How can organizations mitigate the Fragnesia vulnerability?

Organizations should apply the latest kernel patches provided by their Linux distribution vendors to address the Fragnesia vulnerability. If immediate patching is not possible, temporary mitigations include removing the esp4, esp6, and rxrpc kernel modules, though this may disrupt IPsec VPNs and AFS systems.

Is there a proof-of-concept exploit available for Fragnesia?

Yes, security researcher William Bowling has released a proof-of-concept exploit demonstrating the potential impact of the Fragnesia vulnerability.

Fragnesia (CVE-2026-46300): Critical Linux Kernel Privilege Escalation Vulnerability

Q: What is the Fragnesia vulnerability?

Fragnesia (CVE-2026-46300) is a critical flaw in the Linux kernel's XFRM ESP-in-TCP subsystem that allows unprivileged local attackers to gain root privileges by writing arbitrary bytes to the kernel page cache of read-only files.

Learn about the Fragnesia vulnerability in the Linux kernel's XFRM ESP-in-TCP subsystem, its potential impact, and how to mitigate the associated risks.

Published: May 15, 2026

Share this on:

Executive Summary

In May 2026, a critical vulnerability known as Fragnesia (CVE-2026-46300) was discovered in the Linux kernel's XFRM ESP-in-TCP subsystem. This flaw allows unprivileged local attackers to gain root privileges by writing arbitrary bytes to the kernel page cache of read-only files. Security researcher William Bowling identified this issue and released a proof-of-concept exploit demonstrating its potential impact. The vulnerability affects all Linux kernels released before May 13, 2026, and is part of the broader 'Dirty Frag' class of vulnerabilities.

The disclosure of Fragnesia underscores the ongoing challenges in securing the Linux kernel against privilege escalation attacks. With public exploits available and patches being rolled out, organizations must prioritize updating their systems to mitigate potential threats. This incident highlights the importance of proactive vulnerability management and the need for continuous monitoring of emerging security flaws.

Why This Matters Now

The Fragnesia vulnerability (CVE-2026-46300) presents an immediate risk to Linux systems, as it allows local attackers to escalate privileges to root without requiring a race condition. Given the availability of a public proof-of-concept exploit and the widespread use of affected kernels, organizations must urgently apply patches to prevent potential exploitation.

Attack Path Analysis

An attacker exploits the Fragnesia vulnerability (CVE-2026-46300) to gain root privileges on a Linux system. With elevated privileges, the attacker moves laterally across the network, establishes command and control channels, exfiltrates sensitive data, and causes significant operational disruption.

Kill Chain Progression

Initial Compromise

Lowinferred

Privilege Escalation

High

Lateral Movement

Mediuminferred

Command & Control

Mediuminferred

Exfiltration

Mediuminferred

Impact

Mediuminferred

Initial Compromise

Description

The attacker gains initial access to the system, potentially through existing user credentials or other means.

Confidence:

Low

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2026-46300
CVSS 7.8
A logic flaw in the Linux XFRM ESP-in-TCP subsystem allows unprivileged local attackers to gain root privileges by writing arbitrary bytes to the kernel page cache of read-only files.
Affected Products:
Linux Linux Kernel – < 6.5.0
Exploit Status:
proof of concept
References:
https://nvd.nist.gov/vuln/detail/CVE-2026-46300 https://github.com/v12-security/pocs/tree/main/fragnesia https://lists.openwall.net/netdev/2026/05/13/79

MITRE ATT&CK® Techniques

Privilege Escalation

T1068

Exploitation for Privilege Escalation

Privilege Escalation

T1548.001

Abuse Elevation Control Mechanism: Setuid and Setgid

Execution

T1203

Exploitation for Client Execution

Persistence

T1574.002

Hijack Execution Flow: Dynamic Linker Hijacking

Defense Evasion

T1078

Valid Accounts

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Ensure that all system components are protected from known vulnerabilities by installing applicable security patches

Control ID: 7.2.1

The Fragnasia vulnerability exposes systems to unauthorized privilege escalation, violating the requirement to protect system components from known vulnerabilities through timely patching.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The incident indicates a failure to implement and maintain a cybersecurity policy designed to protect information systems from unauthorized access, as required by the regulation.

DORA – ICT Risk Management Framework

Control ID: Article 5

The exploitation of the Fragnasia vulnerability suggests deficiencies in the institution's ICT risk management framework, which should address and mitigate such security risks.

CISA ZTMM 2.0 – Implement strong identity and access management controls

Control ID: Pillar 1: Identity

The vulnerability's exploitation points to weaknesses in identity and access management controls, undermining the zero trust principle of strict access verification.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The incident reveals inadequate implementation of cybersecurity risk management measures, as mandated by the directive to ensure the security of network and information systems.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Information Technology/IT

Critical privilege escalation vulnerability affects all Linux kernels, enabling root access through XFRM ESP-in-TCP subsystem exploitation requiring immediate patching.

Financial Services

Linux-based trading systems and payment platforms vulnerable to root privilege escalation, threatening PCI compliance and enabling unauthorized financial system access.

Health Care / Life Sciences

Medical device infrastructure and patient data systems running Linux vulnerable to privilege escalation, compromising HIPAA compliance and patient privacy.

Government Administration

Federal agencies ordered by CISA to patch within two weeks as Fragnesia joins actively exploited Linux vulnerabilities threatening critical infrastructure.

Sources

New Fragnesia Linux flaw lets attackers gain root privilegeshttps://www.bleepingcomputer.com/news/security/new-fragnesia-linux-flaw-lets-attackers-gain-root-privileges/
Verified

Fragnesia PoC Exploithttps://github.com/v12-security/pocs/tree/main/fragnesia

Verified

Linux Kernel Patch for Fragnesia Vulnerabilityhttps://lists.openwall.net/netdev/2026/05/13/79

Verified

Frequently Asked Questions

Fragnesia (CVE-2026-46300) is a critical flaw in the Linux kernel's XFRM ESP-in-TCP subsystem that allows unprivileged local attackers to gain root privileges by writing arbitrary bytes to the kernel page cache of read-only files.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it could likely limit the attacker's ability to move laterally, establish command and control channels, and exfiltrate data by enforcing strict segmentation and controlled egress policies.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: The attacker's initial access may be constrained by enforcing strict identity verification and access controls, reducing unauthorized entry points.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The attacker's ability to escalate privileges may be limited by enforcing strict segmentation policies that isolate critical systems and restrict access.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The attacker's lateral movement may be constrained by monitoring and controlling east-west traffic, reducing the ability to access other systems.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The attacker's command and control channels may be limited by enforcing visibility and control across multicloud environments, reducing unauthorized communications.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: The attacker's data exfiltration efforts may be constrained by enforcing egress security policies, reducing unauthorized data transfers.

Impact (Mitigations)

The attacker's ability to cause operational disruption may be limited by reducing the attack surface and enforcing strict access controls.

Impact at a Glance

Affected Business Functions

System Administration
Security Operations

Operational Disruption

Estimated downtime: 2 days

Financial Impact

Estimated loss: $50,000

Data Exposure

Potential exposure of system configuration files and sensitive security data.

Recommended Actions

• Apply kernel patches addressing CVE-2026-46300 promptly to mitigate the Fragnesia vulnerability.
• Implement Zero Trust Segmentation to restrict lateral movement and limit the attacker's ability to compromise additional systems.
• Enhance East-West Traffic Security to monitor and control internal network communications, detecting unauthorized lateral movement.
• Deploy Threat Detection & Anomaly Response mechanisms to identify and respond to unusual activities indicative of privilege escalation or data exfiltration.
• Regularly review and update security policies and controls to address emerging threats and vulnerabilities.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Fragnesia (CVE-2026-46300): Critical Linux Kernel Privilege Escalation Vulnerability

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2026-46300

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Exploitation for Privilege Escalation

Abuse Elevation Control Mechanism: Setuid and Setgid

Exploitation for Client Execution

Hijack Execution Flow: Dynamic Linker Hijacking

Valid Accounts

Potential Compliance Exposure

PCI DSS 4.0 – Ensure that all system components are protected from known vulnerabilities by installing applicable security patches

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Implement strong identity and access management controls

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Information Technology/IT

Financial Services

Health Care / Life Sciences

Government Administration

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads