Bug 2477015 (CVE-2026-46300)

Summary: CVE-2026-46300 kernel: "Fragnesia" is a variant of Dirty Frag vulnerability in the ESP/XFRM leading to Local Privilege Escalation (LPE) vulnerability in the Linux kernel
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: akoudelk, alcohan, alinfoot, asoldano, astupnik, bbaranow, bbrownin, bdettelb, bmaxwell, bstansbe, cchiang, dlofthou, doconnor, dtrifiro, dymurray, eric.eisenhart, fdeutsch, fmariani, gmalinko, gparvin, istudens, ivassile, iweiss, janstey, jbalunas, jkoehler, jmatthew, jmitchel, jwon, kbempah, kevinxue, kgrant, kshier, lbragsta, lchilton, lphiri, manissin, mcarlett, mosmerov, msvehla, nwallace, oarribas, oramraz, pahickey, pberan, pbohmill, pdelbell, pesilva, pjindal, pjs1, pmackay, rbryant, rhaigner, rhel-process-autobot, rjohnson, rkeshri, rstancel, rstepani, sfeifer, shalygin.k, smaestri, smullick, solenoci, stirabos, tcunning, teagle, thason, thjenkin, vdosoudi, victor.cardoso, villapla, watson-tool-maintainers, weaton, wenshen, whayutin, xiyuan, yfang
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in the Linux kernel's XFRM ESP-in-TCP subsystem. Unsafe in-place cryptographic processing allows a low-privileged local attacker to write arbitrary bytes into the page cache of read-only files, including sensitive system files. An attacker can exploit this to overwrite privileged binaries and gain root privileges.

Description OSIDB Bzimport 2026-05-13 13:40:58 UTC
Fragnesia is a universal Linux local privilege escalation exploit, discovered by William Bowling with the V12 team. Fragnesia is a member of the Dirty Frag vulnerability class. This is a separate bug in the ESP/XFRM from dirtyfrag which has received its own patch. However, it is in the same surface and the mitigation is the same as for dirtyfrag.

It abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve arbitrary byte writes into the kernel page cache of read-only files, without requiring any race condition.

The technique extends the page-cache write bug class that includes Dirty Pipe: when a TCP socket transitions to espintcp ULP mode after data has already been spliced from a file into the receive queue, the kernel processes the queued file pages as ESP ciphertext. The AES-GCM keystream byte at counter block position 2, byte 0 is XORed directly into the cached file page. By selecting the IV nonce to produce a desired keystream byte, any target byte in the file can be set to any value — one byte per trigger invocation.

The exploit builds a 256-entry lookup table mapping each possible keystream byte to its corresponding nonce, then iterates over a payload, firing the splice/ULP race for each byte that needs changing. It writes a small position-independent ELF stub (setresuid/setresgid/execve /bin/sh) over the first 192 bytes of /usr/bin/su in the page cache, then calls execve("/usr/bin/su") to obtain a root shell. The page cache modification is not backed to disk; the on-disk binary is untouched.
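
A defensive check that follows from the description above, since the tampering lives only in the page cache while the on-disk binary is untouched (added example, not part of this bug report or of any Red Hat tooling): hash a file once through ordinary buffered reads and once with O_DIRECT, and flag a difference. The function names are hypothetical, and the check assumes the filesystem accepts O_DIRECT reads and that nothing is legitimately writing the file while it runs.

```python
import hashlib
import mmap
import os
import sys

CHUNK = 1 << 20  # 1 MiB: a multiple of common block sizes, as O_DIRECT requires


def cached_digest(path):
    """SHA-256 of the file as buffered reads see it (the page-cache view)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def direct_digest(path):
    """SHA-256 of the file read with O_DIRECT, i.e. from backing storage."""
    h = hashlib.sha256()
    fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
    buf = mmap.mmap(-1, CHUNK)  # anonymous mapping, so the buffer is page-aligned
    try:
        while True:
            n = os.readv(fd, [buf])  # short read only at end of file
            if n == 0:
                break
            h.update(buf[:n])
    finally:
        buf.close()
        os.close(fd)
    return h.hexdigest()


def check(path):
    """Return 'match', 'MISMATCH', or 'unsupported' (file cannot be read directly)."""
    try:
        on_disk = direct_digest(path)
    except OSError:
        return "unsupported"  # e.g. filesystem rejects O_DIRECT, or open failed
    return "match" if cached_digest(path) == on_disk else "MISMATCH"


if __name__ == "__main__":
    # Default target is the binary named in the description; pass others as arguments.
    for p in sys.argv[1:] or ["/usr/bin/su"]:
        print(check(p), p)
```

A MISMATCH on a file that is not being updated means the cached copy being executed differs from what is stored on disk.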

Comment 4 errata-xmlrpc 2026-05-20 04:05:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:19521 https://access.redhat.com/errata/RHSA-2026:19521

Comment 5 errata-xmlrpc 2026-05-20 06:48:55 UTC
This issue has been addressed in the following products:

  NVIDIA for RHEL 10

Via RHSA-2026:19540 https://access.redhat.com/errata/RHSA-2026:19540

Comment 6 errata-xmlrpc 2026-05-20 12:15:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:19569 https://access.redhat.com/errata/RHSA-2026:19569

Comment 7 errata-xmlrpc 2026-05-20 12:57:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:19568 https://access.redhat.com/errata/RHSA-2026:19568

Comment 8 errata-xmlrpc 2026-05-20 13:01:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:19664 https://access.redhat.com/errata/RHSA-2026:19664

Comment 9 errata-xmlrpc 2026-05-20 13:18:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:19666 https://access.redhat.com/errata/RHSA-2026:19666

Comment 10 errata-xmlrpc 2026-05-20 14:21:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:19705 https://access.redhat.com/errata/RHSA-2026:19705

Comment 11 errata-xmlrpc 2026-05-20 15:44:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:19711 https://access.redhat.com/errata/RHSA-2026:19711

Comment 12 errata-xmlrpc 2026-05-20 23:34:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:19875 https://access.redhat.com/errata/RHSA-2026:19875

Comment 13 errata-xmlrpc 2026-05-21 07:28:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:20051 https://access.redhat.com/errata/RHSA-2026:20051

Comment 14 errata-xmlrpc 2026-05-21 12:37:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:20130 https://access.redhat.com/errata/RHSA-2026:20130

Comment 15 errata-xmlrpc 2026-05-21 13:26:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:20054 https://access.redhat.com/errata/RHSA-2026:20054

Comment 16 errata-xmlrpc 2026-05-21 14:04:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:20129 https://access.redhat.com/errata/RHSA-2026:20129

Comment 17 errata-xmlrpc 2026-05-21 17:47:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:20299 https://access.redhat.com/errata/RHSA-2026:20299

Comment 19 errata-xmlrpc 2026-05-26 05:47:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:20593 https://access.redhat.com/errata/RHSA-2026:20593

Comment 20 Keith Grant 2026-05-26 13:12:08 UTC
@oarribas, our manifesting tools didn't identify those versions, but they're almost certainly affected. Would you please verify for me the versions of RHEL they're based on? I'll add them to the flaw and file trackers if necessary.

Comment 23 errata-xmlrpc 2026-06-03 14:16:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2026:21656 https://access.redhat.com/errata/RHSA-2026:21656

Comment 24 errata-xmlrpc 2026-06-03 16:21:23 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.20

Via RHSA-2026:21702 https://access.redhat.com/errata/RHSA-2026:21702

Comment 25 errata-xmlrpc 2026-06-04 16:33:18 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2026:21690 https://access.redhat.com/errata/RHSA-2026:21690

Comment 26 errata-xmlrpc 2026-06-04 16:59:25 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2026:21695 https://access.redhat.com/errata/RHSA-2026:21695

Comment 27 errata-xmlrpc 2026-06-04 21:14:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:23469 https://access.redhat.com/errata/RHSA-2026:23469

Comment 28 errata-xmlrpc 2026-06-04 21:18:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions

Via RHSA-2026:23471 https://access.redhat.com/errata/RHSA-2026:23471

Comment 29 errata-xmlrpc 2026-06-04 21:33:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:23470 https://access.redhat.com/errata/RHSA-2026:23470

Comment 30 errata-xmlrpc 2026-06-04 21:34:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:23468 https://access.redhat.com/errata/RHSA-2026:23468

Comment 31 errata-xmlrpc 2026-06-09 13:40:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions

Via RHSA-2026:24814 https://access.redhat.com/errata/RHSA-2026:24814

Comment 32 errata-xmlrpc 2026-06-10 09:16:28 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.19

Via RHSA-2026:23245 https://access.redhat.com/errata/RHSA-2026:23245

Comment 33 errata-xmlrpc 2026-06-11 07:53:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2026:23233 https://access.redhat.com/errata/RHSA-2026:23233

Comment 34 errata-xmlrpc 2026-06-11 09:37:28 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.21

Via RHSA-2026:23240 https://access.redhat.com/errata/RHSA-2026:23240

Comment 35 errata-xmlrpc 2026-06-18 15:07:58 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2026:25044 https://access.redhat.com/errata/RHSA-2026:25044

Comment 37 errata-xmlrpc 2026-06-30 11:28:40 UTC
This issue has been addressed in the following products:

  NVIDIA for RHEL 10

Via RHSA-2026:33486 https://access.redhat.com/errata/RHSA-2026:33486

Comment 38 errata-xmlrpc 2026-07-01 11:16:16 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2026:28887 https://access.redhat.com/errata/RHSA-2026:28887