**Linux** distributions are releasing patches to address a newly discovered high-severity kernel privilege escalation vulnerability. This flaw allows attackers to execute malicious code with root privileges. ### Fragnasia: A Deep Dive Known as **Fragnasia** and tracked as **CVE-2026-46300**, this security flaw stems from a logic bug within the Linux XFRM ESP-in-TCP subsystem. This vulnerability enables unprivileged local attackers to gain root privileges by writing arbitrary bytes to the kernel page cache of read-only files. The head of assurance at **Zellic**, discovered this new universal local privilege escalation flaw and shared a proof-of-concept (PoC) exploit. The PoC demonstrates how to achieve a memory-write primitive in the kernel, which is then used to corrupt the page cache memory of the `/usr/bin/su` binary, ultimately granting a shell with root privileges on vulnerable systems. This flaw is classified within the **Dirty Frag** vulnerability class, disclosed recently. Like Fragnasia, Dirty Frag has a publicly available PoC exploit that local attackers can leverage to gain root privileges on major Linux distributions. Dirty Frag exploits **CVE-2026-43284** and **CVE-2026-43500**. ### Technical Details "Fragnesia is a member of the Dirty Frag vulnerability class. This is a separate bug in the ESP/XFRM from dirtyfrag which has received [its own patch](https://lists.openwall.net/netdev/2026/05/13/79). However, it is in the same surface and the mitigation is the same as for dirtyfrag," Bowling explained. "It abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve arbitrary byte writes into the kernel page cache of read-only files, without requiring any race condition." html <blockquote data-media-max-width="560"><p lang="en" dir="ltr">another day, another universal linux LPE <a rel="nofollow noopener" href="https://t.co/GANYkAJwZS">https://t.co/GANYkAJwZS</a><a rel="nofollow noopener" href="https://t.co/XfzTsmg7kl">pic.twitter.com/XfzTsmg7kl</a></p> — V12 (@v12sec) </blockquote> ### Mitigation Strategies To protect systems against potential attacks, Linux users are strongly advised to apply kernel updates as soon as possible. For systems where immediate patching is not feasible, the following mitigation, also used for Dirty Frag, can be applied to remove vulnerable kernel modules. However, note that this will disrupt AFS distributed network file systems and IPsec VPNs: rmmod esp4 esp6 rxrpc printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf ### A Wave of Linux Vulnerabilities The disclosure of Fragnasia arrives amidst ongoing patching efforts for "[Copy Fail](https://www.bleepingcomputer.com/tag/copy-fail/)", another privilege escalation vulnerability. The **CISA** has reported that Copy Fail is now actively exploited in the wild. CISA [added](https://www.cisa.gov/news-events/alerts/2026/05/01/cisa-adds-one-known-exploited-vulnerability-catalog) Copy Fail to its [catalog of flaws exploited in attacks](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search=CVE-2026-32202&field_date_added_wrapper=all&field_cve=&sort_by=field_date_added&items_per_page=20&url=) on May 1 and mandated federal agencies to secure their Linux systems within two weeks, by May 15. Copy Fail is tracked as **CVE-2026-32202**. "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," the U.S. cybersecurity agency warned. "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable." In April, Linux distributions patched another root-privilege escalation vulnerability (dubbed Pack2TheRoot) in the **PackageKit** daemon that had remained undetected for a decade.  ## [The Validation Gap: Automated Pentesting Answers One Question. You Need Six.](https://hubs.li/Q048zztN0) Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold. This guide covers the 6 surfaces you actually need to validate. [Download Now](https://hubs.li/Q048zztN0)