Linux Kernel CVE-2026-46300 Fragnesia LPE Grants Root Access
A new local privilege escalation (LPE) vulnerability, codenamed 'Fragnesia' (CVE-2026-46300), allows unprivileged local attackers to achieve immediate root privileges across major Linux distributions. It is the third deterministic LPE found in two weeks and uses page cache corruption techniques similar to those of 'Copy Fail' and 'Dirty Frag', indicating a systemic flaw in how the kernel handles memory management. Because these exploits are deterministic, they are highly reliable.
What Happened
The Fragnesia vulnerability, CVE-2026-46300, was publicly disclosed on May 14, 2026, with a proof-of-concept (PoC) exploit released by the V12 security team. This LPE is a variant of the previously identified 'Dirty Frag' (CVE-2026-43284 and CVE-2026-43500) and shares core similarities with 'Copy Fail' (CVE-2026-31431), as The Hacker News reported.
The vulnerability affects a broad range of major Linux distributions, including AlmaLinux, Amazon Linux, CloudLinux, Debian, Gentoo, Red Hat Enterprise Linux, SUSE, and Ubuntu. It impacts Linux kernel versions released prior to May 13, 2026, that were also susceptible to 'Dirty Frag' (BleepingComputer reports). A patch for Fragnesia is available, and organizations should apply it as soon as possible.
CloudLinux maintainers have stated that customers who applied their 'Dirty Frag' mitigation might not require further action until official patched kernels are released. Red Hat is currently assessing if their existing mitigations for similar vulnerabilities extend to CVE-2026-46300 (Security Affairs reports). Microsoft Defender is actively monitoring activity related to this vulnerability and investigating additional detections and protections, according to an advisory on MSRC.
Why It Matters
Fragnesia offers an unprivileged local attacker immediate root access on affected systems, a critical escalation that bypasses most standard security controls. Its CVSS score is 7.8, reflecting its high impact and ease of exploitation once an attacker has local access. This is a privilege escalation that grants an attacker full control to access or modify any data; it is not related to ransomware.
The vulnerability's deterministic nature is particularly concerning. Unlike older LPEs that relied on race conditions, Fragnesia guarantees exploitation, making it highly reliable for attackers (The Hacker News claims). This deterministic quality, shared with 'Copy Fail' and 'Dirty Frag', points to a fundamental flaw in kernel memory management.
Microsoft suggests that AppArmor restrictions on unprivileged user namespaces could serve as a partial mitigation, potentially requiring additional bypasses for successful exploitation. Antivirus signatures originally developed for 'Dirty Frag', such as Trojan:Linux/DirtyFrag.Z!MTB and Trojan:Linux/DirtyFrag.DA!MTB, have been observed to detect the public exploit for Fragnesia, according to Microsoft Defender. The Canadian Cyber Centre has issued an alert highlighting the severity of such LPEs when chained with remote code execution (RCE) vulnerabilities, enabling complete system compromise (BleepingComputer reports).

Technical Breakdown
Fragnesia exploits a logic bug within the Linux kernel's XFRM ESP-in-TCP subsystem. This bug enables an attacker to perform arbitrary byte writes directly into the kernel page cache of read-only files. Crucially, this exploit does not require any race condition to succeed, making it a deterministic page-cache corruption primitive.
In effect, the page cache acts as a "trusted" manual that the system consults whenever it runs a program. An attacker can rewrite a single, critical instruction on one page of that manual in the kernel's memory. The next time the system executes a command from it, it follows the modified, malicious instruction, granting the attacker full control. The system never realizes the page was tampered with, because the modification didn't involve a messy, detectable race to rewrite it.
The exploit achieves immediate root access by specifically corrupting the page cache memory associated with the /usr/bin/su binary. This manipulation allows the unprivileged user to execute commands with elevated privileges.
This attack aligns directly with T1068 Exploitation for Privilege Escalation within the MITRE ATT&CK framework. Teams must prioritize SI-2 Flaw Remediation from NIST SP 800-53, ensuring kernel updates are deployed rapidly. Endpoint detection and response (EDR) solutions like CrowdStrike Falcon or SentinelOne can monitor for and alert on the anomalous behavior of processes attempting to gain root privileges, even if the initial LPE method itself isn't immediately detected by traditional signatures.
Historical Context
Deterministic LPEs like Fragnesia, Dirty Frag, and Copy Fail draw parallels with, yet differ significantly from, older Linux kernel privilege escalation vulnerabilities such as Dirty COW (CVE-2016-5195), discovered in 2016. Dirty COW also allowed local privilege escalation, in its case by exploiting a race condition in the Linux kernel's copy-on-write (COW) mechanism that enabled attackers to write to read-only memory mappings.
While both classes of vulnerabilities involve memory corruption for privilege escalation, Dirty COW relied on carefully timed race conditions, making exploitation less reliable and requiring specific conditions. Fragnesia, however, is deterministic. It uses a logic bug that allows a direct, guaranteed write to the page cache of read-only files without a race, making it a far more reliable and dangerous primitive for attackers. The current spate of deterministic LPEs highlights a shift from timing-dependent memory exploits to logic-error-driven memory corruption.
Data at a Glance
| Metric | Value | Source |
|---|---|---|
| CVE ID | CVE-2026-46300 | NVD |
| CVSS Score | 7.8 | NVD |
| Affected Kernel Versions | Prior to May 13, 2026 | BleepingComputer |
| Exploit Disclosure Date | May 14, 2026 | The Hacker News |
| Deterministic LPEs in 2 Weeks | 3 | Security Affairs |

Our Take
We're seeing a concerning pattern with these deterministic page cache LPEs. The fact that Fragnesia is the third in two weeks, leveraging a similar memory write primitive, suggests a deeper, systemic issue beyond isolated bugs. This isn't about race conditions that are hard to hit; these are reliable exploits that grant root immediately. Security teams running Linux servers need to treat kernel updates with extreme urgency, especially given the PoC is public. The window for patching is shrinking dramatically.
The CVEDaily Take
Fragnesia reinforces that Linux kernel developers must investigate what's causing these deterministic LPEs at an architectural level. The repeated exploitation of page cache memory via logic flaws, rather than race conditions, suggests a fundamental weakness in memory handling. We think the current patching cadence for many organizations is insufficient for this class of vulnerability. Organizations must improve their patch management and layered defense for Linux environments. Given the frequency of these page cache LPEs, has your team formally reviewed your Linux kernel patching cadence and page cache integrity monitoring strategies?
FAQ
Q1: What exactly is Fragnesia and what makes it deterministic?
A1: Fragnesia (CVE-2026-46300) is a local privilege escalation (LPE) vulnerability in the Linux kernel that allows an unprivileged local attacker to gain root access. It's deterministic because it exploits a logic bug in the XFRM ESP-in-TCP subsystem, allowing for arbitrary byte writes to the kernel page cache of read-only files without relying on a race condition. This means the exploit is highly reliable and doesn't depend on timing or system load.
Q2: Which Linux distributions are affected by CVE-2026-46300?
A2: Fragnesia affects a wide range of major Linux distributions. Confirmed affected distributions include AlmaLinux, Amazon Linux, CloudLinux, Debian, Gentoo, Red Hat Enterprise Linux, SUSE, and Ubuntu. Any Linux kernel version released prior to May 13, 2026, that was also vulnerable to 'Dirty Frag' is likely susceptible.
Q3: Are there any immediate mitigations if we can't patch right away?
A3: While patching is the most effective solution, Microsoft suggests that enforcing strong AppArmor restrictions on unprivileged user namespaces could serve as a partial mitigation, potentially requiring attackers to find additional bypasses. Additionally, CloudLinux has noted that customers who applied their 'Dirty Frag' mitigation might already be protected to some extent. Monitoring with EDR solutions for anomalous process activity or integrity checks on critical binaries like /usr/bin/su can also help detect post-exploitation behavior.