ctipilot.ch

Fragnesia — Linux kernel xfrm ESP-in-TCP local privilege escalation (PoC public)

cve · CVE-2026-46300

Coverage timeline: 1 (first 2026-05-15 → last 2026-05-15)
Briefs: 1 (1 distinct)
Sources cited: 2 (2 hosts)
Sections touched: 1 (trending_vulnerabilities)
Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-05-15 · CTI Daily Brief — 2026-05-15
     trending_vulnerabilities · First coverage. Linux kernel LPE via the xfrm ESP-in-TCP code path. Working PoC published by Wiz Research. No remote exploitation path; post-compromise escalation primitive.

Where this entity is cited

  • trending_vulnerabilities (1)

Source distribution

  • helpnetsecurity.com · 1 (50%)
  • wiz.io · 1 (50%)

Related entities

Items in briefs about Fragnesia — Linux kernel xfrm ESP-in-TCP local privilege escalation (PoC public) (1)

CVE-2026-46300 — Linux kernel: local privilege escalation via xfrm ESP-in-TCP ("Fragnesia"), PoC public

From CTI Daily Brief — 2026-05-15 · published 2026-05-15

CVE-2026-46300 (codename "Fragnesia") is a local privilege escalation vulnerability in the Linux kernel's xfrm IPsec subsystem, specifically in the ESP-over-TCP code path (RFC 8229) that provides a NAT traversal fallback for IPsec connections (Wiz Research, 2026-05-13 · Help Net Security, 2026-05-14). The vulnerability was discovered by William Bowling of Zellic.io using Zellic's AI-agentic source code auditing tool; Wiz Research, whose researcher Hyunwoo Kim had previously discovered the related Dirty Frag vulnerability family, published the technical writeup. A working proof of concept that escalates from an unprivileged local user to root on unpatched kernels has been released (hosted at github.com/v12-security/pocs).

Exploitation requires code execution on the target: there is no known remote path absent a prior foothold or a chained remote vulnerability (e.g., an RCE that drops a low-privilege shell). Fragnesia is therefore relevant primarily as a post-compromise privilege-escalation primitive and as a tenant-escape risk wherever untrusted users share one kernel: VPS and bare-metal hosting, university Linux clusters, multi-tenant cloud workloads on shared kernels, and containers, which run on the host kernel, so a kernel LPE triggered inside a container yields host-level privilege rather than stopping at the namespace boundary. MITRE ATT&CK: T1068 (Exploitation for Privilege Escalation). No in-the-wild exploitation reported as of 2026-05-15.

Affected: Linux kernels that ship the xfrm ESP-in-TCP implementation, across the 5.x and 6.x LTS series. ESP-in-TCP is a build-time option (CONFIG_INET_ESPINTCP / CONFIG_INET6_ESPINTCP), so a kernel built without it does not carry the vulnerable code path; consult your distribution's security bulletin for the exact affected package version range. Distributions shipping patches as of 2026-05-15 include upstream Linux and major vendors (Ubuntu, Debian, RHEL, SUSE); apply the available kernel update and reboot.
Interim workaround, where IPsec ESP is not operationally required: ESP-in-TCP is compiled into the esp4/esp6 modules and the xfrm core when CONFIG_INET_ESPINTCP / CONFIG_INET6_ESPINTCP are set, so there is no standalone "xfrm_espintcp" module to unload. Remove the code path by unloading esp4 and esp6 where they are built as modules (modprobe -r esp4 esp6, once no security association uses them) and by adding install esp4 /bin/false and install esp6 /bin/false lines under /etc/modprobe.d so the kernel cannot autoload them when an ESP state is installed; note that esp4_offload and esp6_offload are the GSO/GRO offload helpers, and unloading those alone does not remove ESP-in-TCP. Installing an xfrm state requires CAP_NET_ADMIN in the caller's network namespace, which an unprivileged user can obtain in a namespace of its own wherever unprivileged user namespaces are allowed; in multi-tenant environments, restricting unprivileged user namespace creation (user.max_user_namespaces=0, or the distribution's equivalent control) is the practical form of "restrict CAP_NET_ADMIN" and limits who can reach the xfrm attack surface at all. Treat both measures as stopgaps until the kernel update is applied and the host rebooted.
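As an added triage helper for the workaround above (example code written for this page; not from the brief, Wiz Research, Zellic, or any distribution advisory), the following POSIX shell script reports whether a host still exposes the xfrm ESP-in-TCP code path and whether unprivileged user namespaces widen the set of users who can install an xfrm state. It relies only on general kernel facts: CONFIG_INET_ESPINTCP / CONFIG_INET6_ESPINTCP are build-time options, esp4/esp6 are autoloaded through their xfrm-type module aliases unless modprobe is told otherwise, and user.max_user_namespaces=0 disables user namespace creation. It says nothing about the PoC itself. Every file path is a parameter, so the same functions run against the live host or against files copied from a fleet; the sample host it builds is constructed, and the function and verdict names are this example's own.

```shell
#!/bin/sh
# Added example: Fragnesia exposure triage. Not project or vendor code.
# Inputs: kernel config, /proc/modules-format file, modprobe.d directory,
# and the user.max_user_namespaces value file.

# 0 if the config enables IPv4 or IPv6 ESP-in-TCP (RFC 8229). These are bool
# options compiled into esp4/esp6 and the xfrm core; no separate module exists.
espintcp_compiled_in() {
    grep -Eq '^CONFIG_INET6?_ESPINTCP=y$' "$1"
}

# 0 if ESP itself is linked into the kernel image (cannot be unloaded).
esp_builtin() {
    grep -Eq '^CONFIG_INET6?_ESP=y$' "$1"
}

# 0 if esp4 or esp6 appears in the first column of a /proc/modules-style file.
# "esp4_offload" is deliberately not matched: it is the GSO/GRO helper.
esp_module_loaded() {
    awk '$1 == "esp4" || $1 == "esp6" { hit = 1 } END { exit !hit }' "$1"
}

# 0 if modprobe.d blocks BOTH esp4 and esp6 from being autoloaded when an
# ESP state is installed: an "install <mod> /bin/false" line (robust) or a
# "blacklist <mod>" line (blocks alias-based autoload only).
esp_autoload_blocked() {
    dir="$1"
    for m in esp4 esp6; do
        grep -Ehs "^(blacklist[[:space:]]+$m|install[[:space:]]+$m[[:space:]]+/bin/(false|true))[[:space:]]*$" \
            "$dir"/*.conf | grep -q . || return 1
    done
    return 0
}

# 0 if unprivileged user namespace creation is allowed (max_user_namespaces > 0).
userns_open() {
    [ "$(tr -d '[:space:]' < "$1")" -gt 0 ]
}

# One-token verdict so a fleet job can grep for it:
#   not-exposed:...  ESP-in-TCP is not compiled into this kernel
#   reduced:...      code path present but esp4/esp6 cannot be loaded
#   reachable:...    code path present; the kernel update is the fix
fragnesia_exposure() {
    cfg="$1" mods="$2" modprobe_d="$3" maxns="$4"
    if ! espintcp_compiled_in "$cfg"; then
        echo "not-exposed:espintcp-not-built"; return 0
    fi
    if esp_builtin "$cfg"; then
        reason="esp-builtin"
    elif esp_module_loaded "$mods"; then
        reason="esp-module-loaded"
    elif esp_autoload_blocked "$modprobe_d"; then
        echo "reduced:esp-module-autoload-blocked"; return 0
    else
        reason="esp-module-autoloadable"
    fi
    if userns_open "$maxns"; then
        echo "reachable:$reason:unprivileged-userns-open"
    else
        echo "reachable:$reason:unprivileged-userns-closed"
    fi
}

# Constructed sample host (not real data): ESP as modules, ESP-in-TCP on,
# esp4/esp6 not loaded, no modprobe override, user namespaces open.
make_sample_host() {
    d=$(mktemp -d)
    printf 'CONFIG_INET_ESP=m\nCONFIG_INET_ESPINTCP=y\nCONFIG_INET6_ESP=m\nCONFIG_INET6_ESPINTCP=y\n' > "$d/config"
    printf 'xfrm_user 32768 1 - Live 0x0000000000000000\nesp4_offload 16384 0 - Live 0x0000000000000000\n' > "$d/modules"
    mkdir "$d/modprobe.d"
    printf '65536\n' > "$d/max_user_namespaces"
    echo "$d"
}

# ./fragnesia-check.sh --sample  runs against the constructed fixture;
# ./fragnesia-check.sh --live    runs against this host.
if [ "${1:-}" = "--sample" ]; then
    h=$(make_sample_host)
    fragnesia_exposure "$h/config" "$h/modules" "$h/modprobe.d" "$h/max_user_namespaces"
elif [ "${1:-}" = "--live" ]; then
    fragnesia_exposure "/boot/config-$(uname -r)" /proc/modules /etc/modprobe.d /proc/sys/user/max_user_namespaces
fi
```

On the constructed sample the verdict is reachable:esp-module-autoloadable:unprivileged-userns-open, which is the common shape on a desktop or general-purpose server: ESP is not loaded, but any user who can create a user namespace can trigger its autoload by installing an ESP state. Distributions that gate user namespaces through another knob (for example Debian's kernel.unprivileged_userns_clone or Ubuntu's AppArmor restriction) need that value checked in addition to user.max_user_namespaces; on hosts without /boot/config-*, point the first argument at an extracted copy of /proc/config.gz.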

CVE Summary Table

CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source
CVE-2026-20182 | Cisco Catalyst SD-WAN Controller / Manager | 10.0 (v3.1) | n/a | Yes (2026-05-14) | Yes — UAT-8616 + 10+ clusters | 20.9.9.1 / 20.12.7.1 / 20.15.5.2 | Cisco PSIRT
CVE-2026-42945 | NGINX Open Source 0.6.27–1.30.0; NGINX Plus R32–R36; NGINX Ingress Controller, Gateway Fabric, F5 WAF/App Protect | 9.2 (v4.0) / 8.1 (v3.1) | n/a | No | No (PoC public) | NGINX OS 1.30.1 / Plus R36 P4 | depthfirst / NCSC-CH
CVE-2026-46300 | Linux kernel xfrm ESP-in-TCP subsystem ("Fragnesia") — LPE, local only | n/a | n/a | No | No (PoC public) | Distro kernel updates (2026-05-13+) | Wiz Research
CVE-2026-45793 | PHP Composer (1.x, 2.x) — GitHub Actions token disclosure in error output | n/a | n/a | No | No | Composer 2.9.8 / 2.2.28 / 1.10.28 | Packagist blog