Fragnesia Linux Vulnerability Let Attackers Gain Root Privileges – PoC Released

HomeCyber Security Fragnesia Linux Vulnerability Let Attackers Gain Root Privileges – PoC Released By Guru Baran May 13, 2026 A newly disclosed Linux kernel vulnerability dubbed Fragnesia allows any local unprivileged user to escalate privileges to root without requiring a race condition, making it one of the more reliable local privilege escalation exploits seen in recent years. Discovered by William Bowling of the V12 security team, Fragnesia joins a growing class of dangerous kernel bugs that silently rewrite the rules of Linux security. Fragnesia belongs to the Dirty Frag vulnerability class, a cousin of the infamous Dirty Pipe and Copy Fail bugs, but targets a separate logic flaw in the Linux XFRM ESP-in-TCP subsystem. The name itself hints at the mechanism: the kernel “forgets” that a fragment is shared during socket buffer coalescing, corrupting memory it was never supposed to touch. Fragnesia Works Linux Kernel Vulnerability The exploit weaponizes a subtle logic bug in how the kernel handles ESP-in-TCP ULP (Upper Layer Protocol) mode. When a TCP socket transitions to espintcp ULP after file data has already been spliced into the receive queue, the kernel mistakenly processes those queued file pages as ESP ciphertext. This causes a single AES-GCM keystream byte to be XORed directly into a read-only file’s kernel page cache no race condition needed. By carefully selecting an IV nonce to produce any desired keystream byte, an attacker can flip any byte in a cached file to any value, one byte per trigger invocation. The exploit constructs a 256-entry lookup table mapping all possible keystream bytes to their corresponding nonces, then iterates over a malicious payload, overwriting the first 192 bytes of /usr/bin/su in the page cache with a small ELF stub that calls setresuid(0,0,0) and executes /bin/sh. Crucially, the on-disk binary remains completely untouched; only the in-memory page cache is modified. Affected Versions and Mitigation Every Linux kernel version affected by Dirtyfrag, effectively any kernel before May 13, 2026, is vulnerable. The patch has been submitted upstream, but unpatched systems remain exposed. Until patching is possible, administrators should immediately unload the affected ESP modules: textrmmod esp4 esp6 rxrpc printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf A critical post-exploitation warning: once the exploit runs, /usr/bin/su in the page cache remains modified and will re-spawn a root shell on every invocation until the cache is flushed. Administrators must run echo 1 | tee /proc/sys/vm/drop_caches or reboot before leaving any affected machine unattended. A public proof-of-concept is already available on GitHub, lowering the barrier to exploitation significantly. Organizations running Linux servers should treat this as a critical priority and apply the upstream patch immediately. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News 28 Fake Call History Apps on Google Play with 7.3M+ Downloads Trick Users to Steal Payments Critical Redis Vulnerabilities Enables Remote Code Execution Attacks Multiple Critical Vulnerabilities Patched in Next.js and React Server Components Claude’s Chrome Extension Vulnerability Allows Malicious Extensions to Steal Gmail and Drive Data New Phishing Attack Weaponizing Event Invitations to Steal Login Credentials Latest News Cyber Security News ClickFix Evolves with 10-Year-Old Open-Source Python SOCKS5 Proxy Cyber Security News Critical SandboxJS Escape Vulnerability Enables Host Takeover Cyber Security News iOS 26.5 Brings End-to-end Encrypted RCS Messaging Between iPhone and Android Cyber Security News New Exim BDAT GnuTLS Vulnerability Enables Code Execution Attacks Cyber Security News Google Enhances Android Mobile Security with New AI-Powered Protections