CVE-2026-46300: Fragnesia Flaw Enables Linux Root Privilege Escalation
- Local attackers can exploit this vulnerability to bypass security controls and gain full root access on vulnerable Linux systems.
- Impacted systems include Linux kernels vulnerable to specific IP fragmentation handling errors, categorized under the Fragnesia vulnerability class.
- Organizations must apply the latest Linux kernel patches immediately and consider disabling unprivileged user namespaces as a temporary workaround.
A significant vulnerability has been identified in the Linux kernel’s network subsystem, specifically targeting the logic responsible for handling IP packet fragmentation. Tracked as CVE-2026-46300, the flaw is colloquially known as “Fragnesia.” This CVE represents a high-risk threat to multi-user environments and cloud infrastructure, as it allows a local user with restricted permissions to achieve Privilege Escalation to root. According to SecurityWeek, the vulnerability shares core characteristics with previous high-profile exploits such as Dirty Frag and Copy Fail, suggesting a recurring weakness in how the kernel manages memory during complex network reassembly tasks.
Technical Analysis of Linux Kernel Fragnesia Vulnerability Impact
The Fragnesia vulnerability resides in the net/ipv4 and net/ipv6 fragmentation handling code. When the Linux kernel receives fragmented packets, it must hold them in a reassembly queue until all fragments arrive and the original datagram can be reconstructed. The flaw is triggered during this reassembly, through a race condition or an integer overflow (two defect classes commonly seen in fragmentation bugs), when a malformed sequence of fragments causes an out-of-bounds write or a use-after-free.
By carefully crafting a sequence of fragmented packets, a local attacker can manipulate kernel memory structures. This manipulation allows the overwriting of security credentials or the hijacking of function pointers within the kernel's process context. Because the network stack runs with the highest level of system authority, successful exploitation grants the attacker full control over the operating system. The impact is particularly severe in containerized environments, where an unprivileged user inside a container could use the flaw to break out and compromise the underlying host.
Comparison to Dirty Frag and Copy Fail
Fragnesia follows in the footsteps of ‘Dirty Frag’ and ‘Copy Fail,’ two previous vulnerabilities that targeted the kernel’s memory management during packet copying and reassembly. These types of flaws are difficult to eliminate entirely because packet fragmentation is inherently complex, involving multiple edge cases for packet size, arrival order, and timeout thresholds. While Dirty Frag focused on specific memory corruption during the fragment overlap phase, Fragnesia appears to exploit the ‘memory accounting’ logic, tricking the kernel into miscalculating the actual size of the reassembled payload.
Detection and Remediation Strategies
Defenders must prioritize identifying vulnerable kernels within their fleet. Because this is a local exploit, the attacker must already hold some form of access, whether through a compromised low-privilege service or a legitimate user account. Monitoring for unusual system calls associated with network socket manipulation is a primary detection method.
How to Detect CVE-2026-46300 Exploit
To determine whether an exploit attempt is occurring, SOC teams should use EDR tools to monitor for suspicious process spawns following unusual network activity on the loopback interface. In particular, a non-root process that triggers a kernel oops or significant memory pressure in the network stack is a strong indicator. SIEM rules can be configured to flag rapid, repetitive bursts of fragments that never complete a datagram, as these may indicate an attacker grooming the kernel heap for the Fragnesia exploit.
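The two detection ideas above, as an added example that is not part of the original article and not tied to any vendor's tooling: a burst detector over netfilter LOG lines (flagging a source on the loopback interface whose fragmented datagrams never receive a final fragment), and a dmesg scanner that attributes kernel oops reports landing in the IP reassembly code to a non-root process. All log lines, the log prefix `NF-FRAG`, the process name `fraggen` and the PID-to-UID table are constructed samples; the netfilter field names (`IN=`, `SRC=`, `ID=`, `MF`, `FRAG:`) and the reassembly function-name prefixes (`ip_frag_`, `ip_defrag`, `inet_frag_`, `ipv6_frag_`, `nf_ct_frag6_`) are real, but the specific frames shown are made up. Getting such fragment lines out of the kernel with a LOG rule and the PID-to-UID map from audit or EDR telemetry are assumptions, not something the article specifies.

```python
"""Added example: fragment-burst and reassembly-oops detection over
constructed sample logs. Not code from the article or any project."""
import re
from collections import defaultdict

# --- constructed sample telemetry --------------------------------------
# Netfilter LOG lines. Field names follow nf_log_ipv4; values are made up.
# Ten single-fragment datagrams from 127.0.0.1 on lo that never complete,
# one complete datagram on lo, and one complete datagram on eth0.
NF_LOG = "\n".join(
    f"[{100 + 0.05 * i:.2f}] NF-FRAG IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 "
    f"LEN=68 ID={4000 + i} MF PROTO=UDP"
    for i in range(10)
) + """
[101.00] NF-FRAG IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 LEN=1500 ID=5000 MF PROTO=UDP
[101.01] NF-FRAG IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 LEN=120 ID=5000 FRAG:185 PROTO=UDP
[100.10] NF-FRAG IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 LEN=1500 ID=77 MF PROTO=UDP
[100.11] NF-FRAG IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 LEN=120 ID=77 FRAG:185 PROTO=UDP
"""

# Constructed dmesg excerpt: one oops inside IP reassembly from an
# unprivileged process, one unrelated trace from PID 1.
DMESG = """\
[105.21] BUG: unable to handle page fault for address: ffff8880a1b2c3d4
[105.21] CPU: 1 PID: 4242 Comm: fraggen Not tainted 6.8.0-example #1
[105.21] Call Trace:
[105.21]  ip_frag_queue+0x3a2/0x9c0
[105.21]  ip_defrag+0x1e4/0x3f0
[105.21]  ip_local_deliver+0x9c/0x100
[120.00] CPU: 0 PID: 1 Comm: systemd Not tainted 6.8.0-example #1
[120.00] Call Trace:
[120.00]  ? do_sys_openat2+0x9b/0x140
"""
PID_UID = {4242: 1000, 1: 0}  # constructed PID -> UID snapshot (assumption)

LINE_RE = re.compile(r"^\[\s*([\d.]+)\]\s+(.*)$")


def parse_nf_log(text):
    """Turn netfilter LOG lines into dicts: t, IN, SRC, ID, MF flag, FRAG offset."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or "SRC=" not in line:
            continue
        rec = {"t": float(m.group(1)), "MF": False, "FRAG": 0}
        for tok in m.group(2).split():
            if "=" in tok:
                k, v = tok.split("=", 1)
                rec[k] = v
            elif tok.startswith("FRAG:"):
                rec["FRAG"] = int(tok[5:])
            elif tok == "MF":
                rec["MF"] = True
        records.append(rec)
    return records


def incomplete_fragment_bursts(records, iface="lo", window=1.0, threshold=8):
    """Per source on `iface`, count datagram IDs that never produced a final
    fragment (one without MF). Return {src: n} where n incomplete datagrams
    were first seen inside a `window`-second span and n >= threshold."""
    first_seen = defaultdict(dict)  # src -> id -> time of first fragment
    completed = defaultdict(set)    # src -> ids whose last fragment arrived
    for r in records:
        if r.get("IN") != iface:
            continue
        src, dgram = r["SRC"], r["ID"]
        first_seen[src].setdefault(dgram, r["t"])
        if not r["MF"]:
            completed[src].add(dgram)
    alerts = {}
    for src, ids in first_seen.items():
        times = sorted(t for d, t in ids.items() if d not in completed[src])
        best, lo = 0, 0
        for hi in range(len(times)):          # sliding window over first-seen times
            while times[hi] - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            alerts[src] = best
    return alerts


OOPS_HDR = re.compile(r"CPU: \d+ PID: (\d+) Comm: (\S+)")
FRAME_RE = re.compile(r"^\[\s*[\d.]+\]\s+(?:\? )?([A-Za-z_][\w.]*)\+0x")
REASSEMBLY = re.compile(r"^(ip_frag_|ip_defrag|inet_frag_|ipv6_frag_|nf_ct_frag6_)")


def parse_oops(text):
    """Split dmesg text into reports: {pid, comm, frames} per 'CPU: .. PID: ..' header."""
    reports, cur = [], None
    for line in text.splitlines():
        hdr = OOPS_HDR.search(line)
        if hdr:
            cur = {"pid": int(hdr.group(1)), "comm": hdr.group(2), "frames": []}
            reports.append(cur)
            continue
        fr = FRAME_RE.match(line)
        if fr and cur is not None:
            cur["frames"].append(fr.group(1))
    return reports


def suspicious_oopses(reports, pid_uid):
    """Reports whose call trace enters IP reassembly and whose PID is non-root."""
    hits = []
    for r in reports:
        uid = pid_uid.get(r["pid"])
        if uid not in (None, 0) and any(REASSEMBLY.match(f) for f in r["frames"]):
            hits.append((r["pid"], r["comm"], uid))
    return hits


if __name__ == "__main__":
    print("fragment bursts:", incomplete_fragment_bursts(parse_nf_log(NF_LOG)))
    print("reassembly oopses:", suspicious_oopses(parse_oops(DMESG), PID_UID))
```

The burst detector keys on datagrams that never see a last fragment rather than on raw fragment rate, so a host that legitimately sends large UDP payloads over loopback does not trip it; the oops scanner needs a PID-to-UID source because the kernel's oops header names the PID and command but not the owner.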
The primary mitigation is to apply the latest security patches provided by your Linux distribution (e.g., Ubuntu, RHEL, Debian). If immediate patching is not feasible, a common mitigation for many kernel-level privilege escalations is to restrict access to unprivileged user namespaces. On kernels carrying the Debian/Ubuntu patch this can be done by setting kernel.unprivileged_userns_clone = 0 via sysctl (upstream kernels do not have that knob and expose user.max_user_namespaces instead), which limits the attack surface available to local users.