CVE-2026-46300
published 2026-05-23
Priority P3 · 54 · high · 7.8 CVSS 3.1
AV:L AC:L PR:L UI:N S:U C:H I:H A:H
EXPLOIT
EPSS 3.66% (88.2th percentile)
In the Linux kernel, the following vulnerability has been resolved:
net: skbuff: preserve shared-frag marker during coalescing
skb_try_coalesce() can attach paged frags from @from to @to. If @from
has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same
externally-owned or page-cache-backed frags, but the shared-frag marker
is currently lost.
That breaks the invariant relied on by later in-place writers. In
particular, ESP input checks skb_has_shared_frag() before deciding
whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP
receive coalescing has moved shared frags into an unmarked skb, ESP can
see skb_has_shared_frag() as false and decrypt in place over page-cache
backed frags.
Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged
frags. The tailroom copy path does not need the marker because it copies
bytes into @to's linear data rather than transferring frag descriptors.
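A simplified userspace model of the invariant described above, added here as an illustration; it is not kernel code and not part of the patch. The `model_*` types and functions, the XOR stand-in for decryption and the numeric value given to `SKBFL_SHARED_FRAG` are assumptions of the model.

```c
/* Userspace model of the shared-frag invariant; not kernel code.
 * All model_* names and the flag's numeric value are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SKBFL_SHARED_FRAG 0x2u /* name from the advisory, value chosen here */
#define MODEL_MAX_FRAGS 4

struct model_frag { uint8_t *page; size_t len; };

struct model_skb {
    unsigned int flags;
    bool cloned;
    size_t nr_frags;
    struct model_frag frags[MODEL_MAX_FRAGS];
};

/* Nonlinear buffer whose frags are marked as shared with another owner. */
static bool model_has_shared_frag(const struct model_skb *skb)
{
    return skb->nr_frags > 0 && (skb->flags & SKBFL_SHARED_FRAG) != 0;
}

/* Move frag descriptors (not bytes) from @from to @to. With
 * propagate_marker == false this models the pre-fix behaviour. */
static bool model_coalesce(struct model_skb *to, struct model_skb *from,
                           bool propagate_marker)
{
    if (to->nr_frags + from->nr_frags > MODEL_MAX_FRAGS)
        return false;
    memcpy(&to->frags[to->nr_frags], from->frags,
           from->nr_frags * sizeof(from->frags[0]));
    to->nr_frags += from->nr_frags;
    from->nr_frags = 0;
    if (propagate_marker && (from->flags & SKBFL_SHARED_FRAG))
        to->flags |= SKBFL_SHARED_FRAG;
    return true;
}

/* In-place writer: skips the private copy only for an uncloned buffer
 * with no shared frags. Returns 0 (in place), 1 (copied), -1 (no room). */
static int model_transform(struct model_skb *skb, uint8_t *priv, size_t priv_len)
{
    bool in_place = !skb->cloned && !model_has_shared_frag(skb);
    size_t off = 0, need = 0;

    for (size_t i = 0; i < skb->nr_frags; i++)
        need += skb->frags[i].len;
    if (!in_place && need > priv_len)
        return -1;

    for (size_t i = 0; i < skb->nr_frags; i++) {
        struct model_frag *f = &skb->frags[i];
        if (!in_place) {             /* copy-before-write path */
            memcpy(priv + off, f->page, f->len);
            f->page = priv + off;
            off += f->len;
        }
        for (size_t j = 0; j < f->len; j++)
            f->page[j] ^= 0x5a;      /* XOR stands in for decryption */
    }
    if (!in_place)
        skb->flags &= ~SKBFL_SHARED_FRAG; /* frags are now private */
    return in_place ? 0 : 1;
}

/* Returns true if the simulated page-cache page was overwritten. */
static bool model_page_cache_modified(bool propagate_marker)
{
    uint8_t page_cache[16], original[16], own_page[16], priv[64];
    memset(page_cache, 'A', sizeof(page_cache)); /* constructed sample data */
    memcpy(original, page_cache, sizeof(original));
    memset(own_page, 'B', sizeof(own_page));

    struct model_skb to = { .nr_frags = 1,
                            .frags = { { own_page, sizeof(own_page) } } };
    struct model_skb from = { .flags = SKBFL_SHARED_FRAG, .nr_frags = 1,
                              .frags = { { page_cache, sizeof(page_cache) } } };

    if (!model_coalesce(&to, &from, propagate_marker))
        return false;
    if (model_transform(&to, priv, sizeof(priv)) < 0)
        return false;
    return memcmp(page_cache, original, sizeof(original)) != 0;
}

int main(void)
{
    printf("marker dropped:    page cache modified = %d\n",
           model_page_cache_modified(false));
    printf("marker propagated: page cache modified = %d\n",
           model_page_cache_modified(true));
    return 0;
}
```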
Affected
66 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux | — | — |
| linux | linux | >= cef401de7be8c4e155c6746bfccf721a4fa5fab9 < 3599e6b3cc1ada96883d496a50a210d3afbb6987 | 3599e6b3cc1ada96883d496a50a210d3afbb6987 |
| linux | linux | >= cef401de7be8c4e155c6746bfccf721a4fa5fab9 < 2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c | 2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c |
| linux | linux | >= cef401de7be8c4e155c6746bfccf721a4fa5fab9 < 9d3e5fd19fe1063bf607219e8562fbd567b8e8d5 | 9d3e5fd19fe1063bf607219e8562fbd567b8e8d5 |
| linux | linux | >= cef401de7be8c4e155c6746bfccf721a4fa5fab9 < 78bf6b6bb19541d19fbda6242e7cfe2c682763c0 | 78bf6b6bb19541d19fbda6242e7cfe2c682763c0 |
| linux | linux | >= cef401de7be8c4e155c6746bfccf721a4fa5fab9 < 760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e | 760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e |
| linux | linux | >= cef401de7be8c4e155c6746bfccf721a4fa5fab9 < 3bd9e113d50034db99d7ef69fd8e5242d15e414a | 3bd9e113d50034db99d7ef69fd8e5242d15e414a |
| linux | linux | >= cef401de7be8c4e155c6746bfccf721a4fa5fab9 < 3884358a9286b17f389a72b1426fc4547c23c111 | 3884358a9286b17f389a72b1426fc4547c23c111 |
| linux | linux | >= cef401de7be8c4e155c6746bfccf721a4fa5fab9 < f84eca5817390257cef78013d0112481c503b4a3 | f84eca5817390257cef78013d0112481c503b4a3 |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | 3.9 – 5.10.257 | — |
| linux | linux_kernel | >= 5.11 < 5.15.208 | 5.15.208 |
| linux | linux_kernel | >= 5.16 < 6.1.174 | 6.1.174 |
| linux | linux_kernel | >= 6.13 < 6.18.33 | 6.18.33 |
| linux | linux_kernel | >= 6.19 < 7.0.10 | 7.0.10 |
| linux | linux_kernel | >= 6.2 < 6.6.141 | 6.6.141 |
| linux | linux_kernel | >= 6.7 < 6.12.91 | 6.12.91 |
| ubuntu | linux | — | — |
| ubuntu | linux-aws | — | — |
| ubuntu | linux-aws-5.15 | — | — |
| ubuntu | linux-aws-6.17 | — | — |
CVSS provenance
nvd · v3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_ubuntu · 8.8 HIGH
vendor_redhat · 7.8 HIGH
Ubuntu
Linux kernel (Azure) vulnerabilities
vendor_ubuntu·2026-06-22·CVSS 8.8
CVE-2026-43284 [HIGH] Linux kernel (Azure) vulnerabilities
Title: Linux kernel (Azure) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500, CVE-2026-45998, CVE-2026-46000)
It was discovered that a logic flaw existed in the XFRM ESP-in-TCP
subsystem in the Linux kernel when handling socket buffer fragments. This
flaw is known as Fragnesia. A local attacker could use this to escalate
privileges, or possibly escape a container.
Ubuntu
Linux kernel (Oracle) vulnerabilities
vendor_ubuntu·2026-06-22·CVSS 7.8
CVE-2026-43284 [HIGH] Linux kernel (Oracle) vulnerabilities
Title: Linux kernel (Oracle) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel algif_aead module did not properly
handle in-place cryptographic operations. This flaw is known as Copy Fail.
A local attacker could use this to escalate privileges, or possibly escape
a container. (CVE-2026-31431)
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500)
It was discovered that a logic f
Ubuntu
Linux kernel (Azure) vulnerabilities
vendor_ubuntu·2026-06-16·CVSS 7.8
CVE-2026-43503 [HIGH] Linux kernel (Azure) vulnerabilities
Title: Linux kernel (Azure) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel algif_aead module did not properly
handle in-place cryptographic operations. This flaw is known as Copy Fail.
A local attacker could use this to escalate privileges, or possibly escape
a container. (CVE-2026-31431)
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500)
It was discovered that a logic fl
Ubuntu
Linux kernel (Azure) vulnerabilities
vendor_ubuntu·2026-06-16·CVSS 6.4
CVE-2026-23262 [MEDIUM] Linux kernel (Azure) vulnerabilities
Title: Linux kernel (Azure) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Josh Eads, Kristoffer Janke, Eduardo Vela Nava, Tavis Ormandy, and Matteo
Rizzo discovered that some AMD Zen processors did not properly verify the
signature of CPU microcode. This flaw is known as EntrySign. A privileged
attacker could possibly use this issue to load malicious CPU
microcode, causing loss of integrity and confidentiality. (CVE-2024-36347)
It was discovered that the Linux kernel algif_aead module did not properly
handle in-place cryptographic operations. This flaw is known as Copy Fail.
A local attacker could use this to escalate privileges, or possibly escape
a container. (CVE-2026-31431)
It was discovered that the Linux kernel did not properly handle share
Ubuntu
Linux kernel (Azure) vulnerabilities
vendor_ubuntu·2026-06-11·CVSS 7.8
CVE-2026-46333 [HIGH] Linux kernel (Azure) vulnerabilities
Title: Linux kernel (Azure) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel algif_aead module did not properly
handle in-place cryptographic operations. This flaw is known as Copy Fail.
A local attacker could use this to escalate privileges, or possibly escape
a container. (CVE-2026-31431)
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500)
It was discovered that a logic fl
Ubuntu
Linux kernel (Azure FIPS) vulnerabilities
vendor_ubuntu·2026-06-04·CVSS 7.8
CVE-2026-23069 [HIGH] Linux kernel (Azure FIPS) vulnerabilities
Title: Linux kernel (Azure FIPS) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel algif_aead module did not properly
handle in-place cryptographic operations. This flaw is known as Copy Fail.
A local attacker could use this to escalate privileges, or possibly escape
a container. (CVE-2026-31431)
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500, CVE-2026-45998, CVE-2026-4600
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2026-06-04·CVSS 8.8
CVE-2026-43284 [HIGH] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500)
It was discovered that a logic flaw existed in the XFRM ESP-in-TCP
subsystem in the Linux kernel when handling socket buffer fragments. This
flaw is known as Fragnesia. A local attacker could use this to escalate
privileges, or possibly escape a container. (CVE-2026-43503,
CVE-2026-46300)
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2026-06-02·CVSS 8.8
CVE-2026-47333 [HIGH] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500, CVE-2026-45998, CVE-2026-46000)
It was discovered that a logic flaw existed in the XFRM ESP-in-TCP
subsystem in the Linux kernel when handling socket buffer fragments. This
flaw is known as Fragnesia. A local attacker could use this to escalate
privileges, or possibly escape a container. (CVE-202
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2026-06-02·CVSS 7.8
CVE-2025-71134 [HIGH] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel algif_aead module did not properly
handle in-place cryptographic operations. This flaw is known as Copy Fail.
A local attacker could use this to escalate privileges, or possibly escape
a container. (CVE-2026-31431)
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500, CVE-2026-45998, CVE-2026-46000)
It was di
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2026-06-02·CVSS 8.8
CVE-2026-46300 [HIGH] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the Linux kernel did not properly handle shared page
fragments during socket buffer operations, collectively known as Dirty
Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the
RxRPC networking subsystem when processing paged fragments. A local
attacker could use this to escalate privileges, or possibly escape a
container. (CVE-2026-43284, CVE-2026-43500, CVE-2026-45998, CVE-2026-46000)
It was discovered that a logic flaw existed in the XFRM ESP-in-TCP
subsystem in the Linux kernel when handling socket buffer fragments. This
flaw is known as Fragnesia. A local attacker could use this to escalate
privileges, or possibly escape a container. (CVE-202
Red Hat
kernel: "Fragnesia" is a variant of Dirty Frag vulnerability in the ESP/XFRM leading to Local Privilege Escalation (LPE) vulnerability in the Linux kernel
vendor_redhat·2026-05-13·CVSS 7.8
CVE-2026-46300 [HIGH] CWE-123 kernel: "Fragnesia" is a variant of Dirty Frag vulnerability in the ESP/XFRM leading to Local Privilege Escalation (LPE) vulnerability in the Linux kernel
A flaw was found in the Linux kernel's XFRM ESP-in-TCP subsystem. This vulnerability, known as Fragnesia, allows a local attacker to achieve arbitrary byte writes into the kernel page cache of read-only files.
Statement: This is an Important local privilege escalation flaw in the Linux kernel's XFRM ESP-in-TCP subsystem. An unprivileged local attacker can exploit a page-cache corruption vulnerability to gain root privileges by overwriting sensitive system files.
Mitigation: See the security bulletin for a detailed mitigation procedure
Package: kernel (Red Hat Enterprise Linux 10) - Affected
Package: kernel (Red Hat Enterprise Linux
Kernel
xfrm: iptfs: preserve shared-frag marker in iptfs_consume_frags()
kernel_security·2026-05-26·CVSS 7.8
CVE-2026-46300 [HIGH] xfrm: iptfs: preserve shared-frag marker in iptfs_consume_frags()
iptfs_consume_frags() transfers paged fragments from one socket buffer
to another but fails to propagate the SKBFL_SHARED_FRAG flag. This is
the same class of bug that was fixed in skb_try_coalesce() for
CVE-2026-46300: when fragments backed by read-only page-cache pages are
merged, the marker indicating their shared nature must be preserved so
that ESP can decide correctly whether in-place encryption is safe.
Apply the same two-line fix used in skb_try_coalesce() to
iptfs_consume_frags().
Fixes: b96ba312e21c ("xfrm: iptfs: share page fragments of inner packets")
Cc: [email protected] # 6.14+
Signed-off-by: Takao Sato
Signed-off-by: Steffen Klassert
GHSA
GHSA-47jg-vqrv-5f8v: In the Linux kernel, the following vulnerability has been resolved:
net: skbuff: preserve shared-frag marker during coalescing
skb_try_coalesce() ca
ghsa_unreviewed·2026-05-26
CVE-2026-46300 [HIGH] CWE-787 GHSA-47jg-vqrv-5f8v: In the Linux kernel, the following vulnerability has been resolved:
net: skbuff: preserve shared-frag marker during coalescing
skb_try_coalesce() ca
CVEList
net: skbuff: preserve shared-frag marker during coalescing
cvelistv5·2026-05-23
CVE-2026-46300 net: skbuff: preserve shared-frag marker during coalescing
No detection rules found.
Hackernews
New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root via Cloned Packets
blogs_hackernews·2026-06-26·CVSS 8.8
CVE-2026-43503 [HIGH] New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root via Cloned Packets
## New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root via Cloned Packets
DirtyClone is a new Linux kernel privilege escalation in the DirtyFrag family. JFrog Security Research published a working exploit walkthrough for the flaw on June 25, the first public demonstration for this variant.
Tracked as CVE-2026-43503 (CVSS 8.8), it lets a local user corrupt file-backed memory through a cloned network packet and gain root. The patch landed in mainline on May 21; if your kernel does not have it, update now.
When the kernel copies a network packet internally, two helper functions drop a safety flag that marks the packet's m
Hackernews
DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability
blogs_hackernews·2026-05-19·CVSS 7.5
CVE-2026-31635 [HIGH] DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability
## DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability
Proof-of-concept (PoC) exploit code has now been released for a recently patched security flaw in the Linux kernel that could allow for local privilege escalation (LPE).
Dubbed DirtyDecrypt (aka DirtyCBC), the vulnerability was discovered and reported by the Zellic and V12 security team on May 9, 2026, only to be informed by the maintainers that it was a duplicate of a vulnerability that had already been patched in the mainline.
"It's a rxgk pagecache write due to missing COW [copy-on-write] guard in rxgk_decrypt_skb," Zellic co-founder Luna Tong (a
Tenable
Key findings from the Verizon DBIR 2026: Slower vulnerability remediation meets faster exploitation
blogs_tenable·2026-05-19
CVE-2026-46300 Key findings from the Verizon DBIR 2026: Slower vulnerability remediation meets faster exploitation
## Key findings from the Verizon DBIR 2026: Slower vulnerability remediation meets faster exploitation
The 2026 Verizon Data Breach Investigations Report (DBIR) reveals a troubling trend: vulnerability exploitation has surged to become the number one initial access vector while remediation rates ha
Hackernews
⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More
blogs_hackernews·2026-05-18·CVSS 6.1
CVE-2026-42897 [MEDIUM] ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More
## ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More
Monday opens with a trust problem. A mail server flaw is under active use. A network control system was targeted. Trusted packages were poisoned. A fake model page pushed a stealer. Then came the familiar ransom claim: the data was returned and deleted.
The pattern is clear. One weak dependency can leak keys. One leaked key can open cloud access. One cloud foothold can become a production incident. AI is speeding up vulnerability discovery, attackers are moving quickly, and old exposure still keeps paying off.
Patch the quiet risks first. Let’s g
Tenable
Frequently asked questions about the continued exploitation of Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20182)
blogs_tenable·2026-05-14·CVSS 10.0
CVE-2026-20182 [CRITICAL] Frequently asked questions about the continued exploitation of Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20182)
## Frequently asked questions about the continued exploitation of Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20182)
Multiple critical authentication bypass vulnerabilities in Cisco Catalyst SD-WAN Controller and Manager are under active exploitation by multiple threat clusters, including CVE-2
Hackernews
New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption
blogs_hackernews·2026-05-14
CVE-2026-46300 New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption
## New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption
Details have emerged about a new variant of the recent Dirty Frag Linux local privilege escalation (LPE) vulnerability that allows local attackers to gain root access, making it the third such bug to be identified in the kernel within a span of two weeks.
Codenamed Fragnesia, the security vulnerability is tracked as CVE-2026-46300 (CVSS score: 7.8) and is rooted in the Linux kernel's XFRM ESP-in-TCP subsystem. It was discovered by researcher William Bowling of the V12 security team.
"The vulnerability allows unprivileged local attackers to modify r
Huntress
Panic at the Distro
blogs_huntress·2026-05-14·CVSS 7.8
CVE-2026-31431 [HIGH] Panic at the Distro
Acknowledgments: Special thanks to Jamie Levy, Tom Lawrence, Jim Deville, Tyler Bohlmann, and Shivangi Pandey for their contributions to this write-up.
## TL;DR
It’s never a good day for administrators when a branded vulnerability drops, especially when multiple of them land in rapid fire. Over the last two weeks, security researchers independently discovered multiple vulnerabilities in the Linux kernel that allow an unprivileged user to easily gain root access (local privilege escalation). All of these named vulnerabilities pertain to the Linux kernel’s zero-copy functionality, and are named CopyFail (CVE-2026-31431), Dirty Frag (CVE-2026-43284 and CVE-2026-43500), and Fragnesia (CVE-2026-46300).
While these vulnerabilities require an attacker to have established access on a victim mac
Bleepingcomputer
New Fragnesia Linux flaw lets attackers gain root privileges
blogs_bleepingcomputer·2026-05-14·CVSS 8.8
CVE-2026-46300 [HIGH] New Fragnesia Linux flaw lets attackers gain root privileges
## New Fragnesia Linux flaw lets attackers gain root privileges
## Sergiu Gatlan
Linux distros are rolling out patches for a new high-severity kernel privilege escalation vulnerability that allows attackers to run malicious code as root.
Known as Fragnesia and tracked as CVE-2026-46300, this security flaw stems from a logic bug in the Linux XFRM ESP-in-TCP subsystem that can enable unprivileged local attackers to gain root privileges by writing arbitrary bytes to the kernel page cache of read-only files.
Zellic's head of assurance, William Bowling, who discovered this new universal local privilege escalation flaw, also shared a proof-of-concept (PoC) exploit that achieves a memory-write primitive in the kernel that is used to corrupt the page cache memory of the /usr/bin/su binary to
Tenable
Fragnesia (CVE-2026-46300): Frequently asked questions about new Linux Kernel XFRM ESP-in-TCP privilege escalation
blogs_tenable·2026-05-14
CVE-2026-46300 Fragnesia (CVE-2026-46300): Frequently asked questions about new Linux Kernel XFRM ESP-in-TCP privilege escalation
## Fragnesia (CVE-2026-46300): Frequently asked questions about new Linux Kernel XFRM ESP-in-TCP privilege escalation
A new Linux kernel local privilege escalation exploit with a public proof-of-concept targets the same subsystem as Dirty Frag but requires a separate patch.
## Key Takeaways
CVE
Bugzilla
CVE-2026-46323 kernel: Linux kernel: Use-After-Free in net/gro due to improper handling of zerocopy skbs
bugzilla·2026-05-19·CVSS 7.8
CVE-2026-46323 [HIGH] CVE-2026-46323 kernel: Linux kernel: Use-After-Free in net/gro due to improper handling of zerocopy skbs
In the Linux kernel, the following vulnerability has been resolved:
net: gro: don't merge zcopy skbs
skb_gro_receive() can currently copy frags between the source and GRO
skb, without checking the zerocopy status, and in particular the
SKBFL_MANAGED_FRAG_REFS flag.
When SKBFL_MANAGED_FRAG_REFS is set, the skb doesn't hold a reference
on the pages in shinfo->frags. Appending those frags to another skb's
frags without fixing up the page refcount can lead to UAF.
When either the last skb in the GRO chain (the one we would append
frags to) or the source skb is zerocopy, don't merge the skbs.
This flaw is a variant of Fragnesia (CVE-2026-46300) which targets the same fundamental mechan
Bugzilla
CVE-2026-46300 kernel: "Fragnesia" is a variant of Dirty Frag vulnerability in the ESP/XFRM leading to Local Privilege Escalation (LPE) vulnerability in the Linux kernel
bugzilla·2026-05-13
CVE-2026-46300 [HIGH] CVE-2026-46300 kernel: "Fragnesia" is a variant of Dirty Frag vulnerability in the ESP/XFRM leading to Local Privilege Escalation (LPE) vulnerability in the Linux kernel
Fragnesia is a universal Linux local privilege escalation exploit, discovered by William Bowling with the V12 team. Fragnesia is a member of the Dirty Frag vulnerability class. This is a separate bug in the ESP/XFRM from dirtyfrag which has received its own patch. However, it is in the same surface and the mitigation is the same as for dirtyfrag.
It abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve arbitrary byte writes into the kernel page cache of read-only files, without requiring any race condition.
The technique extends the page-cache write bug class that includes Dirty Pipe: when a TCP socket tr