(picussecurity.com) Fragnesia (CVE-2026-46300): A Deep Dive into the Linux Kernel LPE Vulnerability in XFRM ESP-in-TCP Subsystem
New high-severity Linux kernel LPE vulnerability (CVE-2026-46300, CVSS 7.8) dubbed Fragnesia enables unprivileged local attackers to gain root access by exploiting flawed memory coalescing in the XFRM ESP-in-TCP subsystem.
In brief - Fragnesia allows attackers to overwrite read-only executable files in memory (e.g., setuid-root binaries) via page cache manipulation, leading to reliable root shell access without modifying on-disk files. Affects nearly all Linux distributions; patch or disable vulnerable modules immediately.
Technically - The flaw stems from the kernel's failure to recognize shared fragment pages during skb coalescing in the XFRM ESP-in-TCP subsystem. Attackers exploit this by installing a transport-mode ESP-in-TCP SA with AES-128-GCM, then using splice-and-ULP to enqueue data in the TCP buffer. By controlling the IV nonce, they select keystream bytes to XOR with target file page cache entries, enabling precise modifications. The exploit writes a 192-byte ELF stub into the page cache of a setuid-root binary (e.g., /usr/bin/su). Fragnesia differs from Dirty Frag in that it targets the memory coalescing logic rather than IPsec ESP/RxRPC.
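Since the advice is to patch or disable the affected modules, the following added example (not code from the Picus write-up) checks whether a host exposes the XFRM ESP-in-TCP code path and emits the modprobe blacklist that disables it until a fixed kernel is installed. It assumes, as the page does not say, that ESP-in-TCP is gated by CONFIG_INET_ESPINTCP and lives in the esp4 module (built in when CONFIG_INET_ESP=y); IPv6 (esp6) is left out for brevity.

```shell
#!/bin/sh
# Added example, not from the Picus write-up. Assumptions (not stated on the page):
# ESP-in-TCP is compiled in under CONFIG_INET_ESPINTCP and ships in the esp4 module
# when CONFIG_INET_ESP=m, or is built into the kernel when CONFIG_INET_ESP=y.

# espintcp_status <kernel-config-file> <proc-modules-file>
# Prints: absent | builtin | loaded | available
espintcp_status() {
    cfg="$1"; mods="$2"
    if ! grep -q '^CONFIG_INET_ESPINTCP=y' "$cfg" 2>/dev/null; then
        echo absent; return 0             # ESP-in-TCP not compiled in at all
    fi
    if grep -q '^CONFIG_INET_ESP=y' "$cfg" 2>/dev/null; then
        echo builtin; return 0            # cannot be blacklisted; only a kernel update helps
    fi
    if grep -q '^esp4 ' "$mods" 2>/dev/null; then
        echo loaded; return 0             # unload (rmmod esp4) and blacklist
    fi
    echo available                        # not loaded, but autoloadable: blacklist
}

# espintcp_blacklist <status>
# Emits the /etc/modprobe.d stanza for the states where blacklisting helps.
# Caveat: this disables all IPv4 ESP (IPsec), so it is only acceptable where IPsec is unused.
espintcp_blacklist() {
    case "$1" in
        loaded|available) printf 'blacklist esp4\ninstall esp4 /bin/false\n' ;;
        *) : ;;
    esac
}

# Constructed sample inputs standing in for /boot/config-$(uname -r) and /proc/modules.
SAMPLE_CFG=$(mktemp); SAMPLE_MODS=$(mktemp); NOESP_CFG=$(mktemp)
printf 'CONFIG_INET_ESP=m\nCONFIG_INET_ESPINTCP=y\n' > "$SAMPLE_CFG"
printf 'esp4 24576 0 - Live 0xffffffffc0000000\nxfrm_user 49152 1 - Live 0xffffffffc0100000\n' > "$SAMPLE_MODS"
printf 'CONFIG_INET_ESP=m\n# CONFIG_INET_ESPINTCP is not set\n' > "$NOESP_CFG"

# Real-host usage: espintcp_status "/boot/config-$(uname -r)" /proc/modules
status=$(espintcp_status "$SAMPLE_CFG" "$SAMPLE_MODS")
echo "sample host: $status"
espintcp_blacklist "$status"
```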