Another Day, Another Local Privilege Escalation Vulnerability in Linux: Meet Fragnesia
A member of the Dirty Flag class of vulnerabilities, but using a different core bug, Fragnesia is yet another universal LPE.
Security researcher William Bowling has warned of yet another universal local privilege escalation (LPE) vulnerability in the Linux kernel, dubbed Fragnesia — the fourth to be publicly disclosed in just two weeks.
"[Fragnesia] abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve arbitrary byte writes into the kernel page cache of read-only files," Bowling explains of the flaw, "without requiring any race condition. The core bug is [that] the skb [Socket Buffer] 'forgets' that a frag[mented network packet] is shared during coalescing."
Fragnesia is the fourth easily-exploited local privilege escalation vulnerability to have been publicly disclosed in the last two weeks, after Copy Fail, and the follow-up Copy Fail 2: Electric Boogaloo, opened the floodgates. While related, as the name implies, to Dirty Frag, it's a distinct bug in and of itself and requires a different patch — though the same mitigation as used for unpatched Dirty Frag-vulnerable systems applies to Fragnesia too.
Like its predecessor, though, it's only a local vulnerability: it allows anyone who already has access to an affected system to escalate their privileges up to the root, or superuser, level, gaining complete control — but it can't be remotely exploited to gain initial access to an otherwise-protected system. That's likely little comfort given how simple the bug is to exploit, though: a small C program is enough to drop any user into a root shell.
As distribution maintainers and system vendors begin to release patches, those running unpatched kernels — any version of Linux released before May 13 2026 — are advised to apply the same mitigation as for Dirty Frag. First, remove the affected modules:

    rmmod esp4 esp6 rxrpc

Then prevent them from loading again:

    printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf

Those running Canonical's Ubuntu, meanwhile, are already protected by the default AppArmor settings.
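To confirm the mitigation above actually took effect on a host, the following added example (not code from the article or from the researcher) checks that none of the three modules is still loaded and that each has an active install-to-/bin/false rule. The function names are hypothetical, and it assumes the rules live in a single directory, /etc/modprobe.d by default.

```shell
#!/bin/sh
# Added example (not from the article): audit the mitigation described above.
MODULES="esp4 esp6 rxrpc"   # the modules the article says to remove and block

# Print each of MODULES present in a /proc/modules-format file
# (the first field of each line is the module name).
loaded_modules() {
    modfile=${1:-/proc/modules}
    for m in $MODULES; do
        if awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' "$modfile"; then
            echo "$m"
        fi
    done
}

# Print each of MODULES that has no active "install <module> /bin/false"
# line in any *.conf file of the given directory. Commented-out lines do not
# count. Assumption: only this one directory is checked.
unblocked_modules() {
    confdir=${1:-/etc/modprobe.d}
    for m in $MODULES; do
        blocked=0
        for f in "$confdir"/*.conf; do
            [ -f "$f" ] || continue
            if awk -v m="$m" '$1 == "install" && $2 == m && $3 == "/bin/false" { found = 1 }
                              END { exit !found }' "$f"; then
                blocked=1
            fi
        done
        [ "$blocked" -eq 1 ] || echo "$m"
    done
}

# Report both findings; succeed only when nothing is loaded and all are blocked.
audit() {
    loaded=$(loaded_modules "${1:-/proc/modules}")
    unblocked=$(unblocked_modules "${2:-/etc/modprobe.d}")
    [ -z "$loaded" ] || echo "still loaded:" $loaded
    [ -z "$unblocked" ] || echo "not blocked from loading:" $unblocked
    [ -z "$loaded$unblocked" ]
}

# Run against the live system only when asked: sh script.sh --audit
if [ "${1:-}" = "--audit" ]; then audit; fi
```

A module compiled directly into the kernel does not appear in /proc/modules and cannot be removed with rmmod, so a clean result here only covers loadable modules.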
More information is available alongside the exploit source code on GitHub.