{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/wiz/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","linux","kernel"],"_cs_type":"threat","_cs_vendors":["Wiz"],"content_html":"\u003cp\u003eResearchers have disclosed a new variant in the DirtyFrag family of Linux local privilege escalation (LPE) vulnerabilities, named “Fragnesia.” This vulnerability impacts the Linux kernel’s XFRM ESP-in-TCP subsystem. It allows unprivileged local attackers to modify read-only file contents in the kernel page cache and achieve root privileges through a deterministic page-cache corruption primitive. According to the researcher who discovered Dirty Frag, Hyunwoo Kim, Fragnesia emerged as an unintended side effect of one of the patches addressing the original Dirty Frag vulnerabilities. 
AppArmor restrictions on unprivileged user namespaces may serve as a partial mitigation. Unlike DirtyFrag, Fragnesia requires no host-level privileges: the CAP_NET_ADMIN needed to configure XFRM is obtained inside an unprivileged user namespace, so any local account that can create user namespaces can attempt the attack.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker obtains unprivileged local code execution on a system running a vulnerable Linux kernel.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a user namespace and a network namespace, which grants CAP_NET_ADMIN inside that namespace without any host-level privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker installs a crafted ESP security association, with an attacker-chosen key, through NETLINK_XFRM.\u003c/li\u003e\n\u003cli\u003eFile-backed pages from the target file are spliced into a TCP receive queue before the socket switches to the espintcp ULP.\u003c/li\u003e\n\u003cli\u003eESP processing is enabled, and the kernel decrypts the queued data in place, that is, directly on the page-cache pages that back the file.\u003c/li\u003e\n\u003cli\u003eAES-GCM decrypts by XORing a keystream into the data, and because the attacker controls the key, the keystream is attacker-chosen; the \"decryption\" therefore writes controlled bytes into the page cache.\u003c/li\u003e\n\u003cli\u003eRepeating this gives the attacker controlled single-byte writes into cached file pages.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites the first bytes of /usr/bin/su with a small ELF payload that invokes setresuid(0,0,0) and executes /bin/sh; running the setuid su binary then yields a root shell. The modification exists only in the page cache: the on-disk binary is unchanged and the corrupted page is never written back, so page-cache eviction or a reboot restores the original content.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of Fragnesia gives an unprivileged local attacker root on a vulnerable Linux system, which means complete system compromise, data theft, and denial of service. The vulnerable code lives in the kernel's core XFRM subsystem rather than in a niche driver, so a broad range of Linux distributions and a large number of systems are potentially affected. 
The exploit modifies /usr/bin/su only in the page cache; the on-disk binary is untouched, so file-integrity tools that hash files on disk will not flag the compromise while it is active.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply vendor kernel patches that address the underlying XFRM ESP-in-TCP vulnerability as they become available.\u003c/li\u003e\n\u003cli\u003eUntil patches are deployed, unload the modules used by both Fragnesia and DirtyFrag with \u003ccode\u003ermmod esp4 esp6 rxrpc\u003c/code\u003e and block their reloading via \u003ccode\u003e/etc/modprobe.d/fragnesia.conf\u003c/code\u003e as described in the overview. Prefer \u003ccode\u003einstall \u0026lt;module\u0026gt; /bin/false\u003c/code\u003e entries, since a plain \u003ccode\u003eblacklist\u003c/code\u003e line only stops alias-based autoloading and not an explicit modprobe. This works only where ESP is built as a loadable module; if it is compiled into the kernel (listed in \u003ccode\u003emodules.builtin\u003c/code\u003e for the running kernel), \u003ccode\u003ermmod\u003c/code\u003e fails and patching is the only option. Unloading esp4/esp6 also disables IPsec ESP on the host.\u003c/li\u003e\n\u003cli\u003eRestrict or disable unprivileged user namespaces where operationally feasible, as mentioned in the overview, for example with \u003ccode\u003euser.max_user_namespaces=0\u003c/code\u003e (upstream) or Ubuntu's AppArmor-based \u003ccode\u003ekernel.apparmor_restrict_unprivileged_userns=1\u003c/code\u003e; note that this breaks rootless containers and other sandboxes that rely on user namespaces.\u003c/li\u003e\n\u003cli\u003eMonitor systems for suspicious namespace creation (unshare/clone with CLONE_NEWUSER and CLONE_NEWNET from non-container workloads), NETLINK_XFRM socket use, and abnormal use of AF_ALG sockets, as mentioned in the advisory; auditd syscall rules or eBPF tracing can provide this telemetry.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T13:08:45Z","date_published":"2026-05-13T13:08:45Z","id":"https://feed.craftedsignal.io/briefs/2026-05-fragnesia-lpe/","summary":"A new local privilege escalation vulnerability in the Linux kernel's XFRM ESP-in-TCP subsystem, named \"Fragnesia,\" allows unprivileged local attackers to modify read-only file contents in the kernel page cache and achieve root privileges through a deterministic page-cache corruption primitive.","title":"Fragnesia: Linux Kernel Local Privilege Escalation via ESP-in-TCP","url":"https://feed.craftedsignal.io/briefs/2026-05-fragnesia-lpe/"}],"language":"en","title":"CraftedSignal Threat Feed — Wiz","version":"https://jsonfeed.org/version/1.1"}
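Checking and applying the module mitigation from the Recommendation section, as an added example that is not part of the CraftedSignal brief or any Wiz tooling: the script classifies each of esp4, esp6 and rxrpc as loaded, built-in or absent (rmmod and modprobe blocking cannot help with a built-in module) and emits the modprobe.d blocklist in the `install ... /bin/false` form. Assumptions: the /proc/modules and modules.builtin layouts are those of current Linux kernels, the file paths are overridable so the checks can be exercised on constructed input, and nothing on the host needs IPsec ESP or AF_RXRPC.

```shell
#!/bin/sh
# Added example, not from the advisory: check whether the rmmod/modprobe
# mitigation can work on this host and emit the blocklist. File paths are
# parameters so the checks can be exercised on constructed input.
set -u

FRAGNESIA_MODULES="esp4 esp6 rxrpc"

# Classify a module: "loaded" (rmmod can remove it, unless a dependent such as
# esp4_offload still holds it), "builtin" (compiled into vmlinux, so neither
# rmmod nor modprobe blocking applies and only a kernel patch helps), or "absent".
# $1 module, $2 /proc/modules-style file, $3 modules.builtin-style file.
fragnesia_module_state() {
    mod=$1
    modules_file=${2:-/proc/modules}
    builtin_file=${3:-/lib/modules/$(uname -r)/modules.builtin}
    if awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }' "$modules_file" 2>/dev/null; then
        echo loaded
    elif grep -q "/${mod}\.ko\$" "$builtin_file" 2>/dev/null; then
        echo builtin
    else
        echo absent
    fi
}

# Content for /etc/modprobe.d/fragnesia.conf. "install <mod> /bin/false" refuses
# both an explicit modprobe and kernel-triggered autoload (xfrm-type-* aliases);
# a plain "blacklist" line only ignores aliases and still allows "modprobe esp4".
fragnesia_modprobe_conf() {
    for mod in $FRAGNESIA_MODULES; do
        printf 'install %s /bin/false\n' "$mod"
    done
}

# Second control from the recommendation: deny unprivileged user namespaces.
# This is the upstream knob; Ubuntu kernels additionally offer
# kernel.apparmor_restrict_unprivileged_userns=1. Both break rootless containers,
# so the setting is emitted for review rather than applied automatically.
fragnesia_sysctl_conf() {
    printf 'user.max_user_namespaces = 0\n'
}

# Apply on the live host (needs root). Aborts if any target module is built in,
# because a blocklist would then only give a false sense of safety.
fragnesia_apply() {
    for mod in $FRAGNESIA_MODULES; do
        case $(fragnesia_module_state "$mod") in
            builtin) echo "$mod is built into the kernel; patching is the only fix" >&2; return 1 ;;
            loaded)  rmmod "$mod" || return 1 ;;
        esac
    done
    fragnesia_modprobe_conf > /etc/modprobe.d/fragnesia.conf
    echo "wrote /etc/modprobe.d/fragnesia.conf; review before applying: $(fragnesia_sysctl_conf)"
}
```

Run `fragnesia_module_state esp4` against the live system to see which case applies, and `fragnesia_apply` as root to carry out the unload-and-block step; it stops before writing anything if a module is compiled in, since in that case only the vendor patch closes the hole.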
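Detection logic for the three behaviours the monitoring recommendation names, as an added example rather than anything the advisory or Wiz publishes: auditd rules that record namespace creation, NETLINK_XFRM sockets and AF_ALG sockets, plus an awk triage that runs over audit SYSCALL records, tags the matching events, and reports any pid that showed all three. The sample records are constructed for the example; x86_64 syscall numbers and auditd's key=value record layout are assumed, and clone3 (which passes its flags in a struct) is not decoded.

```shell
#!/bin/sh
# Added example, not from the advisory. Audit-based detection for the three
# behaviours the recommendation lists. Assumes x86_64 (arch=c000003e; socket=41,
# clone=56, unshare=272); clone3 (435) keeps its flags in a struct and is skipped.

# auditd rules that produce the telemetry (load with auditctl -R or drop into
# /etc/audit/rules.d). Values are decimal: AF_NETLINK=16, NETLINK_XFRM=6, AF_ALG=38.
fragnesia_audit_rules() {
    cat <<'EOF'
-a always,exit -F arch=b64 -S unshare,clone -k ns_create
-a always,exit -F arch=b64 -S socket -F a0=16 -F a2=6 -k netlink_xfrm
-a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg
EOF
}

# Read SYSCALL records from the given files (or stdin), tag the three behaviours,
# then report any pid that showed all three. The combination is the Fragnesia
# preparation sequence; each event alone is routine on hosts running containers
# or IPsec, so alerting on a single tag would be noisy.
fragnesia_audit_triage() {
    awk '
    function hex(s,   i, v, c) {          # auditd prints aN in hex without 0x
        v = 0
        for (i = 1; i <= length(s); i++) {
            c = index("0123456789abcdef", tolower(substr(s, i, 1)))
            if (c == 0) return -1
            v = v * 16 + c - 1
        }
        return v
    }
    function hasbit(v, bit) { return int(v / bit) % 2 == 1 }   # POSIX awk has no bitwise AND
    /^type=SYSCALL / {
        split("", f)
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0) f[substr($i, 1, n - 1)] = substr($i, n + 1)
        }
        if (f["arch"] != "c000003e") next
        sc = f["syscall"] + 0
        tag = ""
        if (sc == 41 && hex(f["a0"]) == 38)
            tag = "af_alg_socket"
        else if (sc == 41 && hex(f["a0"]) == 16 && hex(f["a2"]) == 6)
            tag = "netlink_xfrm_socket"
        else if ((sc == 272 || sc == 56) &&
                 hasbit(hex(f["a0"]), 268435456) && hasbit(hex(f["a0"]), 1073741824))
            tag = "userns_netns_create"           # CLONE_NEWUSER (0x10000000) and CLONE_NEWNET (0x40000000)
        if (tag != "") {
            printf "%s pid=%s comm=%s\n", tag, f["pid"], f["comm"]
            seen[f["pid"], tag] = 1
            pids[f["pid"]] = 1
        }
    }
    END {
        for (p in pids) {
            n = 0
            if ((p, "af_alg_socket") in seen) n++
            if ((p, "netlink_xfrm_socket") in seen) n++
            if ((p, "userns_netns_create") in seen) n++
            if (n == 3) printf "fragnesia_pattern pid=%s\n", p
        }
    }' "$@"
}

# Constructed sample records: pid 4188 performs the full sequence, while sshd
# (AF_INET socket with protocol 6) and systemd (unshare with CLONE_NEWNS only)
# are benign look-alikes that must not match.
FRAGNESIA_SAMPLE_AUDIT='type=SYSCALL msg=audit(1778850000.101:2001): arch=c000003e syscall=272 success=yes exit=0 a0=50000000 a1=0 a2=0 a3=0 items=0 ppid=4120 pid=4188 auid=1000 uid=1000 gid=1000 euid=1000 comm="frag" exe="/tmp/frag" key="ns_create"
type=SYSCALL msg=audit(1778850000.102:2002): arch=c000003e syscall=41 success=yes exit=3 a0=10 a1=3 a2=6 a3=0 items=0 ppid=4120 pid=4188 auid=1000 uid=1000 gid=1000 euid=1000 comm="frag" exe="/tmp/frag" key="netlink_xfrm"
type=SYSCALL msg=audit(1778850000.103:2003): arch=c000003e syscall=41 success=yes exit=4 a0=26 a1=5 a2=0 a3=0 items=0 ppid=4120 pid=4188 auid=1000 uid=1000 gid=1000 euid=1000 comm="frag" exe="/tmp/frag" key="af_alg"
type=SYSCALL msg=audit(1778850000.104:2004): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=6 a3=0 items=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 comm="sshd" exe="/usr/sbin/sshd" key="netlink_xfrm"
type=SYSCALL msg=audit(1778850000.105:2005): arch=c000003e syscall=272 success=yes exit=0 a0=20000 a1=0 a2=0 a3=0 items=0 ppid=1 pid=901 auid=4294967295 uid=0 gid=0 euid=0 comm="systemd" exe="/usr/lib/systemd/systemd" key="ns_create"'
```

On a real host run `fragnesia_audit_triage /var/log/audit/audit.log`; the `ns_create` rule will fire for every container start, so the per-pid `fragnesia_pattern` line, not the individual tags, is the signal worth paging on, and the `auid`/`exe` fields carried in the same records give the analyst the account and binary to pivot to.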