
Linux administrators have barely had time to recover from Copy Fail and Dirty Frag — and now there's a third exploit joining the same dangerous family. Security researchers at V12 Security have disclosed Fragnesia, a new Linux kernel local privilege escalation (LPE) vulnerability that gives any unprivileged local user a reliable, deterministic path to root — without needing a single host-level privilege to pull it off.
The timing couldn't be worse. As we covered here on Cyber Kendra, Copy Fail (CVE-2026-31431) — a 732-byte Python script that roots virtually every major Linux distribution since 2017 — dropped on April 29. Just one week later, Dirty Frag (CVE-2026-43284 / CVE-2026-43500), discovered by Korean researcher Hyunwoo Kim, chained two separate kernel bugs to deliver the same devastating outcome. Now, Fragnesia arrives as an unintended consequence of one of the very patches meant to fix Dirty Frag — a bitter irony that underscores just how fragile this surface area of the kernel has become.
What Makes Fragnesia Different
Fragnesia was discovered by William Bowling and the V12 team using their agentic security tooling, V12. Like its predecessors, it targets the Linux kernel's XFRM ESP-in-TCP subsystem — the component responsible for handling IPsec (encrypted network traffic) over TCP connections. The core bug is a logic flaw in how the kernel handles shared page fragments during socket buffer (skb) coalescing: the skb "forgets" that a fragment is shared, hence the name.
The attack is methodical and requires no race condition whatsoever. Here's what happens under the hood:
The exploit first calls unshare() to carve out an isolated user and network namespace — a standard unprivileged operation — which grants it CAP_NET_ADMIN (network administration capability) within that bubble, without any real privileges on the host. It then installs a crafted ESP security association using a known AES-128-GCM key.
Next, it builds a 256-entry lookup table mapping every possible keystream byte to a specific cryptographic nonce value. With that table in hand, the exploit splices file pages directly from the target binary — /usr/bin/su — into a TCP socket buffer before enabling ESP-in-TCP mode.
When the socket transitions into espintcp ULP (Upper Layer Protocol) mode, the kernel attempts to decrypt the queued data in-place. The result: the AES-GCM keystream is XORed directly into the kernel's page cache copy of the file, flipping exactly the bytes the attacker wants.
The exploit repeats this for each byte that needs changing, effectively overwriting the first 192 bytes of su with a small ELF stub that calls setresuid(0,0,0) and executes /bin/sh. Running su then drops you into a root shell. The on-disk binary is never touched — the corruption lives entirely in memory.
Who Is Affected
All Linux kernel versions affected by Dirty Frag are also affected by Fragnesia — specifically, any kernel without the patch published to the netdev mailing list on May 13, 2026. The exploit has been confirmed working on Ubuntu 22.04/24.04-era kernels (tested on 6.8.0-111-generic). Ubuntu's default AppArmor restrictions on unprivileged user namespaces can raise the bar slightly, but the README accompanying V12's proof-of-concept is explicit: that restriction only requires one additional bypass step and is out of scope for the vulnerability itself.
Microsoft has previously noted active in-the-wild exploitation of related techniques, observing campaigns that gain SSH access and immediately escalate privileges via su — a pattern consistent with both Dirty Frag and now Fragnesia.
What You Should Do Right Now
The mitigation is the same as for Dirty Frag. If your systems don't depend on IPsec ESP or the RxRPC protocol, disabling the vulnerable modules is the fastest interim fix:
rmmod esp4 esp6 rxrpc
printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' \
  > /etc/modprobe.d/fragnesia.conf
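One way to confirm the module mitigation above took effect, as an added example that is not from the original article or the V12 repository: for each of esp4, esp6 and rxrpc it reports whether the module is still loaded, built into the kernel (where rmmod and modprobe.d rules do not apply), blocked, or still loadable. The function names and status labels are this example's own, and it assumes the standard /proc/modules and modules.builtin formats.

```shell
#!/bin/sh
# Added example: audit the esp4/esp6/rxrpc mitigation. File locations are
# parameters so the logic can be run against constructed files.
MODULES="esp4 esp6 rxrpc"

# Resident now: the first field of each /proc/modules line is the module name.
is_loaded() {
    [ -r "$2" ] && awk -v m="$1" '$1 == m { f = 1 } END { exit !f }' "$2"
}

# Compiled into the kernel image: rmmod and modprobe.d rules cannot remove it.
is_builtin() {
    [ -r "$2" ] && grep -q "/$1\.ko\$" "$2"
}

# An uncommented "install <mod> /bin/false" line in any *.conf blocks loading.
is_blocked() {
    cat "$2"/*.conf 2>/dev/null |
        awk -v m="$1" '$1 == "install" && $2 == m && $3 == "/bin/false" { f = 1 }
                       END { exit !f }'
}

# module_status MOD PROC_MODULES MODPROBE_DIR BUILTIN_LIST
# Prints loaded | builtin | blocked | loadable (first match wins).
module_status() {
    if   is_loaded  "$1" "$2"; then echo loaded
    elif is_builtin "$1" "$4"; then echo builtin
    elif is_blocked "$1" "$3"; then echo blocked
    else echo loadable   # not resident, but nothing stops it being loaded
    fi
}

# audit PROC_MODULES MODPROBE_DIR BUILTIN_LIST
# Returns 0 only when every module is absent and blocked.
audit() {
    rc=0
    for m in $MODULES; do
        s=$(module_status "$m" "$1" "$2" "$3")
        printf '%-6s %s\n' "$m" "$s"
        [ "$s" = blocked ] || rc=1
    done
    return "$rc"
}

# Only /etc/modprobe.d is inspected here, matching the file written above.
audit /proc/modules /etc/modprobe.d "/lib/modules/$(uname -r)/modules.builtin" ||
    echo "mitigation incomplete: a module is loaded, built in, or not blocked"
```

A `loaded` result after running rmmod usually means the module is in use and was not removed; a `builtin` result means only a patched kernel closes the exposure.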
If you believe a system has already been exploited, the modified /usr/bin/su lives only in the page cache. Clear it before anyone else runs su:
echo 1 | tee /proc/sys/vm/drop_caches
Or simply reboot. Apply kernel patches from your distribution vendor as they become available — the upstream patch for this specific bug landed on May 13, 2026.
Three critical Linux LPEs in two weeks is not a coincidence — it's a signal that this region of the kernel has been underexamined for a long time. Keep an eye on your patch feeds.
Fragnesia was discovered by William Bowling and the V12 team. Technical details and a proof-of-concept are available in the V12 Security GitHub repository.