Fragnesia – Linux Kernel Local Privilege Escalation via XFRM ESP-in-TCP (CVE-2026-46300)
Scope: Linux Kernel (All Distributions – Kernels Released Before May 13, 2026)
Severity: Red
Fragnesia is the third Linux kernel local privilege escalation in the same XFRM/ESP attack surface within two weeks, following Copy Fail (CVE-2026-31431) and Dirty Frag (CVE-2026-43284). A publicly available proof-of-concept overwrites /usr/bin/su in the page cache to spawn a root shell in a single command and requires no race conditions. The underlying flaw in skb_try_coalesce() causes the kernel to drop the SKBFL_SHARED_FRAG marker when coalescing socket buffers. This allows the XFRM ESP-in-TCP path to perform in-place AES-GCM decryption directly into page-cache-backed read-only files, which grants any unprivileged local user deterministic, race-free arbitrary byte writes into protected system binaries. Organizations should apply kernel updates released on or after May 13, 2026 from their distribution's security repositories; where immediate patching is not possible, blacklist the esp4, esp6, and rxrpc modules as an interim measure, noting that this breaks kernel-mode IPsec tunnels.
The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.
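One way to verify the interim mitigation described above is sketched below as an added example; it is not part of the original advisory. The function names, the file name fragnesia.conf and the demo data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit the interim mitigation: esp4, esp6 and rxrpc blocked and not loaded.
MODULES="esp4 esp6 rxrpc"

# is_loaded MODULE MODULES_FILE: 0 if MODULE is listed (format of /proc/modules).
is_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2"
}

# is_blocked MODULE DIR: 0 if a *.conf in DIR has "blacklist MODULE" (stops
# alias-based autoloading) or "install MODULE /bin/false" (also stops loading by name).
is_blocked() {
    for f in "$2"/*.conf; do
        [ -f "$f" ] || continue
        awk -v m="$1" '
            $1 ~ /^#/ { next }
            $1 == "blacklist" && $2 == m { hit = 1 }
            $1 == "install" && $2 == m && $3 ~ /^\/(usr\/)?bin\/(false|true)$/ { hit = 1 }
            END { exit !hit }' "$f" && return 0
    done
    return 1
}

# audit DIR MODULES_FILE: one status line per module; exit status is the
# number of modules that are loaded or not blocked (0 means mitigation in place).
audit() {
    bad=0
    for m in $MODULES; do
        state=ok
        is_blocked "$m" "$1" || state=not-blocked
        is_loaded "$m" "$2" && state=loaded
        [ "$state" = ok ] || bad=$((bad + 1))
        printf '%-6s %s\n' "$m" "$state"
    done
    return "$bad"
}

# Constructed sample data (not from a real host): esp4 and rxrpc are blocked,
# esp6 is still loaded and has no entry. fragnesia.conf is a hypothetical name.
demo() {
    d=$(mktemp -d)
    printf 'blacklist esp4\ninstall rxrpc /bin/false\n' > "$d/fragnesia.conf"
    printf 'esp6 20480 0 - Live 0x0\n' > "$d/modules"
    audit "$d" "$d/modules"; rc=$?
    rm -rf "$d"
    return "$rc"
}
```

On a real host, run `audit /etc/modprobe.d /proc/modules` and repeat for other modprobe.d directories such as /usr/lib/modprobe.d. A blacklist entry does not unload a module that is already loaded, which is why the loaded state is reported separately.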