Another Day, Another Local Privilege Escalation Vulnerability in Linux: Meet Fragnesia
A member of the Dirty Flag class of vulnerabilities, but using a different core bug, Fragnesia is yet another universal LPE.
Security researcher William Bowling has warned of yet another universal local privilege escalation (LPE) vulnerability in the Linux kernel, dubbed Fragnesia — the fourth to be publicly disclosed in just two weeks.
"[Fragnesia] abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve arbitrary byte writes into the kernel page cache of read-only files," Bowling explains of the flaw, "without requiring any race condition. The core bug is [that] the skb [Socket Buffer] 'forgets' that a frag[mented network packet] is shared during coalescing."
Fragnesia is the fourth easily-exploited local privilege escalation vulnerability to have been publicly disclosed in the last two weeks, after Copy Fail, and the follow-up Copy Fail 2: Electric Boogaloo, opened the floodgates. While related, as the name implies, to Dirty Frag, it's a distinct bug in and of itself and requires a different patch — though the same mitigation as used for unpatched Dirty Frag-vulnerable systems applies to Fragnesia too.
Like its predecessor, though, it's only a local vulnerability: it allows anyone who already has access to an affected system to escalate their privileges up to the root, or superuser, level, gaining complete control — but it can't be remotely exploited to gain initial access to an otherwise-protected system. That's likely little comfort given how simple the bug is to exploit, though: a small C program is enough to drop any user into a root shell.
As distribution maintainers and system vendors begin to release patches, those running unpatched kernels — any version of Linux released before May 13, 2026 — are advised to apply the same mitigation as for Dirty Frag: remove the affected modules with

    rmmod esp4 esp6 rxrpc

and prevent them from loading again with

    printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf

Those running Canonical's Ubuntu, meanwhile, are already protected by the default settings for the AppArmor firewall.
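To confirm the mitigation above actually took effect on a host, the following audit script is an added example, not code from the article or from the exploit repository. The function names are hypothetical, and the default paths (/proc/modules, modules.builtin, /etc/modprobe.d) are assumptions about a typical distribution layout; it also flags the case where a module is compiled into the kernel, where rmmod and a modprobe.d override have no effect.

```shell
#!/bin/sh
# Added example: audit the module mitigation named in the article.
MODULES="esp4 esp6 rxrpc"   # module names taken from the article

# True if module $1 is listed in /proc/modules (or the file given as $2).
module_loaded() {
    awk -v m="$1" '$1 == m { hit = 1 } END { exit !hit }' "${2:-/proc/modules}" 2>/dev/null
}

# True if $1 is compiled into the kernel; rmmod and modprobe.d cannot remove it then.
module_builtin() {
    grep -q "/$1\.ko\$" "${2:-/lib/modules/$(uname -r)/modules.builtin}" 2>/dev/null
}

# True if a *.conf file in directory $2 redirects "install $1" to /bin/false or /bin/true.
module_blocked() {
    for f in "${2:-/etc/modprobe.d}"/*.conf; do
        [ -f "$f" ] || continue
        if awk -v m="$1" '$1 == "install" && $2 == m && $3 ~ /^\/bin\/(false|true)$/ { hit = 1 }
                          END { exit !hit }' "$f"; then
            return 0
        fi
    done
    return 1
}

# audit [PROC_MODULES] [MODULES_BUILTIN] [MODPROBE_DIR]; returns 0 only if all are mitigated.
audit() {
    rc=0
    for m in $MODULES; do
        if module_builtin "$m" "${2:-}"; then
            echo "$m: built in, module removal does not apply"; rc=1
        elif module_loaded "$m" "${1:-}"; then
            echo "$m: still loaded"; rc=1
        elif ! module_blocked "$m" "${3:-}"; then
            echo "$m: unloaded, but no install override found"; rc=1
        else
            echo "$m: mitigated"
        fi
    done
    return $rc
}

# Run against the live system only when invoked as: sh script.sh audit
if [ "${1:-}" = audit ]; then audit; exit $?; fi
```

A non-zero exit status makes the script usable as a fleet compliance check; the optional file arguments exist so it can be run against collected copies of those files instead of the live host.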
More information is available alongside the exploit source code on GitHub.