
New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption

Details have emerged about a new variant of the recent Dirty Frag Linux local privilege escalation (LPE) vulnerability that allows local attackers to gain root access, making it the third such bug to be identified in the kernel within a span of two weeks.

Codenamed Fragnesia, the security vulnerability is tracked as CVE-2026-46300 (CVSS score: 7.8) and is rooted in the Linux kernel’s XFRM ESP-in-TCP subsystem. It was discovered by researcher William Bowling of the V12 security team.

“The vulnerability allows unprivileged local attackers to modify read-only file contents in the kernel page cache and gain root privileges through a deterministic page-cache corruption primitive,” Google-owned Wiz said.

Advisories have been released by several Linux distributions –

“This is a separate bug in the ESP/XFRM from Dirty Frag which has received its own patch,” V12 said. “However, it’s in the same surface and the mitigation is the same as for Dirty Frag. It abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve arbitrary byte writes into the kernel page cache of read-only files, without requiring any race condition.”


Fragnesia is similar to Copy Fail and Dirty Frag (aka Copy Fail 2) in that it immediately yields root on all major distributions by achieving a memory write primitive in the kernel and corrupting the page cache memory of the /usr/bin/su binary. A proof-of-concept (PoC) exploit has been released by V12.

“Customers who’ve already applied the Dirty Frag mitigation need no further action until patched kernels are released,” CloudLinux maintainers said. Red Hat said it is performing an assessment to confirm whether existing mitigations extend to CVE-2026-46300.

Wiz also noted that AppArmor restrictions on unprivileged user namespaces may serve as a partial mitigation, requiring additional bypasses for successful exploitation. However, unlike Dirty Frag, no host-level privileges are required.

“A patch is available, and while no in-the-wild exploitation has been observed at this time, we urge users and organizations to apply the patch as soon as possible by running update tools,” Microsoft said. “If patching isn’t possible at this point, consider applying the same mitigations for Dirty Frag.”


This includes disabling esp4, esp6, and related xfrm/IPsec functionality, restricting unnecessary local shell access, hardening containerized workloads, and increasing monitoring for abnormal privilege escalation activity.
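To verify the module part of that mitigation on a host, the following added example (not code from the article or from any vendor advisory) checks whether esp4 and esp6 are currently loaded and whether modprobe.d actually prevents them from loading. The function names and the `--live` switch are assumptions of this sketch, and it covers only the two module names the article gives.

```sh
#!/bin/sh
# Added example (not from the article): audit the esp4/esp6 module mitigation.
MODULES="esp4 esp6"   # only the module names the article gives

# is_loaded MODULE [FILE]: true if MODULE is listed in /proc/modules format.
is_loaded() {
    awk -v m="$1" '$1 == m { hit = 1 } END { exit !hit }' "${2:-/proc/modules}"
}

# block_state MODULE [DIR...]: print how modprobe.d treats MODULE.
#   install-blocked  "install MODULE /bin/false" (or /bin/true): modprobe will not load it
#   blacklist-only   alias-based autoloading is off, "modprobe MODULE" still works
#   unblocked        no rule found
block_state() {
    mod=$1; shift
    [ $# -gt 0 ] || set -- /etc/modprobe.d /run/modprobe.d /usr/lib/modprobe.d /lib/modprobe.d
    for d in "$@"; do
        cat "$d"/*.conf 2>/dev/null || true
    done | awk -v m="$mod" '
        $1 ~ /^#/ { next }
        $1 == "install" && $2 == m && $3 ~ /\/(false|true)$/ { inst = 1 }
        $1 == "blacklist" && $2 == m { bl = 1 }
        END { print (inst ? "install-blocked" : (bl ? "blacklist-only" : "unblocked")) }'
}

# audit PROC_MODULES_FILE [DIR...]: one line per module, exit status 1 on any gap.
audit() {
    proc=$1; shift; rc=0
    for m in $MODULES; do
        state=$(block_state "$m" "$@")
        if is_loaded "$m" "$proc"; then loaded=loaded; else loaded=not-loaded; fi
        echo "$m $loaded $state"
        [ "$loaded" = not-loaded ] && [ "$state" = install-blocked ] || rc=1
    done
    return "$rc"
}

# Run against the live system only when asked: sh audit.sh --live
if [ "${1:-}" = --live ]; then audit /proc/modules; fi
```

A module reported as `loaded install-blocked` still needs unloading or a reboot before the rule has any effect. ESP support compiled into the kernel rather than built as a module does not appear in /proc/modules, so this check cannot see it.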

The development comes as a threat actor named “berz0k” has been observed advertising on cybercrime forums a zero-day Linux LPE exploit for $170,000, claiming it works on multiple major Linux distributions.

“The threat actor claims the vulnerability is TOCTOU-based (Time-of-Check Time-of-Use), capable of stable local privilege escalation without causing system crashes, and leverages a shared object (.so) payload dropped into the /tmp directory,” ThreatMon said in a post on X.
