{"id":246305,"date":"2026-05-14T07:09:00","date_gmt":"2026-05-14T11:09:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/14\/another-day-another-local-privilege-escalation-vulnerability-in-linux-meet-fragnesia\/"},"modified":"2026-05-15T00:50:11","modified_gmt":"2026-05-15T04:50:11","slug":"another-day-another-local-privilege-escalation-vulnerability-in-linux-meet-fragnesia","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/14\/another-day-another-local-privilege-escalation-vulnerability-in-linux-meet-fragnesia\/","title":{"rendered":"Another Day, Another Local Privilege Escalation Vulnerability in Linux: Meet Fragnesia"},"content":{"rendered":"

Another Day, Another Local Privilege Escalation Vulnerability in Linux: Meet Fragnesia<\/a><\/p>\n

https:\/\/www.hackster.io\/news\/another-day-another-local-privilege-escalation-vulnerability-in-linux-meet-fragnesia-888a7dbbf644<\/a><\/p>\n

Publish Date: 2026-05-14 07:09:00<\/a><\/p>\n

Source Domain: www.hackster.io<\/a><\/p>\n

Security researcher William Bowling has warned of yet another universal local privilege escalation (LPE) vulnerability in the Linux kernel, dubbed Fragnesia \u2014 the fourth to be publicly disclosed in just two weeks.<\/p>\n

“[Fragnesia] abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve arbitrary byte writes into the kernel page cache of read-only files,” Bowling explains of the flaw, “without requiring any race condition. The core bug is [that] the skb [Socket Buffer] ‘forgets’ that a frag[mented network packet] is shared during coalescing.”<\/p>\n

Dirty Frag strikes again, with the related but distinct Fragnesia local privilege escalation vulnerability. (\ud83d\udcf9: William Bowling)<\/p>\n

Fragnesia is the fourth easily-exploited local privilege escalation vulnerability to have been publicly disclosed in the last two weeks, after <\/span>Copy Fail, and the follow-up Copy Fail 2: Electric Boogaloo, opened the floodgates. While related, as the name implies, to <\/span>Dirty Frag, it’s a distinct bug in and of itself and requires a different patch \u2014 though the same mitigation as used for unpatched Dirty Frag-vulnerable systems applies to Fragnesia too.<\/span><\/p>\n

Like its predecessor, though, it’s only a local vulnerability: it allows anyone who already has access to an affected system to escalate their privileges up to the root, or superuser, level, gaining complete control \u2014 but it can’t be remotely exploited to gain initial access to an otherwise-protected system. That’s likely little comfort given how simple the bug is to exploit, though: a small C program is enough to drop any user into a root shell.<\/p>\n

As distribution maintainers and system vendors begin to release patches, those running unpatched kernels \u2014 any version of Linux released before May 13 2026 \u2014 are advised to apply the same mitigation as for Dirty Frag: remove the affected modules with <\/span>rmmod esp4 esp6 rxrpc and prevent them from loading again with <\/span>printf ‘install esp4 \/bin\/falseninstall esp6 \/bin\/falseninstall rxrpc…<\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Another Day, Another Local Privilege Escalation Vulnerability in Linux: Meet Fragnesia https:\/\/www.hackster.io\/news\/another-day-another-local-privilege-escalation-vulnerability-in-linux-meet-fragnesia-888a7dbbf644 Publish Date: 2026-05-14…<\/p>\n","protected":false},"author":1,"featured_media":246306,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/hackster.imgix.net\/uploads\/attachments\/1957157\/_6yhvFJLhcO.blob?auto=compress%2Cformat&w=600&h=450&fit=min","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[31,89,71,57,27],"class_list":["post-246305","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-exploit","tag-flaw","tag-linux","tag-security","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/246305"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=246305"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/246305\/revisions"}],"predecessor-version":[{"id":246307,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/246305\/revisions\/246307"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/246306"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=246305"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=246305"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=246305"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}