{"id":245820,"date":"2026-05-14T09:00:00","date_gmt":"2026-05-14T13:00:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/14\/new-fragnesia-flaw-hands-linux-local-users-root-access\/"},"modified":"2026-05-14T09:45:08","modified_gmt":"2026-05-14T13:45:08","slug":"new-fragnesia-flaw-hands-linux-local-users-root-access","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/14\/new-fragnesia-flaw-hands-linux-local-users-root-access\/","title":{"rendered":"New Fragnesia Flaw Hands Linux Local Users Root Access"},"content":{"rendered":"<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/fragnesia-linux-kernel-lpe-root\/\">New Fragnesia Flaw Hands Linux Local Users Root Access<\/a><\/p>\n<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/fragnesia-linux-kernel-lpe-root\/\">https:\/\/www.infosecurity-magazine.com\/news\/fragnesia-linux-kernel-lpe-root\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-14 09:00:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.infosecurity-magazine.com\">www.infosecurity-magazine.com<\/a><\/p>\n<p>A new variant in the Dirty Frag family of Linux local privilege escalation flaws has surfaced, the third root-level Linux kernel bug disclosed in three weeks.<\/p>\n<p>According to new analysis from cloud security firm Wiz, the vulnerability, dubbed Fragnesia and tracked as CVE-2026-46300, was discovered by William Bowling of Zellic and the V12 team. A working proof-of-concept (PoC) exploit was published alongside the disclosure on May 13.<\/p>\n<p>The flaw affects all Linux kernels released before that date and allows unprivileged local users to gain root by writing arbitrary bytes into the kernel page cache of read-only files.<\/p>\n<h2><strong>Page Cache Corruption via ESP Decryption<\/strong><\/h2>\n<p>The flaw lives in how the kernel tracks shared page fragments when it merges socket buffers. Under the right sequence of operations, that bookkeeping fails and the kernel loses sight of which memory pages are backed by external files.<\/p>\n<p>An attacker can engineer that confusion by feeding file contents into a TCP socket and then enabling ESP-in-TCP encryption on the same socket after the fact. The kernel then proceeds to decrypt the queued bytes directly over the cached file pages, with the AES-GCM keystream producing controlled overwrites in memory.<\/p>\n<p>In the PoC released by Bowling, the technique was used to rewrite the opening bytes of \/usr\/bin\/su with a short payload that drops to a root shell. Because the change is made only to the kernel&#8217;s in-memory copy of the binary, the on-disk file remains untouched and the tampering leaves no trace for standard disk forensics.<\/p>\n<p>Read more on Linux kernel flaws: CrackArmor Flaws Expose Linux Systems to Privilege Escalation<\/p>\n<h2><strong>A Side Effect of the Dirty Frag Patch<\/strong><\/h2>\n<p>Bowling described Fragnesia as a &#8220;separate bug in the ESP\/XFRM from dirtyfrag&#8221; that lives in the same kernel attack surface. Hyunwoo Kim, the researcher behind Dirty Frag,\u00a0said the new flaw emerged as an unintended side effect of one of the patches addressing his original vulnerabilities.<\/p>\n<p>The disclosure follows&#8230;<\/p>\n<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/fragnesia-linux-kernel-lpe-root\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New Fragnesia Flaw Hands Linux Local Users Root Access https:\/\/www.infosecurity-magazine.com\/news\/fragnesia-linux-kernel-lpe-root\/ Publish Date: 2026-05-14 09:00:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":245821,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/assets.infosecurity-magazine.com\/webpage\/og\/8a96e139-dd60-4ce0-ae8d-30117025515a.jpg","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[90,31,89,71,57,27],"class_list":["post-245820","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-cve","tag-exploit","tag-flaw","tag-linux","tag-security","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/245820"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=245820"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/245820\/revisions"}],"predecessor-version":[{"id":245823,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/245820\/revisions\/245823"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/245821"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=245820"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=245820"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=245820"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}