Fragnesia, a new Linux kernel flaw tracked as CVE-2026-46300, could let local attackers gain root access through page cache corruption.Researchers disclosed a new Linux kernel privilege escalation vulnerability named Fragnesia, tracked as CVE-2026-46300 (CVSS score of 7.8). The flaw affects the XFRM ESP-in-TCP subsystem and could allow local attackers to gain full root access by corrupting the kernel page cache. Security experts warn that the issue is dangerous because attackers with low privileges can modify read-only files in memory and take complete control of vulnerable systems. The vulnerability was discovered by William Bowling of the V12 security team, while Wiz published a detailed technical analysis.“The vulnerability allows unprivileged local attackers to modify read-only file contents in the kernel page cache.” reads the report published by Wiz. “Attackers can then achieve root privileges through deterministic page-cache corruption.”Fragnesia shares similarities with earlier Linux privilege escalation flaws, such as Dirty Frag and Copy Fail. According to researchers, the bug can reliably provide root access on major Linux distributions without requiring race conditions or complicated timing attacks.“This is a separate bug from Dirty Frag, but it affects the same attack surface.” contibyes the report. “The mitigation strategy is also largely the same.”Researchers explained that the vulnerability abuses a logic flaw inside the ESP/XFRM networking subsystem, allowing arbitrary writes into the page cache memory of protected files such as /usr/bin/su.“Fragnesia exploits a logic flaw in the Linux XFRM ESP-in-TCP implementation, specifically involving improper handling of shared page fragments during skb coalescing.” states the report. “The exploit abuses a scenario where file-backed pages are spliced into a TCP receive queue before the socket transitions into espintcp ULP mode. Once ESP processing is enabled, the kernel decrypts the queued data in-place, causing controlled corruption of the underlying page cache through AES-GCM keystream manipulation.”Several Linux vendors have already released advisories and security updates, including Debian, Ubuntu, Red Hat, SUSE, Amazon Linux, AlmaLinux, and Gentoo. A proof-of-concept exploit has also been released publicly, increasing concerns that attackers may quickly weaponize the flaw.“Unlike Dirty Frag, no host-level privileges are required before exploitation.” Wiz says. “AppArmor restrictions may only provide partial mitigation.”Microsoft and other security teams urged organizations to apply available patches as soon as possible. For systems that cannot immediately be updated, experts recommend disabling unnecessary XFRM/IPsec functionality, limiting local shell access, hardening container environments, and increasing monitoring for suspicious privilege escalation attempts.No evidence suggests attackers have exploited the vulnerability in real-world attacks so far. Organizations are recommended to patch affected systems immediately to reduce the risk of compromise.Follow me on Twitter: @securityaffairs and Facebook and MastodonPierluigi Paganini(SecurityAffairs – hacking, Linux Fragnesia)