
High-Risk Privilege Escalation Vulnerability: Fragnesia

Andrew Wang Dev, published 2026/5/14

A new local privilege escalation flaw named "Fragnesia" has been disclosed in the Linux kernel's ESP/XFRM attack surface. Though similar to "Dirty Frag," it is an independent issue posing severe risks to cloud hosts, container host machines, CI/CD runners, and multi-user environments.

Technical Details

The vulnerability occurs because the kernel fails to retain the "shared frag" flag during TCP packet merging, which incorrectly bypasses Copy-On-Write (COW) protections. Attackers with local execution privileges can exploit this to alter the page cache of protected read-only files directly in memory, ultimately gaining root access. Because this tampering happens in memory, it easily evades traditional disk-based integrity checks.

Mitigation

  1. Upgrade System: Immediately evaluate and update to a secure kernel version that includes the May 13, 2026 patches.
  2. Restrict Namespaces: Prevent unprivileged users from creating user namespaces.
  3. Harden Containers: Strictly prohibit assigning high-risk permissions like CAP_NET_ADMIN, privileged mode, or host network access to containers.
  4. Disable Modules: Temporarily disable the esp4 and esp6 modules if your operations do not rely on IPsec.
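
As an added example (not part of the original advisory), this read-only shell script checks a host against mitigations 2 to 4. The function names, the two sysctl paths, and the `install <module> /bin/false` modprobe convention are assumptions about a typical Linux host rather than details from the advisory.

```shell
#!/bin/sh
# Added example: read-only host audit for mitigations 2-4.
# File paths are arguments so each check can run against constructed samples.

# Mitigation 2: succeeds if unprivileged user namespace creation is blocked.
# Checks two sysctls only; other distro-specific controls are not covered.
userns_restricted() {
    max_file=${1:-/proc/sys/user/max_user_namespaces}
    clone_file=${2:-/proc/sys/kernel/unprivileged_userns_clone}  # Debian/Ubuntu knob
    [ -r "$max_file" ] && [ "$(cat "$max_file")" = "0" ] && return 0
    [ -r "$clone_file" ] && [ "$(cat "$clone_file")" = "0" ] && return 0
    return 1
}

# Mitigation 3: succeeds if the process whose status file is given holds
# CAP_NET_ADMIN (capability bit 12) in its effective set.
has_net_admin() {
    cap=$(awk '/^CapEff:/ { print $2 }' "$1")
    [ -n "$cap" ] && [ $(( (0x$cap >> 12) & 1 )) -eq 1 ]
}

# Mitigation 4: prints esp4/esp6 if loaded as modules. Built-in code never
# appears in /proc/modules, so empty output does not prove absence.
esp_modules_loaded() {
    awk '$1 == "esp4" || $1 == "esp6" { print $1 }' "${1:-/proc/modules}"
}

# Mitigation 4: succeeds if modprobe config in DIR maps the module to a no-op.
esp_module_blocked() {
    grep -Eqs "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/(false|true)" \
        "${2:-/etc/modprobe.d}"/*.conf
}

audit_host() {
    userns_restricted && echo "userns: restricted" || echo "userns: UNRESTRICTED"
    has_net_admin /proc/self/status && echo "this process: has CAP_NET_ADMIN"
    for m in esp4 esp6; do
        esp_module_blocked "$m" && echo "$m: load blocked" || echo "$m: not blocked"
    done
    loaded=$(esp_modules_loaded)
    [ -n "$loaded" ] && echo "loaded now:" $loaded
    return 0
}

# Run the audit only when asked, e.g.: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then audit_host; fi
```

Run `has_net_admin /proc/1/status` inside a container to check the capability set it was actually started with.
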