New Linux Kernel Vulnerability Enables Root Access

https://cybersecuritynews.com/fragnesia-linux-vulnerability/

Publish Date: 2026-05-13 10:13:00

Source Domain: cybersecuritynews.com

A newly disclosed Linux kernel vulnerability dubbed Fragnesia allows any local unprivileged user to escalate privileges to root without requiring a race condition, making it one of the more reliable local privilege escalation exploits seen in recent years.

Discovered by William Bowling of the V12 security team, Fragnesia joins a growing class of dangerous kernel bugs that silently rewrite the rules of Linux security.

Fragnesia belongs to the Dirty Frag vulnerability class, a cousin of the infamous Dirty Pipe and Copy Fail bugs, but targets a separate logic flaw in the Linux XFRM ESP-in-TCP subsystem.

The name itself hints at the mechanism: the kernel “forgets” that a fragment is shared during socket buffer coalescing, corrupting memory it was never supposed to touch.

How the Fragnesia Linux Kernel Vulnerability Works

The exploit weaponizes a subtle logic bug in how the kernel handles ESP-in-TCP ULP (Upper Layer Protocol) mode.

When a TCP socket transitions to espintcp ULP after file data has already been spliced into the receive queue, the kernel mistakenly processes those queued file pages as ESP ciphertext.

This causes a single AES-GCM keystream byte to be XORed directly into a read-only file’s kernel page cache; no race condition is needed.

By carefully selecting an IV nonce to produce any desired keystream byte, an attacker can flip any byte in a cached file to any value, one byte per trigger invocation.

The exploit constructs a 256-entry lookup table mapping all possible keystream bytes to their corresponding nonces, then iterates over a malicious payload, overwriting the first 192 bytes of /usr/bin/su in the page cache with a small ELF stub that calls setresuid(0,0,0) and executes /bin/sh.

Crucially, the on-disk binary remains completely untouched; only the in-memory page cache is modified.
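Because the tampering lives only in the page cache, a defender can compare what the page cache serves with what is physically on disk. The Python check below is an added example (not from the article or from the V12 team): it hashes a file once through the normal read path and once with O_DIRECT, which bypasses the page cache, and flags any difference. It assumes Linux and a filesystem that honours O_DIRECT; elsewhere it reports "unsupported" rather than guessing.

```python
import hashlib
import mmap
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB; an anonymous mmap of this size is page-aligned, as O_DIRECT requires

def sha256_cached(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # normal read path: served from the page cache
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def sha256_direct(path):
    """Hash the on-disk bytes via O_DIRECT (bypasses the page cache); None if unsupported."""
    flag = getattr(os, "O_DIRECT", None)
    if flag is None:
        return None
    try:
        fd = os.open(path, os.O_RDONLY | flag)
    except OSError:  # e.g. EINVAL from a filesystem without O_DIRECT support
        return None
    h, buf = hashlib.sha256(), mmap.mmap(-1, CHUNK)
    try:
        while (n := os.readv(fd, [buf])) > 0:  # short read only at EOF
            h.update(buf[:n])
    except OSError:
        return None
    finally:
        buf.close()
        os.close(fd)
    return h.hexdigest()

def compare_digests(cached, direct):
    """Pure decision logic, so it can be unit-tested without O_DIRECT."""
    if direct is None:
        return "unsupported"
    return "ok" if cached == direct else "MISMATCH: page cache differs from disk"

def check_file(path):
    return compare_digests(sha256_cached(path), sha256_direct(path))

def selfcheck():
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"\x7fELF constructed sample, not a real binary\n" * 4096)
        f.flush(); os.fsync(f.fileno())  # make sure the direct read sees the same bytes
    try:
        return check_file(f.name)
    finally:
        os.unlink(f.name)
```

A mismatch on a binary that nothing should be writing is the page-cache-only signature described above, so run it against setuid binaries such as /usr/bin/su. A file that is legitimately being written can also mismatch, so treat only read-only system binaries as signal.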

Affected Versions and Mitigation

Every Linux kernel version affected by Dirtyfrag, effectively any kernel before May 13, 2026, is…
