
A fix for the previous critical Linux kernel vulnerability appears to have introduced another critical local privilege escalation flaw, the third in two weeks. Security professionals are frustrated that disclosures are dropping without any embargo that would give defenders time to prepare.
A Pandora’s box of Linux kernel vulnerabilities has been opened.
Every Linux kernel since 2017 is vulnerable to local privilege escalation, as demonstrated two weeks ago by the first of these vulnerabilities, dubbed Copy Fail.
As kernel maintainers and major Linux distributions scrambled to patch it, another major exploit dropped, named “Dirty Frag,” achieving the same result: local privilege escalation.
It now appears that the mainline kernel patch has introduced another vulnerability.
William Bowling, a security researcher, and the V12 security team dropped a universal local privilege escalation vulnerability, called Fragnesia, on GitHub.
It is a new variant of the previous Dirty Frag vulnerability and, similarly, exploits the XFRM ESP-in-TCP subsystem to achieve a kernel memory-write primitive, the Microsoft Threat Intelligence team explained.
All of the vulnerabilities corrupt the page cache memory of system executables such as /usr/bin/su, tricking the kernel into running attacker-injected code the next time those binaries are executed. Ultimately, this opens a shell with root privileges.
Critical flaw after the patch?
Hyunwoo Kim, the security researcher who discovered and reported the original Dirty Frag vulnerability, analyzed the new exploit and said that the patch that fixed Dirty Frag accidentally activated the code path used by Fragnesia, which had previously been dormant.
“This vulnerability is a path that was accidentally activated after the introduction of f4c50a4034e6 (2026-05-05), the patch for CVE-2026-43284 in the Dirty Frag chain. In other words, the effective vulnerability window is from f4c50a4034e6 (2026-05-05) to upstream – approximately 9 days,” the security researcher said in an email to the Openwall Open Source Security mailing list.
Kim recommends keeping the Dirty Frag mitigations in place while the patch for Fragnesia is underway.
The researcher also notes that the new flaw requires the attacker to have permission to create user namespaces. This means that some distributions that restrict unprivileged user namespaces with AppArmor, such as Ubuntu, would block the exploit on their own. However, attackers can still make it work by chaining Fragnesia with other, separate vulnerabilities.
Frustration over disregard for security
Some security professionals are now calling out researchers publicly releasing exploits while they’re “hot.”
“Am I correct in my understanding that this ‘disclosure’ was done solely by dropping the code on GitHub, with no advance notification to the Linux kernel or distros? Does that seem reasonable because it's adjacent to the vulnerability whose coattails it rides?” Jan Schaumann, a Chief Information Security Architect at Akamai and an Adjunct Professor of Computer Science at Stevens Institute of Technology, said, criticizing how the disclosure was handled.
The expert acknowledges that the realistic utility of embargoes is shrinking dramatically.
“But this ‘drop it while it's hot’ approach to seemingly promote yet another AI vulnerability discovery service is a trend I can't abide.”
If patching for Fragnesia is not yet possible, Microsoft recommends assessing whether the esp4, esp6, and related xfrm/IPsec kernel functionality can be safely disabled for the time being, restricting unnecessary local shell access, hardening containerized workloads, and monitoring for abnormal activity.
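The following audit script is an added example, not code from the article, from Microsoft, or from any of the researchers named above. It checks the two conditions the article calls out on a host: whether the ESP/xfrm kernel modules are loaded, and whether unprivileged users can create user namespaces (the precondition Kim describes), and it prints a modprobe.d fragment that blocks those modules from autoloading. The module names esp4 and esp6 come from the article; the additional xfrm module names and the sysctl paths are standard kernel and distribution identifiers and are assumptions about the host being audited.

```shell
#!/bin/sh
# Added example (not from the article or from Microsoft's guidance): audit a Linux host
# for the mitigation state the article describes.
#   1. Are the ESP/xfrm kernel modules currently loaded?
#   2. Can unprivileged users create user namespaces?
#   3. Emit a modprobe.d fragment that stops those modules from being autoloaded.
# esp4 and esp6 are named in the article; the other module names and the sysctl
# paths are standard kernel/distro identifiers and are assumptions about the host.

# Modules to audit (constructed list: esp4/esp6 from the article, the rest are xfrm helpers).
WATCH_MODULES="esp4 esp6 esp4_offload esp6_offload xfrm_user xfrm_algo"

# loaded_watch_modules [FILE]
# Prints, one per line, the watched modules listed in FILE (default /proc/modules).
loaded_watch_modules() {
    file="${1:-/proc/modules}"
    [ -r "$file" ] || return 0
    for m in $WATCH_MODULES; do
        # /proc/modules lines start with "<name> <size> ...", so anchor on "name "
        if grep -q "^$m " "$file"; then
            echo "$m"
        fi
    done
}

# userns_status [SYSCTL_ROOT]
# Prints "restricted" if any known knob prevents unprivileged user namespace creation,
# otherwise "unrestricted". SYSCTL_ROOT defaults to /proc/sys (overridable for testing).
userns_status() {
    root="${1:-/proc/sys}"
    # Debian/Ubuntu-patched kernels: 0 means unprivileged users cannot create user namespaces
    f="$root/kernel/unprivileged_userns_clone"
    if [ -r "$f" ] && [ "$(cat "$f")" = "0" ]; then echo restricted; return 0; fi
    # Ubuntu's AppArmor-based restriction (the mechanism the article mentions): 1 means restricted
    f="$root/kernel/apparmor_restrict_unprivileged_userns"
    if [ -r "$f" ] && [ "$(cat "$f")" = "1" ]; then echo restricted; return 0; fi
    # Upstream limit: 0 means no user namespaces can be created at all
    f="$root/user/max_user_namespaces"
    if [ -r "$f" ] && [ "$(cat "$f")" = "0" ]; then echo restricted; return 0; fi
    echo unrestricted
}

# blacklist_config
# Prints a modprobe.d fragment. "install <mod> /bin/false" makes any autoload attempt fail,
# which a plain "blacklist" line does not (blacklist only stops alias-based loading).
blacklist_config() {
    echo "# Generated by the audit script: block ESP/xfrm module autoload until patched"
    for m in $WATCH_MODULES; do
        echo "install $m /bin/false"
    done
}

main() {
    echo "Loaded ESP/xfrm modules:"
    loaded=$(loaded_watch_modules)
    if [ -n "$loaded" ]; then echo "$loaded"; else echo "  (none)"; fi
    echo "Unprivileged user namespaces: $(userns_status)"
    echo
    echo "Suggested /etc/modprobe.d/esp-xfrm-mitigation.conf (review before applying;"
    echo "it will break IPsec on this host):"
    blacklist_config
}

main "$@"
```

Run it as root on the host to be assessed. A loaded module is only a problem if nothing depends on it: before installing the generated fragment, confirm the host does not carry IPsec traffic, since the article's guidance is to disable this functionality only where that can be done safely. Restricting user namespaces is the other lever; on distributions without Ubuntu's AppArmor knob, `user.max_user_namespaces=0` removes the precondition at the cost of breaking rootless containers.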