Fragnesia Linux Flaw Allows Root Privilege Escalation, PoC Released

A newly disclosed Linux privilege escalation vulnerability called Fragnesia is sending shockwaves through the security community.

The flaw allows any unprivileged local user to gain a full root shell, and a working proof-of-concept exploit is already public on GitHub.

Fragnesia Linux Flaw

Discovered by researcher William Bowling and the V12 security team, Fragnesia is a universal local privilege escalation (LPE) exploit targeting the Linux kernel’s XFRM ESP-in-TCP subsystem.

It belongs to the same vulnerability class as the recently disclosed Dirty Frag bug, but researchers confirmed it is a distinct, separate flaw that required its own dedicated patch.

The vulnerability abuses a logic bug where the kernel “forgets” that a memory fragment is shared during socket buffer coalescing, hence the name.

When a TCP socket transitions to espintcp ULP mode after file data has already been spliced into the receive queue, the kernel mistakenly treats those queued file pages as ESP ciphertext and decrypts them in-place.

This gives an attacker the ability to XOR arbitrary bytes directly into the kernel’s page cache of read-only files, one byte per trigger, with no race condition required.

The exploit works in a precise, methodical way:

  • It calls unshare() to create a user and network namespace, gaining CAP_NET_ADMIN without real host privileges
  • It installs an ESP-in-TCP security association using AES-128-GCM with a known key
  • It builds a 256-entry lookup table mapping every possible keystream byte to the matching IV nonce
  • It then splices data from /usr/bin/su into the TCP stream byte-by-byte, flipping each target byte to inject a small ELF stub that calls setresuid(0,0,0) and executes /bin/sh
  • Finally, it runs execve("/usr/bin/su") to drop into a root shell

Crucially, the modification only exists in the page cache; the on-disk binary is never touched, making forensic detection harder.

However, the injected stub persists in memory until the cache is flushed or the system reboots, meaning any execution of su after the exploit will re-spawn a root shell.

Affected Versions and Mitigation

All Linux kernels before May 13, 2026, are affected, specifically any version missing the patch published to the netdev mailing list on that date.

The exploit was confirmed to work on Ubuntu with the kernel 6.8.0-111-generic running on a Linode VPS.

The V12 team recommends the same mitigation as Dirty Frag: unload the affected ESP kernel modules immediately.

```bash
rmmod esp4 esp6 rxrpc
printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf
```
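To confirm the mitigation above took effect on a host, the following added example (not from the V12 advisory or the original article) checks that none of the three modules is loaded and that each has an `install <module> /bin/false` entry in a modprobe configuration directory. The function names are hypothetical, the paths are parameters that default to `/proc/modules` and `/etc/modprobe.d`, and it assumes the code is built as loadable modules, since drivers compiled into the kernel do not appear in `/proc/modules`.

```bash
#!/bin/sh
# Added example: audit the esp4/esp6/rxrpc module mitigation.
# File and directory arguments exist so the checks can run on constructed samples.
MODULES="esp4 esp6 rxrpc"

# Print each of $MODULES that is listed as loaded in a /proc/modules-format file.
loaded_modules() {
    proc_modules=${1:-/proc/modules}
    for m in $MODULES; do
        # The first field of every /proc/modules line is the module name.
        awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' "$proc_modules" \
            && printf '%s\n' "$m"
    done
    return 0
}

# Succeed if any *.conf in the directory has an active "install <module> /bin/false".
# Commented-out entries do not match because their first field is not "install".
is_blocked() {
    module=$1
    conf_dir=${2:-/etc/modprobe.d}
    for f in "$conf_dir"/*.conf; do
        [ -f "$f" ] || continue
        awk -v m="$module" '
            $1 == "install" && $2 == m && $3 == "/bin/false" { found = 1 }
            END { exit !found }' "$f" && return 0
    done
    return 1
}

# Print one status line per module; return 0 only if none is loaded and all are blocked.
audit_mitigation() {
    proc_modules=${1:-/proc/modules}
    conf_dir=${2:-/etc/modprobe.d}
    rc=0
    loaded=$(loaded_modules "$proc_modules")
    for m in $MODULES; do
        state=unloaded
        case " $(echo $loaded) " in *" $m "*) state=LOADED; rc=1 ;; esac
        if is_blocked "$m" "$conf_dir"; then block=blocked; else block=NOT-BLOCKED; rc=1; fi
        printf '%s: %s, %s\n' "$m" "$state" "$block"
    done
    return $rc
}
```

Calling `audit_mitigation` with no arguments checks the live host; a non-zero exit status means at least one module is still loaded or can still be auto-loaded.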

After running the exploit in a test environment, administrators must drop the page cache before further use:

```bash
echo 1 | tee /proc/sys/vm/drop_caches
```

On Ubuntu systems, AppArmor’s unprivileged user namespace restrictions provide some default protection, but they can be bypassed through chained vulnerabilities.

System administrators should apply the official kernel patch immediately and restrict ESP module loading on any unpatched hosts.

Given the public availability of a one-command exploit, the window for safe remediation is extremely narrow.

The post Fragnesia Linux Flaw Allows Root Privilege Escalation, PoC Released appeared first on Cyber Security News.