Aggregator

Paul Lyons, principal deputy assistant secretary for cyber policy, also discussed the importance of cyber offense.

The post Pentagon cyber official calls advanced AI ‘revolutionary warfare’ appeared first on CyberScoop.

While AI tools present unique cybersecurity threats, they still rely on poor identity security by organizations to do the most damage, a White House official said Thursday. 

The post White House cyber official: identity security matters more than ever in the age of AI appeared first on CyberScoop.

A Russian state-sponsored hacking group known as Sandworm has been caught making a calculated pivot from compromised IT networks into operational technology systems that control physical infrastructure. The campaign is alarming because it does not rely on cutting-edge exploits. Instead, Sandworm walks through doors that were already left open, turning unresolved vulnerabilities into launchpads for […]

The post Sandworm Hackers Pivot From Compromised IT Systems Toward Critical OT Assets appeared first on Cyber Security News.

A Chinese state-linked hacking group known as FamousSparrow has quietly infiltrated an Azerbaijani oil and gas company, exploiting an unpatched Microsoft Exchange server to plant multiple backdoors inside the network. The attack ran from late December 2025 through late February 2026 and stands as one of the most detailed Chinese APT intrusions targeting energy infrastructure […]

The post Chinese APT Hackers Exploit Microsoft Exchange to Breach Energy Sector Network appeared first on Cyber Security News.

You must login to view this content

A new Linux kernel local privilege escalation exploit with a public proof-of-concept targets the same subsystem as Dirty Frag but requires a separate patch.

1. CVE-2026-46300 (Fragnesia) is the latest high severity local privilege escalation vulnerability in the Linux kernel, following the disclosure of both Dirty Frag and Copy Fail.
2. A public proof-of-concept is available and the exploit has been confirmed working on Ubuntu systems, though no in-the-wild exploitation has been reported.
3. A kernel patch was released on May 13; the existing Dirty Frag patches do not address this flaw, though the module blacklist mitigation protects against both.

Tenable's Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding Fragnesia, a new Linux kernel local privilege escalation vulnerability.

When was Fragnesia first disclosed?

On May 13, William Bowling of V12 Security publicly disclosed Fragnesia alongside a proof-of-concept exploit and a corresponding kernel patch. CVE-2026-46300 was assigned the same day.

What is Fragnesia?

Fragnesia is a local privilege escalation vulnerability in the Linux kernel's XFRM ESP-in-TCP subsystem. The name references how the socket buffer (skb) "forgets" that a frag is shared during coalescing. Specifically, when the kernel coalesces socket buffer fragments via skb_try_coalesce(), it fails to propagate the SKBFL_SHARED_FRAG flag that marks certain pages as shared with other subsystems. Without that flag, the kernel treats those file-cache-backed pages as safe to write.

How does Fragnesia relate to Dirty Frag?

Fragnesia belongs to the same vulnerability class as Dirty Frag (CVE-2026-43284/CVE-2026-43500) in that both achieve page-cache writes through the XFRM/ESP subsystem. However, they are distinct vulnerabilities:

The existing kernel patches for Dirty Frag do not fix Fragnesia. A separate patch is required.

How severe is Fragnesia?

Any local user on a system running a vulnerable kernel can exploit Fragnesia to gain root access. The exploit does not rely on a race condition. The technique uses user and network namespaces (enabled by default on most distributions) to obtain CAP_NET_ADMIN without requiring elevated host privileges.

The public PoC targets /usr/bin/su, modifying it in the page cache to grant root on execution. The on-disk binary is never changed, and a reboot or cache flush restores normal behavior. The technique is not limited to a single binary: any file readable by the attacker is a viable target, including [redacted].

Which Linux distributions are affected?

Fragnesia affects the same kernel versions as Dirty Frag. Any distribution shipping a kernel without the May 13 patch is vulnerable. The vulnerability was confirmed working on Ubuntu 6.8.0-111-generic (April 11, 2026 build) running on a Linode VPS.

Affected distributions include:

Amazon Linux is not affected as it does not ship the espintcp module. CloudLinux 7 is also unaffected.

As of May 14, Ubuntu's patch status remains "needs evaluation" across all releases. CloudLinux has patches in testing for CL9/CL10 and a KernelCare livepatch in validation.

Is there a proof-of-concept (PoC) available?

Yes. A public PoC was released on GitHub alongside the disclosure.

Are patches or mitigations available?

A kernel patch was submitted to the netdev mailing list on May 13. The fix ensures skb_try_coalesce() propagates the SKBFL_SHARED_FRAG marker, preventing in-place decryption of shared page-cache fragments.

AlmaLinux has released patched kernels for all supported releases:

For systems where an immediate kernel update is not feasible, the same module blacklist mitigation used for Dirty Frag is effective:

Organizations that applied this mitigation for Dirty Frag are already protected against Fragnesia. Organizations that applied only the kernel patches for Dirty Frag without the module blacklist are not protected and need the new patch.

Historical exploitation of Linux kernel vulnerabilities

The Linux kernel has been a recurring target for privilege escalation attacks. CISA's Known Exploited Vulnerabilities catalog contains entries for several Linux kernel flaws:

Copy Fail (CVE-2026-31431) was added to the KEV catalog on May 1. CVE-2026-46300 (Fragnesia) is not currently in the KEV catalog.

Tenable published an FAQ blog on Dirty Frag and Copy Fail, both of which are Linux kernel privilege escalation vulnerabilities disclosed in 2026.

Has Tenable released any product coverage for this vulnerability?

A list of Tenable plugins for this vulnerability can be found on the CVE-2026-46300 page as they're released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

• Fragnesia PoC and Technical Details (V12 Security)
• Kernel Patch (netdev mailing list)
• oss-security Discussion
• Dirty Frag FAQ (Tenable Blog)
• Copy Fail FAQ (Tenable Blog)

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.