Local Privilege Escalation in Linux Kernel (CVE‑2026‑46300 “Fragnesia”) Threatens Shared Hosts and Cloud SaaS
What It Is — Researchers at Zellic.io disclosed a new local privilege‑escalation (LPE) flaw in the Linux kernel, CVE‑2026‑46300, dubbed Fragnesia. The bug resides in the xfrm‑ESP module and can corrupt the kernel page cache, allowing an unprivileged user to gain root privileges.
Exploitability — Proof‑of‑concept code is publicly available, but no evidence of in‑the‑wild exploitation exists yet. The vulnerability is rated High (CVSS ≈ 8.5) due to the ease of local exploitation and the breadth of affected environments.
Affected Products — All Linux distributions that include the vulnerable xfrm‑ESP kernel module (e.g., AlmaLinux, CloudLinux, and any kernel version that incorporated the Dirty Frag patch CVE‑2026‑43284).
TPRM Impact — Multi‑tenant Linux hosts, container orchestration clusters, CI/CD runners, and SaaS platforms that execute customer code share the kernel page cache. A successful exploit could let a malicious tenant escape isolation, modify system binaries, or tamper with credential files, creating a supply‑chain risk for downstream customers.
Recommended Actions –
- Deploy vendor kernel patches immediately once released.
- Until patches are available, deny‑list or unload the vulnerable modules (
esp4,esp6,rxrpc). - On shared hosts, flush the page cache after mitigation (
echo 3 > /proc/sys/vm/drop_caches). - Review and harden container isolation policies; consider kernel hardening profiles.
- Monitor for anomalous use of privileged binaries (e.g.,
/usr/bin/su,/etc/passwd).
Source: Help Net Security