Fragnesia Flaw Hands Linux Users Root Access: Third Kernel Bug in Two Weeks, Born From Patch
Publish Date: 2026-05-15 06:03:00
Source Domain: www.techtimes.com
A newly disclosed Linux kernel flaw nicknamed Fragnesia — tracked as CVE-2026-46300 — lets any unprivileged local user gain root on essentially every major Linux distribution shipped before May 13, 2026, and a working public exploit has been sitting on GitHub since the day of disclosure. Today, NSFOCUS CERT issued an emergency advisory on the bug, joining writeups from Microsoft, Wiz, Tenable, AlmaLinux, CloudLinux, and Fedora that all reach the same conclusion: anyone running a Linux server where untrusted users can run code is one short command away from a full host compromise.
The timing is awkward. Today, May 15, is also the CISA Binding Operational Directive 22-01 deadline for U.S. federal civilian agencies to remediate Copy Fail (CVE-2026-31431), the related Linux kernel root bug CISA added to its Known Exploited Vulnerabilities catalog on May 1. Many agencies finishing that patch cycle today will discover they need to repeat the process for Fragnesia — and so will anyone running a multi-tenant Kubernetes cluster, a shared CI runner, a bastion host, or a developer workstation that other people can log into.
The bug lives in the same XFRM ESP-in-TCP code that produced Dirty Frag — and the Dirty Frag fix created it
Fragnesia sits in the Linux kernel’s XFRM ESP-in-TCP subsystem, the same broad attack surface as Dirty Frag (CVE-2026-43284 and CVE-2026-43500), disclosed on May 7. According to Tenable’s Research Special Operations team, the root cause is a logic error in the core socket-buffer code: skb_try_coalesce() fails to propagate the SKBFL_SHARED_FRAG marker when transferring paged fragments between buffers. The kernel forgets a fragment was backed by external memory — for example, page-cache pages spliced in from a file on disk — and the XFRM ESP-in-TCP receive path then performs in-place AES-GCM decryption directly over those page-cache pages.
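The flag-loss mechanism described above, as a simplified userspace model added here (not kernel code, and not taken from Tenable or the article). The `struct buf` layout, the `coalesce` and `decrypt` helpers, the XOR stand-in for AES-GCM and the copy-before-transform rule are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SHARED_FRAG 0x1u  /* stands in for SKBFL_SHARED_FRAG */

/* Toy buffer, not the real sk_buff: one paged fragment plus a flags word. */
struct buf { unsigned char *frag; size_t len; unsigned flags; };

/* Transfer the fragment from 'from' to 'to'. propagate=0 models the flaw
 * (marker dropped); propagate=1 models a coalesce that carries it over. */
static void coalesce(struct buf *to, struct buf *from, int propagate)
{
    to->frag = from->frag;
    to->len = from->len;
    if (propagate)
        to->flags |= from->flags & SHARED_FRAG;
    from->frag = NULL;
}

/* Assumed receive-side rule: a marked buffer is copied to private memory
 * before the transform; an unmarked one is transformed in place. */
static void decrypt(struct buf *b, unsigned char *scratch)
{
    if (b->flags & SHARED_FRAG) {
        memcpy(scratch, b->frag, b->len);
        b->frag = scratch;
    }
    for (size_t i = 0; i < b->len; i++)
        b->frag[i] ^= 0x5a;  /* XOR stands in for the cipher */
}

/* Returns 1 if the constructed "page cache" bytes changed, else 0. */
static int page_cache_modified(int propagate)
{
    unsigned char page_cache[] = "FILEDATA";  /* constructed sample */
    unsigned char orig[sizeof page_cache], scratch[sizeof page_cache];
    struct buf head = { NULL, 0, 0 };
    struct buf tail = { page_cache, 8, SHARED_FRAG };
    memcpy(orig, page_cache, sizeof orig);
    coalesce(&head, &tail, propagate);
    decrypt(&head, scratch);
    return memcmp(orig, page_cache, sizeof orig) != 0;
}

int main(void)
{
    printf("marker dropped:    modified=%d\n", page_cache_modified(0));
    printf("marker propagated: modified=%d\n", page_cache_modified(1));
    return 0;
}
```

In the model, the file-backed bytes change only when the marker is lost during the transfer. This is why a single missing flag propagation turns a receive-path transform into a write to memory the buffer does not own.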
By controlling the initialization vector values fed into that decryption, an unprivileged attacker…