Linux admins reeling from handling last month’s CopyFail and last week’s Dirty Frag kernel vulnerabilities have a new headache to deal with: Fragnesia.“This is a significant vulnerability,” Robert Beggs, head of incident response firm DigitalDefence, told CSO. “It is bypassing traditional filesystem permissions that are present and enforced (for example, ‘file is owned by root’, or ‘file is read-only’) to allow manipulation without touching the disk.”Similar to Dirty Frag, Fragnesia (CVE-2026-46300) is a local privilege escalation hole that exploits a vulnerability in the XFRM ESP-in-TCP subsystem to achieve a memory write primitive in the kernel. XFRM is an IP framework intended for packet transformations, and ESP-in-TCP (Encapsulating Security Payload in TCP) is a networking technique used to encapsulate IPsec ESP packets inside TCP segments.A proof of concept (PoC) exploit is already publicly available.The good news, Beggs said, is that the vulnerability can’t be exploited remotely. An attacker needs local access to trigger specific code paths and be able to control local socket operations and manipulate packet fragmentation.Still, he added, any unprivileged user can exploit the bug on a vulnerable system to corrupt security-sensitive files in memory, such as privileged access management configuration, password, systemd service files, or cron jobs. Although the attacker cannot modify the file on the disk, modifying in-memory files can trick privileged processes, alter system behavior, execute arbitrary code, and escalate privileges on the system, he said. Linux distributions including Red Hat, Ubuntu, AlmaLinux and others are pushing out patches or mitigations; CloudLinux said a patch is being tested.In a statement to CSO, Mike McGrath, Red Hat’s vice-president of Core Platforms, said issuing mitigations and fixes for privilege escalations like Fragnesia are a top priority. “We have published workarounds for the esp4 and esp6 kernel modules that we feel provide protection to customers in the immediate term while we work with the upstream community to identify a permanent fix in the form of a patch,” he said.According to Linux support provider TuxCare, systems running the affected skbuff code paths, including kernels that have already received the Dirty Frag fix, are impacted. The public PoC requires systems with the configuration option CONFIG_INET_ESPINTCP to access the bug, so kernels built without it block this exploit. But the underlying skbuff defect may be reachable through other paths. Microsoft urges Linux users and organizations to apply the patch as soon as possible by running update tools. If patching is not possible at this point, consider applying the same mitigations as for Dirty Frag, such as assessing whether esp4, esp6, and related xfrm/IPsec functionality can be temporarily disabled safely, restricting unnecessary local shell access, hardening containerized workloads, and increasing monitoring for abnormal privilege escalation activity.Related content: Kill switch for Linux kernel features proposed to improve securityBeggs advises system administrators to confirm kernel exposure by reviewing version numbers, and then update to a patched kernel if necessary and reboot the affected system. If ESP-in-TCP is not required, disable the module and block its use; this mitigation can also be immediately applied until patching is complete. Because the vulnerability requires local access, make sure that basic steps such as enforcing MFA for privileged accounts, disabling of unneeded shell access, and enforcing least privilege are all in place.Beggs also said admins may wish to increase monitoring of privileged processes (PAM, systemd, cron) and look for unexpected restarts, unexpected config reloads, and sudden privilege escalations.