
Details have emerged about a new variant of the recent Dirty Frag Linux local privilege escalation (LPE) vulnerability that allows local attackers to gain root access, making it the third such bug to be identified in the kernel within a span of two weeks.
Codenamed Fragnesia, the security vulnerability is tracked as CVE-2026-46300 (CVSS score: 7.8) and is rooted in the Linux kernel’s XFRM ESP-in-TCP subsystem. It was discovered by researcher William Bowling of the V12 security team.
“The vulnerability allows unprivileged local attackers to modify read-only file contents in the kernel page cache and achieve root privileges through a deterministic page-cache corruption primitive,” Google-owned Wiz said.
Advisories have been released by a number of Linux distributions –
“It is a separate bug in the ESP/XFRM from Dirty Frag which has received its own patch,” V12 said. “However, it’s in the same surface and the mitigation is the same as for Dirty Frag. It abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve arbitrary byte writes into the kernel page cache of read-only files, without requiring any race condition.”
Fragnesia is similar to Copy Fail and Dirty Frag (aka Copy Fail 2) in that it immediately yields root on all major distributions by achieving a memory write primitive in the kernel and corrupting the page cache memory of the /usr/bin/su binary. A proof-of-concept (PoC) exploit has been released by V12.

“Customers who’ve already applied the Dirty Frag mitigation need no further action until patched kernels are released,” CloudLinux maintainers said. Red Hat said it is performing an assessment to confirm if existing mitigations extend to CVE-2026-46300.
Wiz also noted that AppArmor restrictions on unprivileged user namespaces may serve as a partial mitigation, requiring additional bypasses for successful exploitation. However, unlike Dirty Frag, no host-level privileges are required.
“A patch is available, and while no in-the-wild exploitation has been observed at this time, we urge users and organizations to apply the patch as soon as possible by running update tools,” Microsoft said. “If patching is not possible at this point, consider applying the same mitigations for Dirty Frag.”
This includes disabling esp4, esp6, and related xfrm/IPsec functionality, restricting unnecessary local shell access, hardening containerized workloads, and increasing monitoring for abnormal privilege escalation activity.
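For the first of those mitigations, the following added example (not taken from any of the advisories quoted here) reports whether the esp4 and esp6 modules are currently loaded or blocked from loading. It assumes the modules are disabled through modprobe.d `install`/`blacklist` lines; the function names and the sample host state are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the state of the ESP modules named in the mitigation text.

# esp_module_state MODULE [PROC_MODULES] [MODPROBE_DIR]
# Prints one of: loaded | blocked | blacklisted | loadable
esp_module_state() {
    mod=$1; proc_modules=${2:-/proc/modules}; conf_dir=${3:-/etc/modprobe.d}
    # The first field of each /proc/modules line is the module name.
    if awk -v m="$mod" '$1 == m { hit = 1 } END { exit !hit }' "$proc_modules" 2>/dev/null; then
        echo loaded
        return 0
    fi
    # Assumption: blocking is done with modprobe.d "install"/"blacklist" lines.
    cat "$conf_dir"/*.conf 2>/dev/null | awk -v m="$mod" '
        $1 == "install" && $2 == m && ($3 == "/bin/false" || $3 == "/bin/true") { blocked = 1 }
        $1 == "blacklist" && $2 == m { listed = 1 }
        END { print (blocked ? "blocked" : (listed ? "blacklisted" : "loadable")) }'
}

# audit_esp [PROC_MODULES] [MODPROBE_DIR]: returns 1 if esp4 or esp6 is still usable.
audit_esp() {
    rc=0
    for m in esp4 esp6; do
        state=$(esp_module_state "$m" "$@")
        echo "$m: $state"
        case $state in loaded|loadable) rc=1 ;; esac
    done
    return $rc
}

# make_sample DIR: constructed sample host state (esp4 loaded, esp6 blocked).
make_sample() {
    mkdir -p "$1/modprobe.d"
    printf '%s\n' 'esp4 28672 0 - Live 0x0000000000000000' \
                  'xfrm_user 65536 2 - Live 0x0000000000000000' > "$1/modules"
    printf '%s\n' '# constructed mitigation file' \
                  'install esp6 /bin/false' 'blacklist esp6' > "$1/modprobe.d/esp.conf"
}

# Demo on the constructed sample; call audit_esp with no arguments on a real host.
tmp=$(mktemp -d)
make_sample "$tmp"
audit_esp "$tmp/modules" "$tmp/modprobe.d" || echo "ESP modules still reachable"
rm -rf "$tmp"
```

A module that is already loaded stays loaded until it is removed or the host reboots, and modprobe.d settings have no effect on a kernel that has ESP support built in rather than built as modules.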
The development comes as a threat actor named “berz0k” has been observed advertising on cybercrime forums a zero-day Linux LPE exploit for $170,000, claiming it works on multiple major Linux distributions.
“The threat actor claims the vulnerability is TOCTOU-based (Time-of-Check Time-of-Use), capable of stable local privilege escalation without causing system crashes, and leverages a shared object (.so) payload dropped into the /tmp directory,” ThreatMon said in a post on X.

