A third critical Linux kernel vulnerability, tracked as CVE-2026-46300 and nicknamed “Fragnesia”, was disclosed on 14 May 2026. Discovered by William Bowling of the V12 team, it bypasses the Dirty Frag patch and exploits the same page cache write primitive. Public proof-of-concept code is available and patches have been available since 13 May 2026.
Technical details
The flaw lies in the XFRM ESP-in-TCP subsystem of the Linux kernel, inside the skb_try_coalesce() function.
When this function reattaches paged fragments from one sk_buff to another, it strips the SKBFL_SHARED_FRAG marker, even when the resulting buffer still contains fragments backed by the page cache or externally owned. This breaks the invariant that ESP inbound processing depends on.
Exploitation vector: when a TCP socket switches to espintcp mode after file data has already been spliced into the receive queue, the kernel treats those pending file pages as ESP ciphertext and decrypts them in place. The skb_has_shared_frag() check — which decides whether a non-cloned non-linear skb can bypass skb_cow_data() (copy-on-write) — is thereby circumvented.
An unprivileged local attacker can construct a splice + ULP trigger sequence to turn controlled IV (initialisation vector) values into a deterministic single-byte write primitive against the page cache of any readable file (e.g. /usr/bin/su).
- Type: CWE-269 — improper privilege management
- Vector: local, low complexity, no user interaction
- CVSS v3.1 score: 7.8 (High)
- Full vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Discoverer: William Bowling (V12 team)
Relationship with Dirty Frag
Fragnesia is a new variant of the Dirty Frag class (CVE-2026-43284 / CVE-2026-43500). It demonstrates that the original attack vector was not fully patched — the ESP-in-TCP path suffers from the same invariant break as the ESP-in-UDP and RxRPC paths disclosed on 8 May.
Affected systems
All Linux kernels prior to 13 May 2026 are potentially vulnerable.
| Distribution | Affected versions |
|---|---|
| Ubuntu | 22.04, 24.04 |
| Debian | 11, 12 |
| Red Hat / RHEL | 8, 9 |
| Rocky Linux | 10 |
| AlmaLinux | ELS / FIPS |
| Oracle Linux | 8, 9 (including UEK 7) |
| Amazon Linux | 2, 2023 |
| CloudLinux | Recent versions |
| Fedora, Arch, openSUSE | Recent versions |
Multi-tenant and Kubernetes environments: the container escape threat is particularly critical — this vulnerability allows a compromised workload to escalate to root on the host.
Remediation steps
1. Update the kernel (priority action)
Patched kernels have been available in production repositories since 13 May 2026:
```bash
# Debian / Ubuntu
apt update && apt full-upgrade
# RHEL / Rocky / AlmaLinux / Oracle Linux
dnf clean metadata && dnf upgrade
# Reboot after updating
reboot
```
2. Temporary mitigation
If the patch cannot be applied immediately, disable the ESP-in-TCP module:
```bash
echo "install espintcp /bin/false" > /etc/modprobe.d/disable-fragnesia.conf
```
3. Active monitoring
Enable privilege escalation logging and monitor for unusual access attempts to files such as /usr/bin/su or /etc/passwd from unprivileged processes.
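An added example, not part of the original advisory: a POSIX shell check for the step 2 mitigation. It assumes the module name espintcp used above and takes file paths as parameters (the function names are illustrative). An install override in modprobe.d only affects future loads of a loadable module, so the script also reports when the code is already loaded or compiled into the kernel.

```shell
#!/bin/sh
# Added example: verify the temporary mitigation from step 2.
# All paths are parameters so the checks can run against a copy or a fixture.

# True if a *.conf file in DIR maps "install MODULE" to /bin/false or /bin/true.
# Commented-out lines do not count.
install_blocked() {  # usage: install_blocked MODULE [DIR]
    mod=$1; dir=${2:-/etc/modprobe.d}
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        grep -Eq "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/(false|true)([[:space:]]|\$)" "$f" && return 0
    done
    return 1
}

# True if MODULE appears in a /proc/modules-format file, i.e. it is already
# loaded. An install override does not unload a running module.
module_loaded() {  # usage: module_loaded MODULE [FILE]
    grep -q "^$1 " "${2:-/proc/modules}" 2>/dev/null
}

# True if MODULE is listed in modules.builtin (entries look like
# kernel/<path>/<name>.ko). modprobe.d has no effect on built-in code.
module_builtin() {  # usage: module_builtin MODULE [FILE]
    grep -Eq "/$1\.ko\$" "${2:-/lib/modules/$(uname -r)/modules.builtin}" 2>/dev/null
}

# Prints one of:
#   builtin   - override cannot help, only the patched kernel does
#   loaded    - module is active until it is unloaded or the host reboots
#   blocked   - override in place and module not loaded
#   unblocked - no override found
mitigation_status() {  # usage: mitigation_status MODULE [DIR] [PROC_MODULES] [BUILTIN]
    if module_builtin "$1" "$4"; then echo builtin
    elif module_loaded "$1" "$3"; then echo loaded
    elif install_blocked "$1" "$2"; then echo blocked
    else echo unblocked
    fi
}

# Report the state of the local host.
echo "espintcp: $(mitigation_status espintcp)"
```

Any result other than `blocked` means the host still depends on the kernel update from step 1.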
Heavy Mind managed IT clients
Servers under a Heavy Mind managed IT contract received immediate attention. Patches have been deployed across all affected environments — no action required on your end.
Not a managed IT client?
Heavy Mind can support you on this vulnerability — and beyond:
- Linux server audit: inventory of exposed kernels and verification of mitigations in place
- Patch deployment: controlled kernel update rollout with regression testing
- Monitoring setup: proactive detection of future critical vulnerabilities across your server fleet
Let's talk about your needs and build the right solution together.
Contact us

Sources: NVD CVE-2026-46300 · AlmaLinux — Fragnesia patches released · TuxCare — Fragnesia LPE analysis · Red Hat Security · SOC Prime — Fragnesia technical details