Security researchers published a proof-of-concept for “Fragnesia,” a Linux kernel privilege escalation vulnerability (CVE-2026-46300) in the XFRM IPsec framework’s handling of ESP-in-TCP fragmentation. The flaw follows the Dirty Frag class of fragmentation-layer memory corruption bugs and enables an unprivileged local user to escalate to root privileges. Distribution vendors are pushing kernel updates through their security channels.
Technical Detail
The XFRM framework is the Linux kernel’s IPsec transformation subsystem, handling encryption and authentication for IPsec tunnels and transport-mode packets. CVE-2026-46300 is a memory corruption issue in how XFRM handles ESP-in-TCP packet fragments when a specific sequence of fragmented packets triggers a race condition in the fragment reassembly path.
The exploit chain works as follows: an unprivileged user crafts a series of fragments that cause the XFRM reassembly code to corrupt a kernel memory region. By timing fragment delivery to land inside the race window, the attacker overwrites a kernel function pointer and redirects execution to attacker-controlled memory, achieving arbitrary kernel code execution and from there unrestricted root access.
The PoC exploit was developed on Ubuntu 22.04 LTS (kernel 6.8) and has been confirmed on recent kernel versions up to 6.11. Exploit reliability varies by system configuration but achieves root in under 30 seconds on tested systems.
Affected Versions
The vulnerability exists in Linux kernel versions 5.12 through 6.11 (the introduction and subsequent refinement of the vulnerable code path). Kernels compiled without XFRM support (CONFIG_XFRM=n, shown in the kernel config as "# CONFIG_XFRM is not set") are not affected, but this configuration is uncommon in distribution kernels. Note that distribution kernels backport the fix without changing the upstream major.minor version, so a kernel reporting a version inside this range is not necessarily vulnerable; the distribution's advisory and package version are authoritative.
Patched kernel versions are being distributed as security updates across:
- Ubuntu: linux-image security update in focal, jammy, noble
- RHEL/CentOS Stream: kernel update via RHSA advisory
- Debian: linux security package update
- SUSE: SLES kernel security update
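A first-pass host triage against the two facts the article gives, written as an added example rather than anything published with the advisory: whether the running kernel's major.minor falls in 5.12..6.11 and whether CONFIG_XFRM is enabled in the build config. The version range and the config option come from the text above; the classification strings, the config-file path convention (/boot/config-$(uname -r)) and the sample config contents used in the comments are assumptions of this example. Because a vendor-patched kernel keeps an upstream version inside the range, "affected-range" means "check the vendor advisory", not "vulnerable".

```shell
#!/bin/sh
# Added triage helper (example code, not from the article or any vendor).
# Classifies a host by kernel major.minor and CONFIG_XFRM; a distro-patched
# kernel still reports a version inside 5.12..6.11, so this is a filter for
# which hosts to check against the distribution advisory, not a vuln scanner.

# version_code "6.8.0-45-generic" -> prints 608 (major*100 + minor).
# Returns 1 without output when the string is not <digits>.<digits>...
version_code() {
    v=$1
    case "$v" in *.*) ;; *) return 1 ;; esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}          # "11-rc3" -> "11"
    case "$major$minor" in
        ''|*[!0-9]*) return 1 ;;
    esac
    echo $((major * 100 + minor))
}

# in_affected_range VERSION -> exit 0 when 5.12 <= major.minor <= 6.11,
# 1 when outside the range, 2 when the version string cannot be parsed.
in_affected_range() {
    code=$(version_code "$1") || return 2
    [ "$code" -ge 512 ] && [ "$code" -le 611 ]
}

# xfrm_state CONFIG_FILE -> prints y, n or unknown. XFRM is a bool option,
# so "=y" means built in; "# CONFIG_XFRM is not set" is how a disabled
# option appears in a kernel .config (assumption: standard Kconfig output).
xfrm_state() {
    f=$1
    [ -r "$f" ] || { echo unknown; return 0; }
    if grep -q '^CONFIG_XFRM=[ym]' "$f"; then
        echo y
    elif grep -q '^# CONFIG_XFRM is not set' "$f"; then
        echo n
    else
        echo unknown
    fi
}

# triage VERSION CONFIG_FILE -> one line such as "affected-range xfrm=y",
# "outside-range" or "unparseable".
triage() {
    if in_affected_range "$1"; then
        echo "affected-range xfrm=$(xfrm_state "$2")"
    else
        case $? in
            2) echo "unparseable" ;;
            *) echo "outside-range" ;;
        esac
    fi
}

# When run directly, report on the live host. Example (constructed) output
# for an Ubuntu 6.8 HWE kernel: "affected-range xfrm=y".
running=$(uname -r 2>/dev/null || echo unknown)
triage "$running" "/boot/config-$running"
```

Run it from an inventory loop (ssh host sh -s < triage.sh) and feed hosts that print "affected-range" into the package-version check for your distribution; hosts printing "affected-range xfrm=n" are out of scope per the article, and "xfrm=unknown" usually means the config file is not installed and /proc/config.gz should be consulted instead.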
Why It Matters
Fragnesia follows a pattern of high-impact Linux kernel LPE disclosures in 2026. Like the Linux CopyFail and Dirty Frag vulnerabilities that preceded it, Fragnesia demonstrates that the kernel's complex networking subsystems, which perform memory operations at full kernel privilege on attacker-supplied packet data, continue to harbour exploitable bugs despite significant hardening efforts.
For enterprise environments, the primary risk model is post-initial-access: a threat actor who obtains a low-privilege shell via web application exploit, container escape, or phishing can use Fragnesia to escalate to root and achieve full system compromise. In cloud environments running Linux virtual machines, root access can then be used to access instance metadata, credentials, and attached storage.
Recommended Actions
- Apply kernel updates immediately: Update to the patched kernel version on all Linux hosts. On Ubuntu, apt update && apt upgrade linux-image-generic (hosts on an HWE kernel pull the update through the corresponding linux-image-generic-hwe-* metapackage instead). On RHEL, dnf update kernel (yum update kernel on older releases). A reboot is required for the new kernel to take effect; confirm with uname -r afterwards.
- Live patching: For systems where reboots are difficult, RHEL Live Patching (kpatch) and Ubuntu Livepatch can apply kernel security fixes without a reboot. Confirm that a live patch for this CVE is actually available for your distribution and kernel before relying on it.
- Cloud instance hardening: For Linux VMs in AWS, Azure, or GCP, verify that instance metadata service (IMDS) access is restricted to limit credential theft after a successful exploit. On AWS, require IMDSv2 (set the instance metadata option http-tokens to required); on Azure, scope managed identities to the minimum roles the workload needs. Root on the instance can still reach the metadata endpoint, so the goal is to shrink what the instance's credentials can do, not to block access entirely.
- Container environments: Kubernetes cluster nodes are Linux systems, and containers share the node kernel. Apply kernel updates to all cluster nodes. A kernel LPE reached from inside a container yields root on the node regardless of the container's user or capability set, so workloads running as root or with excessive capabilities are not at greater risk from Fragnesia itself; they simply make the initial foothold easier to obtain.