In the Linux kernel, a fourth vulnerability (CVE-2026-46300) has been identified within the last two weeks. It allows an unprivileged user to gain root privileges by overwriting data in the page cache. The vulnerability has been codenamed Fragnesia, or Copy Fail 3.0, and is similar to the previously disclosed Copy Fail and Dirty Frag vulnerabilities. Like Dirty Frag, it exists in the xfrm/ESP subsystem, but it is caused by a different error and requires a separate fix. A working exploit is available.
The vulnerability manifests in Linux kernels released after May 5th, as an accidental side effect of the patch for the Dirty Frag vulnerability. A fix for Fragnesia was proposed for the Linux kernel, but analysis showed it to be insufficient, after which a second patch was prepared.
The vulnerability exists in the xfrm subsystem's implementation of Encapsulating Security Payload (ESP) encapsulation in TCP (ESP-in-TCP, RFC 8229), which is used to tunnel IPsec traffic over TCP. To avoid unnecessary buffering, AES-GCM operations were performed in place by applying an XOR directly to data in the page cache. A logic error created conditions under which a single byte in the page cache could be overwritten at a chosen offset; repeating the operation allowed the contents of any file present in the page cache to be modified byte by byte.
All file reads are served first from the page cache. If the data in the page cache has been modified, reads return the substituted data rather than what is actually stored on the drive. Exploitation therefore consists of modifying the cached pages of an executable with the setuid-root bit set, which is first read so that its contents are loaded into the page cache. In the researchers' exploit, the first 192 bytes of /usr/bin/su in the page cache are overwritten with code that launches /usr/bin/sh. A subsequent execution of the "su" utility loads the modified copy from the page cache rather than the original executable from the drive.
Exploiting Fragnesia requires user namespaces to be available on the system. On Ubuntu this is disabled by default, but it can be enabled via the "kernel.apparmor_restrict_unprivileged_userns=0" sysctl or through AppArmor profiles. In other distributions, access to user namespaces for unprivileged users depends on the "kernel.unprivileged_userns_clone" sysctl (0 means disabled).
Updated Linux kernel releases and distribution kernel packages have not yet been published. The status of fixes in distributions can be tracked on the respective pages: Debian, Ubuntu, SUSE/openSUSE, RHEL, Gentoo, Arch, Fedora. As a workaround, loading of the esp4 and esp6 kernel modules can be blocked:
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 2>/dev/null; true"
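The script below is an added example, not part of the article or the kernel project. It checks the two preconditions the article describes (unprivileged user namespaces and loadable esp4/esp6 modules) and can write the same modprobe.d fragment as the one-liner above. It assumes a Linux host with /proc/sys; the extra user.max_user_namespaces check is a standard kernel sysctl not mentioned in the article.

```shell
#!/bin/sh
# Added example, not from the article or the kernel project. Checks the two
# preconditions described above (unprivileged user namespaces, loadable esp4/esp6)
# and can apply the article's modprobe.d workaround. Assumes Linux with /proc/sys.

# Return 0 when unprivileged user namespaces appear disabled. Arguments: values of
# kernel.unprivileged_userns_clone, kernel.apparmor_restrict_unprivileged_userns
# and user.max_user_namespaces ("" when that sysctl is absent on this kernel).
userns_restricted() {
    [ "$1" = "0" ] && return 0   # Debian-style clone sysctl set to 0
    [ "$2" = "1" ] && return 0   # Ubuntu AppArmor restriction active
    [ "$3" = "0" ] && return 0   # hard limit of zero user namespaces
    return 1                     # no knob blocks unprivileged user namespaces
}
# Return 0 when the modprobe.d fragment at $1 blocks loading of both esp4 and esp6.
esp_blocked_by() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*install[[:space:]]+esp4[[:space:]]+/bin/false' "$1" &&
    grep -Eq '^[[:space:]]*install[[:space:]]+esp6[[:space:]]+/bin/false' "$1"
}
# Write the same fragment as the article's one-liner to $1.
write_esp_block() {
    printf 'install esp4 /bin/false\ninstall esp6 /bin/false\n' > "$1"
}
# Print a sysctl value via /proc/sys, or "" if the kernel does not have it.
read_sysctl() {
    p="/proc/sys/$(printf '%s' "$1" | tr . /)"
    [ -r "$p" ] && cat "$p" || printf ''
}
report() {
    if userns_restricted "$(read_sysctl kernel.unprivileged_userns_clone)" \
            "$(read_sysctl kernel.apparmor_restrict_unprivileged_userns)" \
            "$(read_sysctl user.max_user_namespaces)"; then
        echo "user namespaces: restricted for unprivileged users"
    else
        echo "user namespaces: available to unprivileged users (exploit precondition met)"
    fi
    if esp_blocked_by /etc/modprobe.d/dirtyfrag.conf; then
        echo "esp4/esp6: loading blocked by /etc/modprobe.d/dirtyfrag.conf"
    else
        loaded=$(lsmod 2>/dev/null | awk '$1=="esp4"||$1=="esp6"{print $1}' | tr '\n' ' ')
        echo "esp4/esp6: loading not blocked; currently loaded: ${loaded:-none}"
    fi
}
case "${1:-}" in
    check) report ;;
    apply) write_esp_block /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 2>/dev/null; true ;;
esac
```

Run `sh fragnesia_check.sh check` as any user to see the exposure, and `apply` as root to install the blocklist; as with the one-liner, rmmod fails harmlessly if an ESP state is in use, but the fragment still prevents the modules from being reloaded.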
Source: opennet.ru
