"Fragnesia": Microsoft warns of another privilege escalation in Linux
Microsoft warns of another variant of the CopyFail vulnerability called "Fragnesia" in the Linux kernel. It grants root privileges.
(Image: Tux by Larry Ewing/GIMP / heise medien)
Microsoft is currently warning of another version of the privilege escalation vulnerability in the Linux kernel called “Fragnesia,” known as “Copy Fail”. With this, attackers can also gain root privileges on the system.
As Microsoft explains on Bluesky, this is another variant of the “Dirty Frag” vulnerability that became known last weekend. The XFRM-ESP subsystem is again affected in IPsec. “Fragnesia” exploits a vulnerability in XFRM ESP-in-TCP to gain write access to kernel memory. The attack manipulates the page cache entry of the “/usr/bin/su” file, which can then be used to start a shell with root privileges (CVE-2026-46300, CVSS according to Red Hat 7.8, risk “high” – classification by Ubuntu confirms).
The actual discoverer of the vulnerability is William Bowling, who comes from the company Zellic, which searches for vulnerabilities with the AI tool “V12”. He has created a project on GitHub that also includes an exploit for the vulnerability.
Countermeasures and Source Code Fixes
There, Bowling provides a detailed explanation of the vulnerability. On May 13, 2026, he sent a patch to the netdev kernel mailing list, which adds two lines and is intended to fix the problem. The (temporary) countermeasures against “Dirty Frag” until an updated kernel is available also help against “Fragnesia”: unloading the vulnerable kernel modules using rmmod esp4 esp6 rxrpc and blacklisting the modules using printf 'install esp4 /bin/falseinstall esp6 /bin/falseinstall rxrpc /bin/false' > /etc/modprobe.d/dirtyfrag.conf. However, those who rely on IPsec need a kernel with the patches.
Videos by heise
More Vulnerability Reports of the Same Kind
Due to the increasing use of AI-assisted vulnerability searching, the same security vulnerabilities are now being found and reported multiple times, including through the analysis of recent kernel patches. The media attention for the first security vulnerabilities of this kind, each with its own code names and occasionally its own images and logos, leads to a cluster of such reports, which can currently be observed. To report only the essential problems, we will limit future reports to vulnerabilities in Linux that have practical relevance, for example, through misuse in the wild, or that otherwise stand out interestingly.
(dmk)
