Fragnesia CVE-2026-46300: Linux Kernel LPE Vulnerability Explained
Key Takeaways
- Fragnesia (CVE-2026-46300) is a high-severity Linux kernel local privilege escalation (LPE) vulnerability (CVSS 7.8) in the XFRM ESP-in-TCP subsystem, and it is exploitable across nearly all Linux distributions.
- The root cause is a logic flaw where the socket buffer fails to recognize shared fragment pages during memory coalescing, causing the kernel to perform in-place AES-GCM decryption directly on file page cache entries.
- The exploit allows local unprivileged attackers to write arbitrary bytes into the page cache of read-only files without any race conditions, making it highly reliable.
- By repeatedly triggering the flaw, an attacker can write a 192-byte ELF stub into the page cache of a setuid-root binary (such as /usr/bin/su) and spawn a root shell, while leaving the original on-disk file untouched.
- Picus Threat Library includes dedicated threats for simulating Fragnesia vulnerability attacks, enabling security teams to validate their defenses against this vulnerability.
Fragnesia (CVE-2026-46300), disclosed on May 13, 2026, is a high-severity Linux kernel bug that gives a local attacker a reliable way to escalate privileges. By abusing the memory coalescing bug in the XFRM ESP-in-TCP module, an adversary can overwrite the page-cache copy of a read-only file and thereby spawn a root shell.
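Because the takeaways above say the page cache is modified while the on-disk file stays untouched, a defender can compare the two views of a setuid binary. The following is an added example, not code from the article or from Picus; it assumes a filesystem that honours `O_DIRECT` reads, and the function names are hypothetical.

```python
import hashlib
import mmap
import os

CHUNK = 1 << 20  # read size; a multiple of common logical block sizes

def first_divergence(cached, disk):
    """Offset of the first differing byte, or None when identical."""
    if cached == disk:
        return None
    common = min(len(cached), len(disk))
    return next((i for i in range(common) if cached[i] != disk[i]), common)

def read_buffered(path):
    """Normal read: served from the page cache, i.e. what execve() sees."""
    with open(path, "rb") as f:
        return f.read()

def read_direct(path):
    """O_DIRECT read: fetched from the block device, bypassing cached pages."""
    fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
    buf = mmap.mmap(-1, CHUNK)  # anonymous mmap gives the aligned buffer O_DIRECT needs
    out = bytearray()
    try:
        size = os.fstat(fd).st_size
        while len(out) < size:
            n = os.preadv(fd, [buf], len(out))  # offset stays CHUNK-aligned until EOF
            if n == 0:
                break
            out += buf[:n]
    finally:
        buf.close()
        os.close(fd)
    return bytes(out)

def check(path):
    """Compare both views of one file; 'unsupported' if O_DIRECT is refused."""
    cached = read_buffered(path)
    try:
        disk = read_direct(path)
    except (OSError, AttributeError) as exc:
        return {"path": path, "status": "unsupported", "detail": str(exc)}
    offset = first_divergence(cached, disk)
    return {"path": path, "status": "match" if offset is None else "mismatch",
            "offset": offset, "cached_sha256": hashlib.sha256(cached).hexdigest()}

if __name__ == "__main__":
    # /usr/bin/su is the target the article names; add other setuid binaries as needed.
    print(check("/usr/bin/su"))
```

A `mismatch` result means the in-memory copy that would be executed differs from the bytes on disk, which file-integrity tools that hash the buffered view against each other will not show. An `unsupported` result (for example on some tmpfs or overlay setups) means this check cannot be relied on for that path.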