CVE-2026-46300 — Linux kernel: local privilege escalation via xfrm ESP-in-TCP ("Fragnesia"), PoC public
From CTI Daily Brief — 2026-05-15 · published 2026-05-15
CVE-2026-46300 (codename "Fragnesia") is a local privilege escalation vulnerability in the Linux kernel's xfrm IPsec subsystem, specifically in the ESP-over-TCP code path that provides NAT traversal fallback for IPsec connections (Wiz Research, 2026-05-13 · Help Net Security, 2026-05-14). The vulnerability was discovered by William Bowling of Zellic.io using Zellic's AI-agentic source code auditing tool; Wiz Research (whose researcher Hyunwoo Kim had previously discovered the related Dirty Frag vulnerability family) published the technical writeup. A working proof-of-concept demonstrating escalation from an unprivileged local user to root on unpatched kernels has been released (hosted at github.com/v12-security/pocs).

Exploitation requires local code execution on the target — there is no known remote exploitation path absent a prior foothold or a co-chained remote vulnerability (e.g., an RCE that drops a low-privilege shell). Fragnesia is therefore primarily relevant as a post-compromise privilege-escalation primitive and as a tenant-isolation breakout risk in shared compute environments: VPS and bare-metal hosting providers, university Linux clusters, multi-tenant cloud workloads running on shared kernels, and container environments where the kernel namespace boundary can be crossed. MITRE ATT&CK: T1068 (Exploitation for Privilege Escalation). No in-the-wild exploitation reported as of 2026-05-15.

Affected: Linux kernels shipping the xfrm ESP-in-TCP implementation across the 5.x and 6.x LTS series — consult your distribution's security bulletin for the exact affected package version range. Patches are available as of 2026-05-15 from upstream Linux and the major distribution vendors (Ubuntu, Debian, RHEL, SUSE); apply the available kernel update and reboot.
Interim workaround: disable the xfrm_espintcp kernel module where IPsec ESP-over-TCP is not operationally required (modprobe -r esp6_offload esp4_offload where applicable); also consider restricting the CAP_NET_ADMIN capability to reduce the xfrm attack surface in multi-tenant environments.
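Added triage helper (not from the brief, Wiz or Zellic): it decides, from a kernel config, `ip xfrm state` output and `lsmod` output, whether a host has the ESP-in-TCP code path at all and whether the interim workaround can be applied without breaking a live IPsec tunnel. CONFIG_INET_ESPINTCP / CONFIG_INET6_ESPINTCP and the "encap type espintcp" line are the upstream kernel and iproute2 names for ESP-in-TCP; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not the brief's own tooling): offline triage for CVE-2026-46300.
# Checks take text inputs so they run against constructed samples or collected
# fleet artefacts; pass --live to read the current host instead.

# True when the kernel was built with ESP-in-TCP support
# (CONFIG_INET_ESPINTCP / CONFIG_INET6_ESPINTCP are the upstream Kconfig symbols).
espintcp_built() {
    printf '%s\n' "$1" | grep -Eq '^CONFIG_INET6?_ESPINTCP=y$'
}

# True when an installed xfrm state uses TCP encapsulation, i.e. ESP-over-TCP
# is operationally in use and unloading would break a live tunnel.
espintcp_in_use() {
    printf '%s\n' "$1" | grep -q 'encap type espintcp'
}

# True when either module named in the brief's workaround is loaded.
offload_modules_loaded() {
    printf '%s\n' "$1" | awk '$1 == "esp4_offload" || $1 == "esp6_offload" { f = 1 } END { exit !f }'
}

# One verdict per host from the three inputs (config, xfrm states, lsmod).
triage() {
    if ! espintcp_built "$1"; then
        echo NOT_EXPOSED          # ESP-in-TCP code path absent from this build
    elif espintcp_in_use "$2"; then
        echo IN_USE_PATCH_ONLY    # tunnels depend on it: patch and reboot, no unload
    elif offload_modules_loaded "$3"; then
        echo UNLOAD_MODULES       # idle feature, modules loaded: modprobe -r is safe
    else
        echo MODULES_NOT_LOADED   # idle feature, nothing to unload; patch remains
    fi
}

# Constructed samples standing in for /boot/config-$(uname -r), ip xfrm state, lsmod.
SAMPLE_CONFIG='CONFIG_XFRM=y
CONFIG_INET_ESPINTCP=y
CONFIG_INET6_ESPINTCP=y'
SAMPLE_STATES_ACTIVE='src 203.0.113.10 dst 203.0.113.20
    proto esp spi 0x0a1b2c3d reqid 1 mode tunnel
    encap type espintcp sport 4500 dport 4500 addr 0.0.0.0'
SAMPLE_LSMOD='Module                  Size  Used by
esp4_offload           16384  0
xfrm_algo              16384  1 esp4'

if [ "${1:-}" = "--live" ]; then   # reading xfrm state needs CAP_NET_ADMIN
    cfg=$(cat "/boot/config-$(uname -r)" 2>/dev/null || zcat /proc/config.gz 2>/dev/null)
    triage "$cfg" "$(ip xfrm state 2>/dev/null)" "$(lsmod 2>/dev/null)"
else
    triage "$SAMPLE_CONFIG" "" "$SAMPLE_LSMOD"                     # UNLOAD_MODULES
    triage "$SAMPLE_CONFIG" "$SAMPLE_STATES_ACTIVE" "$SAMPLE_LSMOD" # IN_USE_PATCH_ONLY
fi
```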
CVE Summary Table
| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-20182 | Cisco Catalyst SD-WAN Controller / Manager | 10.0 (v3.1) | n/a | Yes (2026-05-14) | Yes — UAT-8616 + 10+ clusters | 20.9.9.1 / 20.12.7.1 / 20.15.5.2 | Cisco PSIRT |
| CVE-2026-42945 | NGINX Open Source 0.6.27–1.30.0; NGINX Plus R32–R36; NGINX Ingress Controller, Gateway Fabric, F5 WAF/App Protect | 9.2 (v4.0) / 8.1 (v3.1) | n/a | No | No (PoC public) | NGINX OS 1.30.1 / Plus R36 P4 | depthfirst / NCSC-CH |
| CVE-2026-46300 | Linux kernel xfrm ESP-in-TCP subsystem ("Fragnesia") — LPE, local only | n/a | n/a | No | No (PoC public) | Distro kernel updates (2026-05-13+) | Wiz Research |
| CVE-2026-45793 | PHP Composer (1.x, 2.x) — GitHub Actions token disclosure in error output | n/a | n/a | No | No | Composer 2.9.8 / 2.2.28 / 1.10.28 | Packagist blog |