Fragnesia: Linux Kernel Flaw Grants Root via Page Cache

A new vulnerability has been disclosed in the Linux kernel, the fourth in the last two weeks. Identified as CVE-2026-46300, it allows an unprivileged user to gain root privileges by overwriting data in the page cache. Known as Fragnesia or Copy Fail 3.0, it is similar to the previously disclosed Copy Fail and Dirty Frag vulnerabilities.

The vulnerability is located in the kernel's xfrm-ESP subsystem and is distinct from Dirty Frag, so it requires a separate fix. A working exploit has been made available for analysis.

The vulnerability affects Linux kernels released after May 5 and results from the accidental activation of the Dirty Frag patch. A fix for Fragnesia has been proposed for the Linux kernel; however, further analysis showed that the initial fix was insufficient, and a second version of the patch is being prepared.

The vulnerability resides in the xfrm subsystem, in the implementation of ESP encapsulation in TCP (ESP-in-TCP), which is used to tunnel IPsec traffic over TCP. An error in the operation of the AES-GCM algorithm makes it possible to overwrite one byte in the page cache at a chosen offset, which in turn allows the contents of a file in the page cache to be manipulated.

Exploitation alters the page cache copy of an executable with the setuid-root bit. After the first 192 bytes of /usr/bin/su in the page cache are overwritten with code that executes /usr/bin/sh, launching the "su" utility loads the modified copy from the page cache rather than the original executable from disk.
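Because the attack leaves the file on disk untouched and only the page cache diverges, a defender can detect it by comparing the cached bytes with a read that bypasses the cache. The following check is an added example, not code from the article or the disclosure: it reads the first 192 bytes of a setuid binary once through the normal (page-cached) path and once with O_DIRECT, and reports any differing offsets. It assumes Linux, a filesystem that supports O_DIRECT, and read access to the binary; the path and length are only defaults.

```python
import mmap
import os

PAGE = mmap.PAGESIZE


def find_divergence(cached: bytes, on_disk: bytes) -> list:
    """Offsets at which the cached bytes differ from the on-disk bytes.

    A length mismatch is reported as a single divergence at the shorter length.
    """
    n = min(len(cached), len(on_disk))
    diffs = [i for i in range(n) if cached[i] != on_disk[i]]
    if len(cached) != len(on_disk):
        diffs.append(n)
    return diffs


def read_buffered(path: str, length: int) -> bytes:
    """Normal read: served from the page cache, i.e. what execve() would map."""
    with open(path, "rb") as f:
        return f.read(length)


def read_direct(path: str, length: int) -> bytes:
    """Read bypassing the page cache with O_DIRECT (Linux only).

    O_DIRECT requires a page-aligned buffer and a page-multiple size, so the
    request is rounded up and placed in an anonymous mmap, which is aligned.
    """
    size = -(-length // PAGE) * PAGE
    fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
    try:
        buf = mmap.mmap(-1, size)
        try:
            n = os.readv(fd, [buf])          # short read at EOF is fine
            return bytes(buf[:min(n, length)])
        finally:
            buf.close()
    finally:
        os.close(fd)


def check_setuid_binary(path: str = "/usr/bin/su", length: int = 192) -> list:
    """Return the offsets where the page cache copy no longer matches the disk.

    An empty list means the cached header matches the file; any offset means
    the in-memory copy has been altered and the host needs investigation.
    """
    return find_divergence(read_buffered(path, length), read_direct(path, length))


if __name__ == "__main__":
    print(check_setuid_binary())
```

A non-empty result is a strong tampering signal, but an empty one is not proof of a clean host: the check only covers the bytes it compares, and a subsequent page-cache eviction would erase the evidence, so it should be run promptly and complemented by package-manager hash verification.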
