www.infosecurity-magazine.com 5/14/2026, 1:11:03 PM · via preferred

New Fragnesia Flaw Hands Linux Local Users Root Access

CyberSIXT Evidence Panel
CISA KEV: Not in KEV
Patch: Patch Status Unknown

A new variant in the Dirty Frag family of Linux local privilege escalation flaws has surfaced, described as Fragnesia and tracked as CVE-2026-46300, according to new analysis from cloud security firm Wiz. The vulnerability, discovered by William Bowling of Zellic and the V12 team, allows unprivileged local users to gain root by writing arbitrary bytes into the kernel page cache of read-only files, with a working PoC exploit published on May 13.

It affects all Linux kernels released before that date and involves page cache corruption via ESP decryption, where the kernel can be made to overwrite memory by decrypting queued bytes directly over cached file pages. The flaw lies in how the kernel tracks shared page fragments when it merges socket buffers, and is related to the ESP/XFRM surface previously addressed by Dirty Frag patches. A candidate upstream fix was submitted to the netdev mailing list on May 13 and several distributions have started shipping backported patches.


Article by CyberSIXT
