CVE-2026-46300 Fragnesia Linux Kernel Vulnerability

Overview

A new Linux kernel local privilege escalation vulnerability known as Fragnesia has been disclosed under CVE-2026-46300.

Fragnesia belongs to the same vulnerability class as the recently disclosed Dirty Frag and Copy Fail vulnerabilities.

The vulnerability affects the Linux kernel XFRM / ESP-in-TCP subsystem, potentially allowing a local unprivileged user to gain root privileges through controlled page-cache corruption.

Vulnerability Details

CVE: CVE-2026-46300
Name: Fragnesia
Type: Local Privilege Escalation
Affected Component: Linux Kernel XFRM ESP-in-TCP
Attack Vector: Local
Privileges Required: Low
User Interaction: None
Impact: Root Privilege Escalation

Technical Description

The vulnerability exists in the Linux kernel's handling of ESP-in-TCP (XFRM/IPsec) under specific packet-handling conditions involving splice(), sendfile(), page-cache references and ESP/XFRM packet processing. Under these conditions the kernel may incorrectly manipulate shared page-cache memory, allowing controlled modification of read-only cached files.

Researchers even demonstrated the ability to overwrite cached contents of /usr/bin/su to obtain root privileges without modifying the actual on-disk file.

Relation to Dirty Frag

Fragnesia is considered part of the Dirty Frag vulnerability class and affects the same Linux kernel networking surface: XFRM, ESP and IPsec processing.

In fact, researchers indicated the vulnerability became reachable after one of the Dirty Frag fixes exposed a related code path.

RELIANOID Impact Assessment

Default RELIANOID Load Balancer installations are considered Low Risk because:

  • RELIANOID does not use the vulnerable functionality by default
  • ESP/XFRM modules are not actively required for standard ADC/load balancing operations
  • typical HTTP/HTTPS/TCP/UDP farms are not affected

VPN/IPsec module impact

RELIANOID environments using Network > VPN or IPsec-based VPN functionality may load affected Linux kernel modules dynamically. Potentially affected modules include: esp4, esp6, xfrm_user and xfrm_algo.

Therefore, the risk per RELIANOID feature is as follows:

Standard Load Balancing: Low
HTTP/HTTPS farms: Low
L4 farms: Low
GSLB: Low
IPDS: Low
IPsec VPN module: Potentially affected

How to Verify Affected Modules

Check whether vulnerable modules are loaded:

lsmod | grep -E 'esp4|esp6|xfrm'

Example vulnerable output:

esp4
esp6
xfrm_user

If no modules are shown, the vulnerable functionality is not currently active.

Verify Active IPsec Usage

You can also check active IPsec/XFRM policies:

ip xfrm state
ip xfrm policy

If both commands return no output, IPsec is likely not in use.

Temporary Mitigation

If IPsec VPN functionality is NOT required, the affected modules can be disabled.

Create:

/etc/modprobe.d/fragnesia.conf

with:

install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false

If the modules are already loaded, unload them and drop the page cache so that cached file contents are re-read from disk:

modprobe -r esp4 esp6 xfrm_user xfrm_algo
sync; echo 3 > /proc/sys/vm/drop_caches

This is the same mitigation officially recommended for Dirty Frag.

Important Warning: Do NOT apply this mitigation if RELIANOID is actively using IPsec VPN tunnels, ESP transport or XFRM-based services. Otherwise VPN services may stop functioning.
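
The verification and mitigation steps above can be combined into one triage check. The script below is an added example, not RELIANOID code: it classifies a host from lsmod output, ip xfrm output and the modprobe.d rules shown in this advisory. The function names, verdict strings and sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not RELIANOID code. Module names and the modprobe.d rule
# format come from the advisory; function names and verdicts are assumptions.
AFFECTED='esp4|esp6|xfrm_user|xfrm_algo'

# stdin: lsmod output. Prints the affected modules that are loaded.
loaded_affected() {
    awk '$1 != "Module" { print $1 }' | grep -E -x "$AFFECTED" | sort | xargs
}

# stdin: modprobe.d text. Prints modules disabled via "install <mod> /bin/false".
blocked_modules() {
    awk '$1 == "install" && $3 == "/bin/false" { print $2 }' | sort | xargs
}

# triage LSMOD XFRM_STATE XFRM_POLICY MODPROBE_CONF -> one verdict line
triage() {
    mods=$(printf '%s\n' "$1" | loaded_affected)
    blocked=$(printf '%s\n' "$4" | blocked_modules)
    if [ -n "$mods" ] && [ -n "$2$3" ]; then
        echo "IN-USE: $mods loaded with xfrm entries; keep modules, apply updates"
    elif [ -n "$mods" ]; then
        echo "UNUSED: $mods loaded, no xfrm entries; mitigation candidate"
    elif [ -n "$blocked" ]; then
        echo "BLOCKED: nothing loaded; install rules for: $blocked"
    else
        echo "NOT-LOADED: nothing loaded; no install rules present"
    fi
}

# Constructed sample inputs (not captured from a real appliance).
SAMPLE_LSMOD='Module                  Size  Used by
esp4                   32768  0
xfrm_user              61440  1 esp4
xfrm_algo              16384  2 esp4,xfrm_user
nf_tables             356352  0'
SAMPLE_STATE='src 192.0.2.10 dst 192.0.2.20
    proto esp spi 0x00000001 reqid 1 mode tunnel'
SAMPLE_CONF='install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false'

if [ "${1:-}" = "live" ]; then   # evaluate this host; run as root
    conf=$(cat /etc/modprobe.d/fragnesia.conf 2>/dev/null || true)
    triage "$(lsmod)" "$(ip xfrm state)" "$(ip xfrm policy)" "$conf"
else
    triage "$SAMPLE_LSMOD" "$SAMPLE_STATE" "" ""
fi
```

Only the IN-USE verdict corresponds to the warning above: modules are loaded and xfrm state or policy entries exist, so unloading would interrupt VPN services.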

RELIANOID Recommendation

RELIANOID customers are advised to:

  • Verify whether IPsec/XFRM modules are active
  • Apply updates as they become available
  • Disable unused ESP/XFRM modules where possible
  • Review third-party software installed on the appliance

Patches that fix this vulnerability will be provided in releases EE > 8.5.
