AlmaLinux: Fragnesia (CVE-2026-46300) vulnerability fix in testing
A third Linux kernel local-root flaw has been disclosed: Fragnesia. Like Copy Fail & Dirty Frag, Fragnesia gives root on all major distributions.
AlmaLinux just anounced the following:
Less than a week after Dirty Frag, researcher William Bowling of the V12 security team has disclosed a third Linux kernel local-root flaw in the same broad code area (IPsec ESP / rxrpc) that they have named Fragnesia, tracked as CVE-2026-46300. The proof-of-concept is published in V12’s pocs repository on GitHub and the upstream patch was posted to the netdev mailing list earlier today.
Fragnesia is a separate bug from Dirty Frag, but it lives in the same surface and chains through the same modules (esp4, esp6, rxrpc). The underlying flaw is in the core socket-buffer code: skb_try_coalesce() failed to propagate the SKBFL_SHARED_FRAG marker when transferring paged fragments between buffers, so the kernel could lose track of the fact that a fragment was externally backed (e.g. by page-cache pages spliced in from a file). The XFRM ESP-in-TCP receive path would then perform in-place AES-GCM decryption directly over those page-cache pages, allowing an unprivileged process to XOR a chosen keystream into read-only files such as /usr/bin/su and gain root.
Like Copy Fail and Dirty Frag before it, Fragnesia immediately yields root on all major distributions. Every supported AlmaLinux release is affected. The flaw is tracked as CVE-2026-46300, and the proof-of-concept is already public.
Updated kernels are currently in the AlmaLinux testing DNF repositories, as mentioned in the original article.
However: The BlueOnyx Swatch Hotfix we recently published to counter Dirty Frag & Copy Fail 2 by blacklisting the esp4 and esp6 module already partially mitigates this issue, although we did not specifically blacklist the rxrpc module.