A newly disclosed Linux kernel vulnerability dubbed Fragnesia allows any local unprivileged user to escalate privileges to root without requiring a race condition, making it one of the more reliable local privilege escalation exploits seen in recent years.
Discovered by William Bowling of the V12 security team, Fragnesia joins a growing class of dangerous kernel bugs that silently rewrite the rules of Linux security.
Fragnesia belongs to the Dirty Frag vulnerability class, a cousin of the infamous Dirty Pipe and Copy Fail bugs, but targets a separate logic flaw in the Linux XFRM ESP-in-TCP subsystem.
The name itself hints at the mechanism: the kernel “forgets” that a fragment is shared during socket buffer coalescing, corrupting memory it was never supposed to touch.
Fragnesia Works Linux Kernel Vulnerability
The exploit weaponizes a subtle logic bug in how the kernel handles ESP-in-TCP ULP (Upper Layer Protocol) mode.
When a TCP socket transitions to espintcp ULP after file data has already been spliced into the receive queue, the kernel mistakenly processes those queued file pages as ESP ciphertext.
This causes a single AES-GCM keystream byte to be XORed directly into a read-only file’s kernel page cache no race condition needed.
By carefully selecting an IV nonce to produce any desired keystream byte, an attacker can flip any byte in a cached file to any value, one byte per trigger invocation.
The exploit constructs a 256-entry lookup table mapping all possible keystream bytes to their corresponding nonces, then iterates over a malicious payload, overwriting the first 192 bytes of /usr/bin/su in the page cache with a small ELF stub that calls setresuid(0,0,0) and executes /bin/sh.
Crucially, the on-disk binary remains completely untouched; only the in-memory page cache is modified.
Affected Versions and Mitigation
Every Linux kernel version affected by Dirtyfrag, effectively any kernel before May 13, 2026, is vulnerable. The patch has been submitted upstream, but unpatched systems remain exposed.
Until patching is possible, administrators should immediately unload the affected ESP modules:
textrmmod esp4 esp6 rxrpc
printf 'install esp4 /bin/falseninstall esp6 /bin/falseninstall rxrpc /bin/falsen' > /etc/modprobe.d/dirtyfrag.confA critical post-exploitation warning: once the exploit runs, /usr/bin/su in the page cache remains modified and will re-spawn a root shell on every invocation until the cache is flushed. Administrators must run echo 1 | tee /proc/sys/vm/drop_caches or reboot before leaving any affected machine unattended.
A public proof-of-concept is already available on GitHub, lowering the barrier to exploitation significantly.
Organizations running Linux servers should treat this as a critical priority and apply the upstream patch immediately.
Free Live Webinar: Is Microsoft Security Copilot a Feature or a Product? The Answer Changes Your Budget -> Register Now
