A new variant in the Dirty Frag family of Linux local privilege escalation flaws has surfaced, the third root-level Linux kernel bug disclosed in three weeks.
According to new analysis from cloud security firm Wiz, the vulnerability, dubbed Fragnesia and tracked as CVE-2026-46300, was discovered by William Bowling of Zellic and the V12 team. A working proof-of-concept (PoC) exploit was published alongside the disclosure on May 13.
The flaw affects all Linux kernels released before that date and allows unprivileged local users to gain root by writing arbitrary bytes into the kernel page cache of read-only files.
Page Cache Corruption via ESP Decryption
The flaw lives in how the kernel tracks shared page fragments when it merges socket buffers. Under the right sequence of operations, that bookkeeping fails and the kernel loses sight of which memory pages are backed by external files.
An attacker can engineer that confusion by feeding file contents into a TCP socket and then enabling ESP-in-TCP encryption on the same socket after the fact. The kernel then proceeds to decrypt the queued bytes directly over the cached file pages, with the AES-GCM keystream producing controlled overwrites in memory.
In the PoC released by Bowling, the technique was used to rewrite the opening bytes of /usr/bin/su with a short payload that drops to a root shell. Because the change is made only to the kernel’s in-memory copy of the binary, the on-disk file remains untouched and the tampering leaves no trace for standard disk forensics.
Read more on Linux kernel flaws: CrackArmor Flaws Expose Linux Systems to Privilege Escalation
A Side Effect of the Dirty Frag Patch
Bowling described Fragnesia as a “separate bug in the ESP/XFRM from dirtyfrag” that lives in the same kernel attack surface. Hyunwoo Kim, the researcher behind Dirty Frag, said the new flaw emerged as an unintended side effect of one of the patches addressing his original vulnerabilities.
The disclosure follows two other Linux kernel local privilege escalation flaws disclosed in recent weeks, Copy Fail (CVE-2026-31431) on April 29 and Dirty Frag (CVE-2026-43284 and CVE-2026-43500) on May 7.
A candidate upstream fix was submitted to the netdev mailing list on May 13 and had not been merged into the mainline kernel at the time of publication. However, several Linux distributions have begun shipping their own backported patches.
Fragnesia uses the same esp4, esp6 and rxrpc kernel modules as Dirty Frag, meaning administrators who already disabled those modules as an interim defense against Dirty Frag are covered for Fragnesia as well until patched kernels are available.
Restricting unprivileged user namespaces and monitoring for suspicious namespace creation or XFRM manipulation are also recommended interim steps.
