.
Fragnesia is in the same class of vulnerabilities as the recently disclosed Dirty Frag and Copy Fail.
Copy Fail has been exploited in the wild, and Microsoft noted shortly after Dirty Frag’s disclosure that it too may have been leveraged in malicious attacks.
The tech giant reported on May 8 that its Defender product had seen limited in-the-wild activity that could indicate exploitation of either Dirty Frag or Copy Fail.
At the time of writing, there do not appear to be any other reports confirming the exploitation of Dirty Frag.
Related: OpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 Years
Related: Easily Exploitable ‘Pack2TheRoot’ Linux Vulnerability Leads to Root Access
Related: Organizations Warned of Exploited Linux Vulnerabilities
