Fragnesia

CVE-2026-46300CVSS 7.8unreleased

A flaw in the Linux kernel's XFRM ESP-in-TCP subsystem allows a low-privileged local attacker to write arbitrary bytes into the page cache of read-only files, which can be exploited to overwrite privileged binaries and gain root privileges.

Details

Write-up
https://github.com/v12-security/pocs/tree/main/fragnesia
CVEs
CVE-2026-46300 CVSS 7.8
Authors
William Bowling, V12
Patch
f84eca581739
The patch has not been included in a stable kernel release yet. Some distributions might have already backported it.

Timeline

  1. Patch submitted to netdev mailing list[3]
  2. PoC and writeup published, CVE assigned[2]
  3. Patch applied to netdev branch[1]

Mitigation

Blacklist affected kernel modules

IPsec connectivity will be lost, which won't be an issue for normal desktop users.

printf 'install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false
' > /etc/modprobe.d/fragnesia.conf
rmmod esp4 esp6 rxrpc 2>/dev/null
echo 1 > /proc/sys/vm/drop_caches

Sources

  1. https://lists.openwall.net/netdev/2026/05/15/20
  2. http://www.openwall.com/lists/oss-security/2026/05/13/3
  3. https://lists.openwall.net/netdev/2026/05/13/79

History