OSG-SEC-2026-05-13 Important Linux Fragnesia Local Privilege Escalation (LPE) Vulnerability
Dear OSG Security Contacts,
Fragnesia is a newly disclosed Linux local privilege escalation (LPE) vulnerability affecting the kernel XFRM ESP-in-TCP subsystem. The vulnerability belongs to the broader class of page-cache corruption issues that includes Dirty Pipe, Dirty Frag, and Copy Fail. Public research indicates that unprivileged local users may achieve root privileges by corrupting read-only page-cache-backed executable content in memory.
While no patch is available yet, the mitigating steps below, which are the same as those for DirtyFrag, should be applied immediately to protect yourself from the potential rapid spread of these exploits. This is the information we have at the time of writing.
IMPACTED VERSIONS:
The disclosed vulnerabilities reportedly affect Linux kernels across broad version ranges and have been reproduced on major Linux distributions including Ubuntu, RHEL, CentOS Stream, Fedora, AlmaLinux, and openSUSE.
WHAT ARE THE VULNERABILITIES:
Fragnesia exploits a logic flaw in the Linux XFRM ESP-in-TCP implementation, specifically involving improper handling of shared page fragments during skb coalescing. The exploit abuses a scenario where file-backed pages are spliced into a TCP receive queue before the socket transitions into espintcp ULP mode. Once ESP processing is enabled, the kernel decrypts the queued data in-place, causing controlled corruption of the underlying page cache through AES-GCM keystream manipulation.
Current public research describes the exploit as deterministic and not dependent on race conditions. A public exploit is available.
WHAT YOU SHOULD DO:
Systems patched for Dirty Frag may still be vulnerable to Fragnesia if the affected XFRM ESP-in-TCP functionality remains enabled and vendor follow-up fixes have not yet been applied.
Until vendor patches become available, consider applying temporary mitigations by unloading and blacklisting the affected kernel modules where operationally feasible. In our testing, these mitigations prevented both vulnerabilities.
Currently discussed mitigations include disabling:
- esp4
- esp6
- rxrpc
This is accomplished on vulnerable systems by adding the following lines to the file "/etc/modprobe.d/dirtyfrag.conf":
install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false
Note that if you have already performed this mitigation as part of the DirtyFrag vulnerability mitigation, you do not need to add these lines again. Then run the following commands as root to remove the affected modules and clear the page cache:
rmmod esp4 esp6 rxrpc 2>/dev/null
echo 1 > /proc/sys/vm/drop_caches
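To confirm the mitigation took effect on a host, the following added example (not part of the original advisory) checks that esp4, esp6 and rxrpc are not loaded and that each has an "install <module> /bin/false" override under /etc/modprobe.d. The function names and the optional path arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the module mitigation described in this advisory.
# Assumption: esp4, esp6 and rxrpc are built as loadable modules. A driver
# compiled into the kernel never appears in /proc/modules and is not
# affected by an "install" override.
MODULES="esp4 esp6 rxrpc"

# module_loaded NAME [PROC_MODULES_FILE]
# Succeeds if NAME is listed as a loaded module.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' \
        "${2:-/proc/modules}"
}

# module_blocked NAME [MODPROBE_DIR]
# Succeeds if any *.conf file in the directory contains an uncommented
# "install NAME /bin/false" line.
module_blocked() {
    dir="${2:-/etc/modprobe.d}"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if awk -v m="$1" '
            /^[ \t]*#/ { next }
            $1 == "install" && $2 == m && $3 == "/bin/false" { found = 1 }
            END { exit !found }' "$f"; then
            return 0
        fi
    done
    return 1
}

# audit_mitigation [PROC_MODULES_FILE] [MODPROBE_DIR]
# Prints one status line per module. Returns 0 only if every module is
# both unloaded and blocked from being loaded again.
audit_mitigation() {
    rc=0
    for m in $MODULES; do
        loaded=no
        blocked=no
        module_loaded "$m" "$1" && loaded=yes
        module_blocked "$m" "$2" && blocked=yes
        echo "$m loaded=$loaded blocked=$blocked"
        [ "$loaded" = no ] && [ "$blocked" = yes ] || rc=1
    done
    return $rc
}
```

Source the file and run audit_mitigation with no arguments on the host; a non-zero exit status means at least one module is still loaded or is missing its install override.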
For shared environments, consider restricting unprivileged user access paths (SSH, HTCondor jobs, containers, CI workloads, etc.) until mitigations or vendor patches are available.
If exploitation is suspected, systems should be rebooted and audited to check for injected accounts or rootkits.
REFERENCES
[1] https://access.redhat.com/security/cve/cve-2026-46300
[2] https://access.redhat.com/security/vulnerabilities/RHSB-2026-003
[3] https://github.com/v12-security/pocs/blob/main/fragnesia%2FREADME.md
[4] https://www.wiz.io/blog/fragnesia-linux-kernel-local-privilege-escalation-via-esp-in-tcp
[5] https://github.com/V4bel/dirtyfrag
[6] https://github.com/V4bel/dirtyfrag/blob/master/assets/write-up.md
[7] https://github.com/0xdeadbeefnetwork/Copy_Fail2-Electric_Boogaloo
[8] https://access.redhat.com/security/cve/cve-2026-43284
[9] https://almalinux.org/blog/2026-05-07-dirty-frag/
[10] https://nvd.nist.gov/vuln/detail/cve-2022-0847
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team