CVE-2026-46300: Fragnesia Linux Kernel Flaw Grants Root via Page Cache Corruption

Local privilege-escalation bugs remain especially dangerous when they turn an ordinary user foothold into immediate root access. The CVE-2026-46300 vulnerability, nicknamed Fragnesia, is a high-severity Linux kernel flaw in the XFRM ESP-in-TCP subsystem that allows an unprivileged local attacker to write arbitrary bytes into the page cache of read-only files and escalate privileges. Public reporting assigns it a CVSS score of 7.8 and links it to the same broader bug class as Dirty Frag.

The New Fragnesia Linux issue was disclosed on May 14, 2026, with The Hacker News describing it as the third kernel bug of this kind identified within two weeks, and BleepingComputer noting that Linux distributions had already started rolling out patches. Public details for CVE-2026-46300 show that the flaw was discovered by William Bowling of the V12 security team and that a working proof-of-concept had already been released.

CVE-2026-46300 analysis

At a technical level, the vulnerability in CVE-2026-46300 is a logic bug in the kernel’s ESP-in-TCP path. CloudLinux explains that when a TCP socket switches into espintcp mode after file-backed data has already been spliced into the receive queue, the kernel can treat those queued file pages as ESP ciphertext and decrypt them in place. That lets an unprivileged process transform controlled IV values into a deterministic one-byte write primitive against the page cache of any readable file, without requiring a race condition.

A public CVE-2026-46300 poc is already available, and the published CVE-2026-46300 payload targets the page-cache copy of /usr/bin/su rather than modifying the on-disk binary directly. According to CloudLinux and BleepingComputer, the exploit writes a small ELF stub into cached memory so that the next invocation of su runs attacker-controlled code as root.

From an exposure standpoint, CVE-2026-46300 affects Linux kernels released before May 13, 2026. The Hacker News says multiple distributions, including AlmaLinux, Amazon Linux, Debian, Red Hat, SUSE, and Ubuntu, have published advisories, while BleepingComputer says the bug can yield root privileges on vulnerable systems through page-cache corruption of read-only files.

Explore Detections

CVE-2026-46300 Mitigation

The primary response is to apply patched kernels from your Linux vendor as soon as they become available. At the time of disclosure, The Hacker News reported that no in-the-wild exploitation had been observed, but Microsoft still urged organizations to patch quickly and, if patching was not immediately possible, to apply the same temporary protections recommended for Dirty Frag.

For CVE-2026-46300 detection, defenders should focus on systems where a local attacker could realistically gain code execution and then pivot to root. Public CVE-2026-46300 iocs are limited, but the published exploit path centers on tampering with cached copies of sensitive binaries such as /usr/bin/su, which means version validation, local execution telemetry, and sudden privilege changes are more useful than network signatures.

To Detect CVE-2026-46300 exposure before patched kernels are deployed, the recommended temporary mitigation is to unload and blacklist the esp4, esp6, and rxrpc modules. CloudLinux and BleepingComputer both note that this breaks workloads relying on IPsec ESP or AFS/rxrpc, so it should be applied only where operationally acceptable. If a host may already have been targeted, CloudLinux also recommends dropping the page cache after mitigation so corrupted cached pages are evicted and reloaded from disk.