Fragnesia is a universal Linux local privilege escalation exploit, discovered by William Bowling with the V12 team. Fragnesia is a member of the Dirty Frag vulnerability class. This is a separate bug in the ESP/XFRM from dirtyfrag which has received its own patch. However, it is in the same surface and the mitigation is the same as for dirtyfrag.

It abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve arbitrary byte writes into the kernel page cache of read-only files, without requiring any race condition. The technique extends the page-cache write bug class that includes Dirty Pipe: when a TCP socket transitions to espintcp ULP mode after data has already been spliced from a file into the receive queue, the kernel processes the queued file pages as ESP ciphertext. The AES-GCM keystream byte at counter block position 2, byte 0 is XORed directly into the cached file page. By selecting the IV nonce to produce a desired keystream byte, any target byte in the file can be set to any value — one byte per trigger invocation.

The exploit builds a 256-entry lookup table mapping each possible keystream byte to its corresponding nonce, then iterates over a payload, firing the splice/ULP race for each byte that needs changing. It writes a small position-independent ELF stub (setresuid/setresgid/execve /bin/sh) over the first 192 bytes of /usr/bin/su in the page cache, then calls execve("/usr/bin/su") to obtain a root shell. The page cache modification is not backed to disk; the on-disk binary is untouched.
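Because the description says the change lives only in the page cache while the on-disk binary stays intact, a defender can look for it by comparing a buffered read with an `O_DIRECT` read of the same file. The following is an added detection sketch, not code from this bug report or from the exploit; the function names are hypothetical, and it assumes a Linux filesystem that accepts `O_DIRECT`.

```python
import mmap
import os

CHUNK = 1 << 20  # read size; a multiple of common logical block sizes (assumption)

def read_cached(path):
    # Buffered read: returns what the page cache holds, i.e. what execve() would map.
    with open(path, "rb") as f:
        return f.read()

def read_direct(path):
    """O_DIRECT read: bypasses the page cache. None if the filesystem refuses it."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
    except (OSError, AttributeError):  # EINVAL on some tmpfs/overlay; non-Linux
        return None
    buf = mmap.mmap(-1, CHUNK)  # anonymous mapping: page-aligned, as O_DIRECT requires
    try:
        size, out = os.fstat(fd).st_size, bytearray()
        while len(out) < size:  # stop at the known size; never read at unaligned EOF
            n = os.readv(fd, [buf])
            if n <= 0:
                break
            out += buf[:n]
        return bytes(out)
    except OSError:
        return None
    finally:
        buf.close()
        os.close(fd)

def diff_ranges(cached, disk):
    """Collapse differing byte offsets into inclusive (start, end) ranges."""
    ranges = []
    for i in range(max(len(cached), len(disk))):
        if cached[i:i + 1] != disk[i:i + 1]:  # slices tolerate unequal lengths
            if ranges and ranges[-1][1] == i - 1:
                ranges[-1] = (ranges[-1][0], i)
            else:
                ranges.append((i, i))
    return ranges

def check(path):
    """None = disk copy unreadable; [] = cache matches disk; else differing ranges."""
    disk = read_direct(path)
    return None if disk is None else diff_ranges(read_cached(path), disk)

if __name__ == "__main__":
    print("/usr/bin/su", check("/usr/bin/su"))  # the file the description names
```

A non-empty result means the cached bytes that would be executed differ from the bytes on disk; for the overwrite described above, the differing ranges would fall within the first 192 bytes of the file.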
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions; Red Hat Enterprise Linux 8.8 Telecommunications Update Service Via RHSA-2026:19521 https://access.redhat.com/errata/RHSA-2026:19521
This issue has been addressed in the following products: NVIDIA for RHEL 10 Via RHSA-2026:19540 https://access.redhat.com/errata/RHSA-2026:19540
This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2026:19569 https://access.redhat.com/errata/RHSA-2026:19569
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:19568 https://access.redhat.com/errata/RHSA-2026:19568
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2026:19664 https://access.redhat.com/errata/RHSA-2026:19664
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2026:19666 https://access.redhat.com/errata/RHSA-2026:19666
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2026:19705 https://access.redhat.com/errata/RHSA-2026:19705
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2026:19711 https://access.redhat.com/errata/RHSA-2026:19711
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions Via RHSA-2026:19875 https://access.redhat.com/errata/RHSA-2026:19875
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support; Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions; Red Hat Enterprise Linux 8.6 Telecommunications Update Service Via RHSA-2026:20051 https://access.redhat.com/errata/RHSA-2026:20051
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support; Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On Via RHSA-2026:20130 https://access.redhat.com/errata/RHSA-2026:20130
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.4 Extended Update Support Via RHSA-2026:20054 https://access.redhat.com/errata/RHSA-2026:20054
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.6 Extended Update Support Via RHSA-2026:20129 https://access.redhat.com/errata/RHSA-2026:20129
This issue has been addressed in the following products: Red Hat Enterprise Linux 10.0 Extended Update Support Via RHSA-2026:20299 https://access.redhat.com/errata/RHSA-2026:20299
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions Via RHSA-2026:20593 https://access.redhat.com/errata/RHSA-2026:20593
@oarribas, our manifesting tools didn't identify those versions, but they're almost certainly affected. Would you please verify for me the versions of RHEL they're based on? I'll add them to the flaw and file trackers if necessary.
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.18 Via RHSA-2026:21656 https://access.redhat.com/errata/RHSA-2026:21656
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.20 Via RHSA-2026:21702 https://access.redhat.com/errata/RHSA-2026:21702
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2026:21690 https://access.redhat.com/errata/RHSA-2026:21690
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2026:21695 https://access.redhat.com/errata/RHSA-2026:21695
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions Via RHSA-2026:23469 https://access.redhat.com/errata/RHSA-2026:23469
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions Via RHSA-2026:23471 https://access.redhat.com/errata/RHSA-2026:23471
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2026:23470 https://access.redhat.com/errata/RHSA-2026:23470
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.6 Extended Update Support Via RHSA-2026:23468 https://access.redhat.com/errata/RHSA-2026:23468
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions Via RHSA-2026:24814 https://access.redhat.com/errata/RHSA-2026:24814
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.19 Via RHSA-2026:23245 https://access.redhat.com/errata/RHSA-2026:23245
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.15 Via RHSA-2026:23233 https://access.redhat.com/errata/RHSA-2026:23233
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.21 Via RHSA-2026:23240 https://access.redhat.com/errata/RHSA-2026:23240
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.16 Via RHSA-2026:25044 https://access.redhat.com/errata/RHSA-2026:25044
This issue has been addressed in the following products: NVIDIA for RHEL 10 Via RHSA-2026:33486 https://access.redhat.com/errata/RHSA-2026:33486