Daily brief 2026-05-15
CVE-2026-46300 — Linux kernel: local privilege escalation via xfrm ESP-in-TCP ("Fragnesia"), PoC public
Part of run 2026-05-15-58b94fbd (intel · Claude Sonnet 4.6)
CVE-2026-46300 (codename "Fragnesia") is a local privilege escalation vulnerability in the Linux kernel's xfrm IPsec subsystem, specifically in the ESP-over-TCP code path that provides NAT traversal fallback for IPsec connections (Wiz Research, 2026-05-13 · Help Net Security, 2026-05-14). The vulnerability was discovered by William Bowling of Zellic.io using Zellic's AI-agentic source code auditing tool; Wiz Research (whose researcher Hyunwoo Kim had previously discovered the related Dirty Frag vulnerability family) published the technical writeup.

A working proof-of-concept demonstrating escalation from an unprivileged local user to root on unpatched kernels has been released (hosted at github.com/v12-security/pocs). Exploitation requires local code execution on the target — there is no known remote exploitation path absent a prior foothold or a co-chained remote vulnerability (e.g., an RCE that drops a low-privilege shell). Fragnesia is therefore primarily relevant as a post-compromise privilege-escalation primitive and as a jailbreak-class risk in shared compute environments: VPS and bare-metal hosting providers, university Linux clusters, multi-tenant cloud workloads running on shared kernels, and container environments where the kernel namespace boundary can be crossed. MITRE ATT&CK: T1068 (Exploitation for Privilege Escalation). No in-the-wild exploitation reported as of 2026-05-15.

Affected: Linux kernels shipping the xfrm ESP-in-TCP implementation across the 5.x and 6.x LTS series — consult your distribution's security bulletin for the exact affected package version range. Distributions shipping patches as of 2026-05-15 include upstream Linux and major vendors (Ubuntu, Debian, RHEL, SUSE); apply the available kernel update and reboot.
Interim workaround: disable the xfrm_espintcp kernel module where IPsec ESP-over-TCP is not operationally required (modprobe -r esp6_offload esp4_offload where applicable); also consider restricting the CAP_NET_ADMIN capability to reduce the xfrm attack surface in multi-tenant environments.
CVE Summary Table
| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-20182 | Cisco Catalyst SD-WAN Controller / Manager | 10.0 (v3.1) | n/a | Yes (2026-05-14) | Yes — UAT-8616 + 10+ clusters | 20.9.9.1 / 20.12.7.1 / 20.15.5.2 | Cisco PSIRT |
| CVE-2026-42945 | NGINX Open Source 0.6.27–1.30.0; NGINX Plus R32–R36; NGINX Ingress Controller, Gateway Fabric, F5 WAF/App Protect | 9.2 (v4.0) / 8.1 (v3.1) | n/a | No | No (PoC public) | NGINX OS 1.30.1 / Plus R36 P4 | depthfirst / NCSC-CH |
| CVE-2026-46300 | Linux kernel xfrm ESP-in-TCP subsystem ("Fragnesia") — LPE, local only | n/a | n/a | No | No (PoC public) | Distro kernel updates (2026-05-13+) | Wiz Research |
| CVE-2026-45793 | PHP Composer (1.x, 2.x) — GitHub Actions token disclosure in error output | n/a | n/a | No | No | Composer 2.9.8 / 2.2.28 / 1.10.28 | Packagist blog |
Action items
- Apply Linux kernel security updates to patch CVE-2026-46300 "Fragnesia" — Linux kernel LPE via xfrm ESP-in-TCP with a working public PoC; the vulnerability enables any local user to escalate to root. Critical for shared compute environments (VPS, container hosts, HPC clusters, university Linux systems). Apply the kernel update from your distribution and reboot; where immediate patching is not feasible, disable the xfrm_espintcp module and restrict the CAP_NET_ADMIN capability.
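The interim workaround and the action item above both reduce to two checks a host owner can script: which of the named ESP-over-TCP modules are currently loaded (and blocked from auto-loading), and which processes hold CAP_NET_ADMIN. The helper below is an added example, not code from the brief, from Wiz Research, or from any distribution. It takes the module names from the brief as an assumption (confirm them against your distribution's bulletin; builds differ), uses the CAP_NET_ADMIN bit number (12) from linux/capability.h, and the function names, the `--audit` flag and the sample lsmod text are the example's own.

```shell
#!/bin/sh
# Added example (not from the brief, Wiz Research, or any distribution):
# audit helpers for the interim Fragnesia mitigation.
#   - loaded_esp_modules:     which of the named modules lsmod reports loaded
#   - has_cap_net_admin:      whether a CapEff value from /proc/<pid>/status
#                             carries CAP_NET_ADMIN (capability bit 12)
#   - write_module_blacklist: modprobe.d drop-in that blocks auto-loading
# Run with --audit on a live host to list loaded modules and processes
# holding CAP_NET_ADMIN; without arguments it only defines the functions.

# Assumption: module names as given in the brief. Confirm them against your
# distribution's security bulletin before relying on them.
ESP_MODULES="xfrm_espintcp esp4_offload esp6_offload"

# Constructed sample of lsmod output, used for offline testing only.
SAMPLE_LSMOD="Module                  Size  Used by
esp4_offload           16384  0
ip_tables              32768  0"

# loaded_esp_modules LSMOD_OUTPUT
# Print the names from ESP_MODULES that appear in column 1 of LSMOD_OUTPUT.
loaded_esp_modules() {
    _lsmod="$1"
    for _m in $ESP_MODULES; do
        printf '%s\n' "$_lsmod" | awk -v m="$_m" '$1 == m { print m }'
    done
}

# has_cap_net_admin CAPEFF_HEX
# CapEff is a hex bitmask; CAP_NET_ADMIN is bit 12, i.e. the lowest bit of
# the fourth hex digit from the right. Testing that digit's parity avoids
# any 64-bit arithmetic limits in sh. Returns 0 if the capability is present.
has_cap_net_admin() {
    _digit=$(printf '%s\n' "$1" | awk '{
        n = length($0)
        if (n < 4) print "0"; else print substr($0, n - 3, 1) }')
    case "$_digit" in
        [13579bdfBDF]) return 0 ;;
        *)             return 1 ;;
    esac
}

# procs_with_cap_net_admin
# Walk /proc and print "PID NAME" for each process whose effective set
# includes CAP_NET_ADMIN. Read-only; used from --audit mode.
procs_with_cap_net_admin() {
    for _st in /proc/[0-9]*/status; do
        [ -r "$_st" ] || continue
        _cap=$(awk '$1 == "CapEff:" { print $2 }' "$_st")
        if has_cap_net_admin "$_cap"; then
            _pid=${_st#/proc/}; _pid=${_pid%/status}
            _name=$(awk '$1 == "Name:" { print $2 }' "$_st")
            printf '%s %s\n' "$_pid" "$_name"
        fi
    done
}

# write_module_blacklist NAME [DIR]
# Write a modprobe.d drop-in so NAME cannot be auto-loaded on demand
# ("install NAME /bin/false" is the standard way to fully disable a module).
# DIR defaults to /etc/modprobe.d; tests pass a temporary directory.
# Prints the path of the file written. Unloading an already-loaded module
# (modprobe -r) is left to the operator, as in the brief.
write_module_blacklist() {
    _name="$1"; _dir="${2:-/etc/modprobe.d}"
    _file="$_dir/disable-$_name.conf"
    printf 'install %s /bin/false\n' "$_name" > "$_file"
    printf '%s\n' "$_file"
}

if [ "${1:-}" = "--audit" ]; then
    echo "ESP-over-TCP modules reported loaded by lsmod:"
    loaded_esp_modules "$(lsmod 2>/dev/null)"
    echo "Processes holding CAP_NET_ADMIN (pid name):"
    procs_with_cap_net_admin
fi
```

On a multi-tenant host the interesting output of `--audit` is the second list: any workload process that holds CAP_NET_ADMIN can reach the xfrm configuration paths the brief singles out, so those are the containers or services to re-scope first. The blacklist file only prevents on-demand loading; a module that is already resident still needs to be unloaded and the host rebooted once the distribution kernel update is installed.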