Fragnesia Is Yet Another Dirty Frag Style Linux Kernel Exploit

Fragnesia exposes another Linux kernel page-cache attack path, allowing local root escalation through ESP handling.

Yes, we’re starting to get used to it: three critical kernel vulnerabilities have been discovered in just two weeks. After the Copy Fail and Dirty Frag exploits, a new local Linux privilege escalation exploit named Fragnesia (CVE-2026-46300) has been published by V12 Security, exposing another page-cache corruption path in the Linux kernel’s networking stack.

William Bowling and the V12 team discovered the exploit, which is distinct from Dirty Frag but falls within the same vulnerability class and affects a similar kernel area. The proof of concept shows that Fragnesia exploits a logic flaw in Linux’s XFRM ESP-in-TCP subsystem to perform arbitrary byte writes into the kernel page cache of read-only files.

The vulnerability arises from how the kernel manages shared socket buffer fragments during TCP receive coalescing. According to a patch posted to the netdev mailing list, skb_try_coalesce() can transfer page-backed fragments between socket buffers and lose the SKBFL_SHARED_FRAG marker.

As a result, ESP input code may incorrectly treat these fragments as safe for in-place decryption, even when they are backed by the page cache.

This behavior enables Fragnesia to corrupt cached file pages without altering the file on disk. The proof of concept targets /usr/bin/su, overwriting part of the binary in memory with a stub that spawns a root shell.

Because the change is limited to the page cache, the on-disk binary remains unchanged, but subsequent executions of su may use the modified cached version until the cache is cleared or the system is rebooted.

According to V12 Security, the exploit does not require a race condition. Instead, it relies on first splicing data from a file into a TCP receive queue, then switching the socket into espintcp ULP mode. The kernel processes the queued file-backed pages as ESP ciphertext, allowing controlled byte changes within the cached file page.

The Fragnesia repository identifies affected systems as those vulnerable to Dirty Frag and any Linux kernels lacking the May 13, 2026, netdev patch. The authors confirmed the exploit on Ubuntu’s 6.8.0-111-generic kernel.

Until patched kernels are released, the recommended mitigation is to disable the affected ESP and RXRPC modules if they are not required. According to the Fragnesia advisory, this includes esp4, esp6, and rxrpc.
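
One way to check that mitigation on a host is sketched below. It is an added example, not code from the Fragnesia advisory or repository. It assumes the modules are disabled with modprobe.d `install` rules, and the sample file contents and the `fragnesia.conf` name are constructed.

```shell
#!/bin/sh
# Added example: audit whether esp4, esp6 and rxrpc are loaded or still loadable.
MODS="esp4 esp6 rxrpc"

# is_loaded MODULE MODULES_FILE: true if MODULE is listed in a
# /proc/modules-format file (first column only, not the "used by" column).
is_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2" 2>/dev/null
}

# is_blocked MODULE CONF_DIR: true if a *.conf file maps the module's install
# command to a false/true binary, so modprobe cannot load it. A "blacklist"
# line alone is not counted: it only stops alias-based autoloading.
is_blocked() {
    for f in "$2"/*.conf; do
        [ -f "$f" ] || continue
        awk -v m="$1" '$1 == "install" && $2 == m && $3 ~ /\/(false|true)$/ { found = 1 }
            END { exit !found }' "$f" && return 0
    done
    return 1
}

# audit MODULES_FILE CONF_DIR: print one status line per module and return
# the number of modules that are loaded or could still be loaded.
audit() {
    findings=0
    for m in $MODS; do
        if is_loaded "$m" "$1"; then
            echo "$m: LOADED (unload it if unused, then block it)"
        elif is_blocked "$m" "$2"; then
            echo "$m: blocked"
            continue
        else
            echo "$m: not loaded, but no install rule blocks it"
        fi
        findings=$((findings + 1))
    done
    return "$findings"
}

# Constructed sample input: esp4 loaded, esp6 blocked, rxrpc only blacklisted.
demo_dir=$(mktemp -d)
printf 'esp4 28672 0 - Live 0x0\nxfrm_algo 16384 1 esp4, Live 0x0\n' > "$demo_dir/modules"
printf 'install esp6 /bin/false\nblacklist rxrpc\n' > "$demo_dir/fragnesia.conf"
audit "$demo_dir/modules" "$demo_dir" || echo "findings: $?"
rm -rf "$demo_dir"
# On a real host: audit /proc/modules /etc/modprobe.d
```

Modules compiled into the kernel do not appear in /proc/modules and are not affected by modprobe.d rules, so this check only applies where esp4, esp6 and rxrpc are built as loadable modules.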

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.

One comment

  1. spidersssssssssssssssssssssss

    Switch to OpenBSD! Tested, tried, true!
