How to protect your Linux server from Fragnesia (CVE-2026-46300)

What is Fragnesia?

Fragnesia (CVE-2026-46300) is a local privilege escalation vulnerability in the Linux kernel with a CVSS score of 7.8. It was disclosed on May 13, 2026 and emerged as a result of an incomplete fix for Dirty Frag.

The flaw lives in the kernel's skb_try_coalesce() function: when transferring paged fragments between buffers, it fails to propagate the SKBFL_SHARED_FRAG marker. The kernel loses track of fragments backed by external storage (file-cache pages), letting an attacker chain the operation through the IPsec ESP-in-TCP receive path to XOR a chosen keystream onto read-only files such as /usr/bin/su and gain root.

A public proof-of-concept exists, developed by William Bowling (Zellic) and the V12 security team. No widespread in-the-wild exploitation has been reported, but the risk is high due to ease of exploitation.

Are you affected?

Yes, if you run any of these systems unpatched:

  • AlmaLinux 8, 9, and 10 (including the Kitten 10 branch)
  • CloudLinux 8, 9, and 10
  • Rocky Linux, RHEL, Ubuntu, Debian, and other distributions using modern Linux kernels with the esp4/esp6 modules available

On AlmaLinux 9 and 10 the rxrpc module (via kernel-modules-partner) is also implicated.

How to check your server

uname -r

Compare the output to the patched versions below.

How to mitigate

| Option | Best for | Reboot? | Durable? |
|---|---|---|---|
| Install vendor patched kernel | Everyone, long-term fix | Yes | Yes |
| KernelCare livepatch | Servers running KernelCare | No | Yes |
| Blacklist esp4/esp6/rxrpc modules | While waiting for the patch | No | Temporary |

Option A: vendor patched kernel

Minimum patched versions:

  • AlmaLinux / CloudLinux / Rocky 8: kernel-4.18.0-553.124.3.el8_10
  • AlmaLinux / CloudLinux / Rocky 9: kernel-5.14.0-611.54.5.el9_7
  • AlmaLinux / CloudLinux / Rocky 10: kernel-6.12.0-124.56.3.el10_1
  • Kitten 10: kernel-6.12.0-227.el10
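
The comparison from "How to check your server" can be scripted. The following is an added example, not part of the original article: it classifies a uname -r string against the minimum versions listed above and reports whether esp4, esp6 or rxrpc are loaded. The function names are illustrative, and it assumes Kitten 10 kernels carry a plain .el10 tag while stable 10 kernels carry .el10_N.

```sh
#!/bin/sh
# Added example (not from the original article): classify a kernel release
# against the minimum patched builds listed above. Function names are illustrative.

# Print the minimum fixed version-release for the stream a release belongs to.
min_patched() {
    case "$1" in
        *.el8*)   echo "4.18.0-553.124.3" ;;
        *.el9*)   echo "5.14.0-611.54.5" ;;
        *.el10_*) echo "6.12.0-124.56.3" ;;  # AlmaLinux / CloudLinux / Rocky 10
        *.el10*)  echo "6.12.0-227" ;;       # assumption: Kitten 10 tag has no _N suffix
        *)        return 1 ;;                # stream not listed on this page
    esac
}

# Print "patched", "vulnerable" or "unknown" for a uname -r style string.
kernel_status() {
    min=$(min_patched "$1") || { echo unknown; return 0; }
    cur=${1%%.el*}                           # drop ".el9_7.x86_64" and similar
    lowest=$(printf '%s\n%s\n' "$min" "$cur" | sort -V | head -n 1)
    if [ "$lowest" = "$min" ]; then echo patched; else echo vulnerable; fi
}

# Print which of esp4/esp6/rxrpc appear in a /proc/modules style file.
loaded_risky_modules() {
    awk '$1=="esp4" || $1=="esp6" || $1=="rxrpc" {print $1}' \
        "${1:-/proc/modules}" | sort | paste -sd' ' -
}

rel=$(uname -r)
echo "running kernel $rel: $(kernel_status "$rel")"
if [ -r /proc/modules ]; then
    echo "loaded modules of concern: $(loaded_risky_modules)"
fi
```

A livepatched host keeps its booted uname -r, so confirm those servers with the kcarectl check from Option B rather than this comparison. Distributions without a version listed on this page are reported as unknown.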

If the patched kernel is not yet in your stable channel, install it from the testing channel (AlmaLinux example):

dnf -y install almalinux-release-testing
dnf -y --enablerepo=almalinux-testing upgrade 'kernel*'
reboot

Option B: KernelCare livepatch

kcarectl --update
kcarectl --patch-info | grep CVE-2026-46300

No reboot required.

Option C: module blacklist (temporary workaround)

Disable the vulnerable modules. This breaks IPsec ESP and RxRPC, so use it only on servers that do not depend on those services:

sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/fragnesia.conf"
rmmod esp4 esp6 rxrpc 2>/dev/null; true

After applying the blacklist, drop the page cache:

echo 3 > /proc/sys/vm/drop_caches

Once you install the patched kernel, remove the blacklist:

rm /etc/modprobe.d/fragnesia.conf

After mitigating

  1. Confirm the running kernel with uname -r.
  2. Verify the installed package with rpm -q kernel.
  3. If you use KernelCare, confirm the livepatch with kcarectl --patch-info | grep CVE-2026-46300.
  4. If you applied both the Dirty Frag and Fragnesia blacklist workarounds, remember to remove both /etc/modprobe.d/dirtyfrag.conf and /etc/modprobe.d/fragnesia.conf.

Need help?

Open a ticket at soporte.telecu.cloud and reference: Fragnesia (CVE-2026-46300).
