{"id":247460,"date":"2026-05-13T08:13:00","date_gmt":"2026-05-13T12:13:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/13\/fragnesia-linux-kernel-local-privilege-escalation-via-esp-in-tcp\/"},"modified":"2026-05-17T11:00:19","modified_gmt":"2026-05-17T15:00:19","slug":"fragnesia-linux-kernel-local-privilege-escalation-via-esp-in-tcp","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/13\/fragnesia-linux-kernel-local-privilege-escalation-via-esp-in-tcp\/","title":{"rendered":"Fragnesia: Linux Kernel Local Privilege Escalation via ESP-in-TCP"},"content":{"rendered":"<p><a href=\"https:\/\/www.wiz.io\/blog\/fragnesia-linux-kernel-local-privilege-escalation-via-esp-in-tcp\">Fragnesia: Linux Kernel Local Privilege Escalation via ESP-in-TCP<\/a><\/p>\n<p><a href=\"https:\/\/www.wiz.io\/blog\/fragnesia-linux-kernel-local-privilege-escalation-via-esp-in-tcp\">https:\/\/www.wiz.io\/blog\/fragnesia-linux-kernel-local-privilege-escalation-via-esp-in-tcp<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-13 08:13:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.wiz.io\">www.wiz.io<\/a><\/p>\n<p class=\"\">Researchers have disclosed a new variant in the DirtyFrag family of Linux local privilege escalation (LPE) vulnerabilities, named \u201cFragnesia.\u201d The vulnerability impacts the Linux kernel\u2019s XFRM ESP-in-TCP subsystem. 
The vulnerability allows unprivileged local attackers to modify read-only file contents in the kernel page cache and achieve root privileges through a deterministic page-cache corruption primitive.<\/p>\n<p>Per the researcher who discovered Dirty Frag, Hyunwoo Kim, Fragnesia emerged as an unintended side effect of one of the patches addressing the original Dirty Frag vulnerabilities.<\/p>\n<h2>Technical Details<\/h2>\n<p class=\"\">Fragnesia exploits a logic flaw in the Linux XFRM ESP-in-TCP implementation, specifically involving improper handling of shared page fragments during skb coalescing. The exploit abuses a scenario where file-backed pages are spliced into a TCP receive queue before the socket transitions into espintcp ULP mode. Once ESP processing is enabled, the kernel decrypts the queued data in place, causing controlled corruption of the underlying page cache through AES-GCM keystream manipulation.<\/p>\n<p class=\"\">The exploit uses user and network namespaces to obtain CAP_NET_ADMIN privileges within an isolated namespace, installs a crafted ESP security association through NETLINK_XFRM, and repeatedly triggers controlled single-byte writes into cached file pages. Researchers demonstrated overwriting the first bytes of \/usr\/bin\/su with a small ELF payload that invokes setresuid(0,0,0) and executes \/bin\/sh, resulting in a root shell. The modification exists only in page cache memory and does not alter the on-disk binary. <strong>AppArmor restrictions on unprivileged user namespaces, such as those enabled by default in Ubuntu, may serve as a partial mitigation<\/strong>, requiring additional bypasses for successful exploitation. 
However, unlike DirtyFrag, no host-level privileges are required.\u00a0<\/p>\n<h2>Recommendations<\/h2>\n<ul>\n<li>\n<p class=\"my-0!\">Apply vendor kernel patches that address the underlying XFRM ESP-in-TCP vulnerability as they become&#8230;<\/p>\n<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.wiz.io\/blog\/fragnesia-linux-kernel-local-privilege-escalation-via-esp-in-tcp\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Fragnesia: Linux Kernel Local Privilege Escalation via ESP-in-TCP https:\/\/www.wiz.io\/blog\/fragnesia-linux-kernel-local-privilege-escalation-via-esp-in-tcp Publish Date: 2026-05-13 08:13:00 Source Domain:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":247461,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.datocms-assets.com\/75231\/1778670009-fragnesia.png?fm=webp","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[31,89,71,57,79,27],"class_list":["post-247460","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-exploit","tag-flaw","tag-linux","tag-security","tag-ubuntu","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/247460"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=247460"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/247460\/revisions"}],"predecessor-version":[{"id":247462,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/247460\/revisions\/247462"}],"wp:featuredmedia":[{"embeddab
le":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/247461"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=247460"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=247460"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=247460"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}