securityaffairs.com 5/14/2026, 6:41:28 PM · via preferred

Fragnesia Flaw CVE-2026-46300 Allows Local Users to Gain Root

CyberSIXT Evidence Panel
Primary Source: wiz.io
CISA KEV: Not in KEV
Patch: Patch Status Unknown

Researchers have disclosed a new Linux kernel privilege-escalation flaw, Fragnesia, tracked as CVE-2026-46300, which could let local attackers gain root by corrupting the kernel page cache. The bug affects the XFRM ESP-in-TCP subsystem and enables arbitrary writes into the page cache memory of protected files, such as /usr/bin/su.

The vulnerability was uncovered by William Bowling of the V12 security team, and Wiz has published a detailed technical analysis. According to Wiz, the vulnerability “allows unprivileged local attackers to modify read-only file contents in the kernel page cache”, and attackers can achieve root privileges through deterministic page-cache corruption.

Researchers say Fragnesia shares similarities with earlier flaws like Dirty Frag and Copy Fail, and can reliably provide root access on major Linux distributions without race conditions or timing attacks. Several vendors, including Debian, Ubuntu, Red Hat, SUSE, Amazon Linux, AlmaLinux and Gentoo, have released advisories or updates, and a proof-of-concept exploit has been made publicly available.

Microsoft and other security teams urge organisations to patch promptly, or to disable unnecessary XFRM/IPsec functionality and monitor for suspicious privilege-escalation attempts. No evidence of real-world exploitation has yet been reported.
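
One monitoring check that fits this bug class, added here as an example and not taken from Wiz, the vendors or the article: hash a protected file once through the page cache and once with O_DIRECT, which bypasses the cache, and flag any difference. It assumes Linux and assumes the tampered page is not written back to disk, which the article does not state; the function names are illustrative.

```python
import hashlib
import mmap
import os

BLOCK = 1 << 20  # read size; a multiple of common logical block sizes, as O_DIRECT requires


def cached_digest(path):
    """SHA-256 of the file as a normal buffered read sees it (served from the page cache)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def direct_digest(path):
    """SHA-256 of the file read with O_DIRECT, or None if O_DIRECT cannot be used here."""
    if not hasattr(os, "O_DIRECT"):
        return None
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
    except OSError:
        return None
    buf = mmap.mmap(-1, BLOCK)  # anonymous mapping: the page-aligned buffer O_DIRECT needs
    h = hashlib.sha256()
    try:
        remaining = os.fstat(fd).st_size
        while remaining > 0:
            n = os.readv(fd, [buf])  # offsets stay BLOCK-aligned until the final short read
            if n <= 0:
                return None  # file shrank while being read
            h.update(buf[:n])
            remaining -= n
        return h.hexdigest()
    except OSError:
        return None
    finally:
        buf.close()
        os.close(fd)


def cache_matches_disk(path):
    """True if both views agree, False on mismatch, None if the check could not run."""
    on_disk = direct_digest(path)
    return None if on_disk is None else cached_digest(path) == on_disk


if __name__ == "__main__":
    for target in ("/usr/bin/su",):  # the protected file the article names
        print(target, cache_matches_disk(target))
```

A `False` result is the signal to investigate. Some filesystems quietly serve O_DIRECT reads from the cache, so a `True` there is not proof of integrity.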


Article by CyberSIXT
