
SC Media | Critical Vulnerabilities

New Linux privilege escalation flaw ‘Fragnesia’ disclosed; PoC available

The "Fragnesia" vulnerability (CVE-2026-46300) is a local privilege escalation flaw in the Linux kernel's XFRM ESP-in-TCP subsystem, allowing an attacker to write arbitrary bytes to the kernel page cache of read-only files, such as overwriting `/usr/bin/su` to gain a root shell. The article does not provide a CVSS score or specific affected and fixed kernel version numbers. A temporary mitigation for unpatched systems is to remove the affected `esp4`, `esp6`, and `rxrpc` kernel modules.

By Laura French, SC Media, May 15, 2026 (Vulnerability Management, Patch/Configuration Management)

Linux kernel maintainers patched a new local privilege escalation (LPE) flaw dubbed "Fragnesia" on Wednesday, with a proof-of-concept (PoC) exploit published by researchers. Fragnesia, tracked as CVE-2026-46300, falls within the same vulnerability class as "Dirty Frag," said V12 Security researchers. Dirty Frag is a pair of LPE flaws affecting the Linux kernel, tracked as CVE-2026-43284 and CVE-2026-43500, disclosed last week. The latest flaw was discovered by V12 team member William Bowling using the V12 AI agent.

A logic bug exists in the Linux XFRM ESP-in-TCP subsystem that could allow a low-privileged local attacker to write arbitrary bytes to the kernel page cache of read-only files and ultimately achieve root privileges. The PoC published by V12 Security exploits the flaw to overwrite the first 192 bytes of /usr/bin/su with an ELF stub that enables them to obtain a root shell upon executing su.

This is due to the Linux kernel processing cached file pages as ESP ciphertext under certain conditions, causing AES-GCM keystream bytes to be XORed directly into the cached file, the researchers explained. The vulnerability can be used to write bytes one at a time, and the attacker can select which bytes to write by matching a specific initialization vector (IV) nonce to its corresponding keystream byte. The attack only modifies the cached version of the targeted file, leaving the on-disk binary unaltered, the researchers said.

All Linux kernel versions before May 13, 2026, are affected by CVE-2026-46300. For systems that cannot be patched immediately, Fragnesia can be mitigated using the same method as Dirty Frag, which temporarily removes the affected modules esp4, esp6 and rxrpc.

The disclosure of Fragnesia, which comes about a week after Dirty Frag's discovery, also comes about two weeks after the disclosure of a Linux kernel LPE flaw called "Copy Fail," tracked as CVE-2026-31431. All three exploits involve arbitrary writes to page-cache data in order to gain root privileges. Copy Fail was added to CISA's Known Exploited Vulnerabilities catalog on May 1, with a remediation deadline of May 15.

"We're seeing a recurring pattern — from Dirty Frag to Copy Fail and now Fragnesia — where attackers are leveraging highly reliable arbitrary kernel write primitives to bypass traditional hardening. When a PoC can consistently overwrite /etc/passwd or hijack su logic, the exploit isn't just a technical curiosity — it's a turnkey solution for full system compromise," Joe Brinkley, head of offensive security research at Cobalt, told SC Media in an email.

Late last month, another LPE flaw affecting Linux systems, dubbed "Pack2TheRoot" and tracked as CVE-2026-41651, was also disclosed. However, Pack2TheRoot involves a different mechanism, a time-of-check time-of-use (TOCTOU) race condition that allows unprivileged users to install packages as root, and affects the PackageKit service rather than the Linux kernel.
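The article's only interim mitigation is to unload the esp4, esp6 and rxrpc modules until a patched kernel is installed. The script below is an added example (not code from SC Media, V12 Security or the Linux kernel project) showing how an administrator can check whether those modules are currently loaded and what module blacklist would keep them from being auto-loaded again. The module list comes from the article; the lsmod sample, the `/etc/modprobe.d/fragnesia-mitigation.conf` file name and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not code from SC Media, V12 Security or the kernel project):
# report whether the modules named in the article's temporary Fragnesia
# mitigation (esp4, esp6, rxrpc) are loaded, and print the modprobe.d
# blacklist an administrator could apply until the kernel is patched.

FRAGNESIA_MODULES="esp4 esp6 rxrpc"

# loaded_affected_modules: read lsmod-style text on stdin and print, one per
# line, the affected module names found in its first column (header skipped).
loaded_affected_modules() {
    awk -v mods="$FRAGNESIA_MODULES" '
        BEGIN { n = split(mods, want, " "); for (i = 1; i <= n; i++) wanted[want[i]] = 1 }
        NR > 1 && ($1 in wanted) { print $1 }
    '
}

# blacklist_stanza: modprobe.d lines that stop the modules from loading again.
# "blacklist" only disables alias-based auto-loading, so an "install ... /bin/false"
# override is added to refuse explicit modprobe requests as well.
blacklist_stanza() {
    for m in $FRAGNESIA_MODULES; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
    done
}

# Constructed lsmod output (sample data for this example), used when the
# script runs somewhere lsmod is not available.
SAMPLE_LSMOD='Module                  Size  Used by
esp4                   20480  0
xfrm_algo              16384  1 esp4
rxrpc                 794624  0
ext4                  983040  1'

main() {
    if command -v lsmod >/dev/null 2>&1; then
        loaded=$(lsmod | loaded_affected_modules)
    else
        echo "lsmod not available; using constructed sample output" >&2
        loaded=$(printf '%s\n' "$SAMPLE_LSMOD" | loaded_affected_modules)
    fi

    if [ -z "$loaded" ]; then
        echo "none of the Fragnesia-related modules are loaded"
        return 0
    fi

    echo "loaded modules named in the Fragnesia mitigation:"
    printf '  %s\n' $loaded
    echo
    echo "to unload them now (run as root):"
    for m in $loaded; do
        echo "  modprobe -r $m"
    done
    echo
    echo "to keep them from reloading, write this to /etc/modprobe.d/fragnesia-mitigation.conf:"
    blacklist_stanza | sed 's/^/  /'
}

main "$@"
```

The script only reports and prints the commands; unloading is left to the operator because `modprobe -r` fails while a module is in use (an active IPsec SA for esp4/esp6, or an AFS mount for rxrpc), and removing these modules disables that functionality on the host for as long as the mitigation is in place. Because the article notes that the on-disk binary is left untouched and only the page-cache copy is altered, the mitigation and the kernel patch are the controls to rely on; a clean disk image is not evidence that the cached copy is intact.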
