Overview
Recently, NSFOCUS Technology CERT detected that the Linux kernel Fragnesia privilege escalation vulnerability (CVE-2026-46300) was disclosed online. Fragnesia is a new variant of Dirty Frag; Due to the logical defects in the processing of shared page fragments by the ESP-in-TCP subsystem during the skb merge process, a local attacker with ordinary permissions can inject arbitrary bytes into the page cache of key binary files such as /usr/bin/su by constructing a specific splice+ULP trigger sequence, thereby obtaining system root permissions. In a multi-tenant server, jump server or container cloud environment, ordinary users and processes in containers can use this to achieve local privilege escalation or container escape. The CVSS score is 7.8. At present, the vulnerability details and PoC have been made public. Relevant users are requested to take measures to protect themselves as soon as possible.
Note: This vulnerability is highly stable and concealed. Attackers can accurately tamper with the execution instructions of high-privilege programs such as su in memory by running short scripts; because this exploitation process is triggered by deterministic logic, does not rely on race conditions, and only tampers with memory data without destroying the original disk files, it is difficult for traditional security tools based on disk scanning to discover in real time.
The Linux kernel is the core component of the operating system, responsible for key functions such as process management, memory management, device drivers, file systems and network protocol stacks. It is widely deployed in servers, desktop systems and embedded devices. The esp4 and esp6 modules are the core components of the IPsec protocol stack, responsible for processing ESP (Encapsulating Security Payload) protocol packets for IPv4 and IPv6 respectively. They are key mechanisms for encrypting, authenticating and encapsulating traffic for IPsec. The rxrpc module is a core component that implements the RxRPC (Remote Procedure Call over unreliable datagram networks) protocol and is designed to provide reliable remote procedure call (RPC) communication over unreliable UDP networks.
NSFOCUS has successfully reproduced this vulnerability:
Reference link: https://access.redhat.com/security/cve/CVE-2026-46300
Scope of Impact
- Cef401de7be8 <= commit < 2026.5.13 patch kernel version
Note: This vulnerability is introduced from the SKBFL_SHARED_FRAG mechanism and affects most Linux distributions such as Ubuntu, Debian, RHEL, openSUSE, CentOS, AlmaLinux, Fedora, Arch Linux, etc.
Unaffected version
Note: It can be upgraded to the kernel version of each release application upstream patch [PATCH net] net: skbuff: preserve shared-frag marker during coalescing
Detection
Manual check
Linux system users can determine whether the current system is within the affected range by checking the kernel version. The command to check the operating system version information is as follows:
| cat /proc/version |
The status of the esp4/esp6/rxrpc module can be checked using the following command:
| lsmod | grep -E ‘^(esp4|esp6|rxrpc)’ |
Note: If the system kernel is within the affected range and relevant modules are loaded, there will be a safety risk.
Mitigation
Official upgrade
At present, the official security patch has been released to fix this vulnerability. Affected users are requested to update as soon as possible for protection.
Download link: https://lists.openwall.net/netdev/2026/05/13/79
Other protective measures
If the relevant users are temporarily unable to upgrade and update, the following measures can be used for temporary protection:
1. Relevant users can block the attack surface by disabling esp4/esp6/rxrpc modules:
| rmmod esp4 esp6 rxrpcprintf ‘install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n’ > /etc/modprobe.d/fragnesia.conf |
2. In a container or cloud environment, it is recommended to prohibit the process from creating AF_ALG type sockets through Seccomp configuration and intercept non-privileged user namespace creation to prevent escape risks.
3. Monitor abnormal tampering of key files such as /etc/passwd, /etc/sudoers, /etc/shadow and /usr/bin/su, and restrict high-risk calls such as splice, add_key and unshare by ordinary users.
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS, a pioneering leader in cybersecurity, is dedicated to safeguarding telecommunications, Internet service providers, hosting providers, and enterprises from sophisticated cyberattacks.
Founded in 2000, NSFOCUS operates globally with over 3000 employees at two headquarters in Beijing, China, and Santa Clara, CA, USA, and over 50 offices worldwide. It has a proven track record of protecting over 25% of the Fortune Global 500 companies, including four of the five largest banks and six of the world’s top ten telecommunications companies.
Leveraging technical prowess and innovation, NSFOCUS delivers a comprehensive suite of security solutions, including the Intelligent Security Operations Platform (ISOP) for modern SOC, DDoS Protection, Continuous Threat Exposure Management (CTEM) Service and Web Application and API Protection (WAAP). All the solutions and services are augmented by the Security Large Language Model (SecLLM), ML, patented algorithms and other cutting-edge research achievements developed by NSFOCUS.
