Fragnesia Opens Linux Root Escalation Path via CVE-2026-46300 as Patch Ships
Updated
Updated · Microsoft · May 8
Fragnesia Opens Linux Root Escalation Path via CVE-2026-46300 as Patch Ships
11 articles · Updated · Microsoft · May 8
CVE-2026-46300, dubbed Fragnesia, is a newly found Dirty Frag variant that lets an unprivileged Linux user escalate to root by manipulating page-cache behavior through the esp/xfrm module.
Unlike Dirty Frag, which also used an rxrpc path, Fragnesia relies only on esp/xfrm; Microsoft said existing Dirty Frag signatures already detect the public exploit and no in-the-wild exploitation has been seen so far.
Microsoft is still tracking limited active attacks tied to Dirty Frag or CopyFail patterns, including SSH access, an ELF binary named ./update, privilege escalation via su, and follow-on access to GLPI files and PHP sessions.
A patch is available for Fragnesia, and organizations running Ubuntu, RHEL, CentOS Stream, AlmaLinux, Fedora, openSUSE or OpenShift are urged to update quickly or disable vulnerable modules and tighten local-shell and container controls.
From 'Dirty Pipe' to 'Dirty Frag,' is a fundamental flaw in Linux's design making these critical 'page-cache' exploits inevitable?
With a critical Linux root exploit still unpatched, are millions of servers now indefensible against determined attackers?
As security patches inadvertently create new vulnerabilities, are we entering an era where kernel exploits outpace our ability to fix them?
Fragnesia (CVE-2026-46300): Critical Linux Kernel LPE Threat, Exploitation Details, and Immediate Mitigation Strategies
Overview
On May 14, 2026, an urgent alert was issued for Fragnesia (CVE-2026-46300), a newly disclosed Linux kernel vulnerability. This flaw, the third major kernel bug in just two weeks, allows local attackers to gain root access by exploiting a weakness in the XFRM ESP-in-TCP subsystem. Attackers use this to gain a memory write primitive in the kernel, which lets them corrupt the page cache of critical system binaries like /usr/bin/su. The rapid appearance of such vulnerabilities highlights a serious and immediate threat to Linux environments, demanding swift attention and action from system administrators.