Linux users are facing a new security threat: a critical vulnerability known as Fragnesia, which allows attackers to gain root privileges. The issue stems from a logic bug in the Linux XFRM ESP-in-TCP subsystem that lets unprivileged local attackers write arbitrary bytes to the kernel page cache of read-only files.

Zellic's head of assurance, William Bowling, who uncovered the vulnerability, also shared a proof-of-concept (PoC) exploit that achieves a memory-write primitive in the kernel. The exploit uses that primitive to corrupt the page cache memory of the /usr/bin/su binary, granting a shell with root privileges on vulnerable systems.

The vulnerability is part of the Dirty Frag class, which affects all Linux kernels released before May 13, 2026. Dirty Frag works by chaining two separate kernel flaws, the xfrm-ESP Page-Cache Write vulnerability and an RxRPC Page-Cache Write security issue, to achieve privilege escalation.

The discovery of Fragnesia comes at a time when Linux distros are still rolling out patches for the Copy Fail vulnerability, which is actively exploited in the wild. The U.S. cybersecurity agency, CISA, has added Copy Fail to its catalog of exploited flaws and ordered federal agencies to secure their Linux systems within two weeks.

The recent spate of vulnerabilities highlights the ongoing challenges in securing Linux systems. Linux users are advised to apply kernel updates as soon as possible. Those who can't immediately patch their devices should use the same mitigation as for Dirty Frag: commands that remove the vulnerable kernel modules. Note, however, that this will break AFS distributed network file systems and IPsec VPNs.

The Linux community is actively working to address these issues, but the rapid pace of new exploits and vulnerabilities underscores the need for constant vigilance and proactive security measures.
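
A read-only check for the module-removal mitigation mentioned above, as an added example that is not part of the original article: it reports whether each module is still loaded and whether modprobe is configured to refuse it. The module names (esp4, esp6, rxrpc) are an assumption inferred from the subsystems named above, since the article does not list them; take the authoritative list from your distribution's advisory.

```shell
#!/bin/sh
# Audit whether kernel modules are unloaded AND blocked from being loaded again.
# MODULES is an assumption (the article does not name the modules); override it
# with the list from your distribution's advisory.
MODULES="${MODULES:-esp4 esp6 rxrpc}"

# module_status NAME [PROC_MODULES_FILE] [MODPROBE_DIR]
# Prints one of: loaded | blocked | blacklist-only | open
module_status() {
    mod=$1
    proc=${2:-/proc/modules}
    dir=${3:-/etc/modprobe.d}

    # /proc/modules lists one loaded module per line, name in the first field.
    if [ -r "$proc" ] && awk -v m="$mod" '$1 == m { f = 1 } END { exit !f }' "$proc"; then
        echo loaded
        return
    fi

    # "install <mod> /bin/false" makes modprobe run that command instead of
    # loading the module, which also stops on-demand autoloading.
    # "blacklist <mod>" only suppresses alias matching; an explicit
    # "modprobe <mod>" still loads it, so it is reported separately.
    cat "$dir"/*.conf 2>/dev/null | awk -v m="$mod" '
        $1 ~ /^#/ { next }
        $1 == "install" && $2 == m && $3 ~ /^\/(usr\/)?bin\/(false|true)$/ { hard = 1 }
        $1 == "blacklist" && $2 == m { soft = 1 }
        END { print (hard ? "blocked" : (soft ? "blacklist-only" : "open")) }'
}

# audit [PROC_MODULES_FILE] [MODPROBE_DIR]
# Prints "<module> <status>" per module; returns 1 unless every one is blocked.
audit() {
    rc=0
    for m in $MODULES; do
        s=$(module_status "$m" "$@")
        echo "$m $s"
        [ "$s" = blocked ] || rc=1
    done
    return $rc
}
```

Source the file and run `audit`; any status other than `blocked` means the mitigation is incomplete on that host or can be undone by an explicit module load.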