Skip to main content

Linux Kernel CVE-2026-46300

| EUVDEUVD-2026-31535 HIGH
Write-what-where Condition (CWE-123)
2026-05-13 secalert@redhat.com GHSA-47jg-vqrv-5f8v
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Red Hat
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 14, 2026 - 16:40 vuln.today
CVE Published
May 13, 2026 - 12:00 nvd
HIGH 7.8

DescriptionNVD

A flaw was found in the Linux kernel's XFRM ESP-in-TCP subsystem. This vulnerability, known as Fragnesia, allows a local attacker to achieve arbitrary byte writes into the kernel page cache of read-only files, enabling local privilege escalation through kernel structure overwriting.

AnalysisAI

Local privilege escalation in Linux kernel XFRM ESP-in-TCP subsystem (Fragnesia vulnerability) allows authenticated local attackers to overwrite kernel memory structures by exploiting arbitrary byte writes into the kernel page cache of read-only files. CVSS score of 7.8 reflects high impact across confidentiality, integrity, and availability. Low attack complexity (AC:L) and no user interaction requirement (UI:N) make this exploitable by any local user with basic privileges. No confirmed active exploitation (not in CISA KEV) or public proof-of-concept identified at time of analysis, but the specific vulnerability name 'Fragnesia' suggests coordinated disclosure with security research community.

Technical ContextAI

The Linux kernel XFRM (transform) framework handles IPsec transformations including ESP (Encapsulated Security Payload) protocol operations. The ESP-in-TCP encapsulation feature allows ESP packets to traverse NAT devices by wrapping them in TCP segments. CWE-123 (Write-what-where Condition) indicates the vulnerability allows an attacker to control both the memory address (where) and the data (what) being written. The flaw enables manipulation of the kernel page cache-a memory management component that caches file contents-specifically targeting read-only files which should be immutable. By achieving arbitrary writes into this cache, an attacker can modify kernel data structures that rely on cached file content integrity, leading to privilege escalation when these corrupted structures are subsequently used by the kernel. This represents a fundamental breakdown in memory protection boundaries between user space and kernel space within the XFRM subsystem's handling of encapsulated traffic.

RemediationAI

Apply vendor-released kernel security updates as soon as available from your Linux distribution maintainer. Red Hat, Ubuntu, Debian, SUSE, and other major distributions will publish kernel patches addressing CVE-2026-46300 through their standard security update channels. No specific patched kernel version has been confirmed in available data-monitor your distribution's security mailing lists and repositories. For Red Hat-based systems, check for updates via 'yum update kernel' or 'dnf update kernel' and subscribe to Red Hat Security Advisories. For Debian/Ubuntu systems, monitor USN announcements and apply updates with 'apt update && apt upgrade'. Reboot systems after kernel updates to load the patched version. As a temporary workaround until patches are deployed, disable or unload the ESP-in-TCP kernel module if your environment does not require IPsec NAT traversal functionality-this eliminates the vulnerable code path but breaks ESP-in-TCP VPN connectivity. Use 'modprobe -r xfrm_espintcp' to unload (note: module name may vary by kernel version). For containerized environments, update the host kernel rather than container images, as this is a kernel-level vulnerability. Restricting local user access reduces exposure but does not eliminate risk from compromised user accounts.

Vendor StatusVendor

SUSE

Severity: High
Product Status
Container suse/sle-micro-rancher/5.3:latest Container suse/sle-micro-rancher/5.4:5.4.4.5.109 Image SLES15-SP4-BYOS Image SLES15-SP4-BYOS-Azure Image SLES15-SP4-BYOS-EC2 Image SLES15-SP4-BYOS-GCE Image SLES15-SP4-CHOST-BYOS Image SLES15-SP4-CHOST-BYOS-Aliyun Image SLES15-SP4-CHOST-BYOS-Azure Image SLES15-SP4-CHOST-BYOS-EC2 Image SLES15-SP4-CHOST-BYOS-GCE Image SLES15-SP4-CHOST-BYOS-SAP-CCloud Image SLES15-SP4-HPC-BYOS Image SLES15-SP4-HPC-BYOS-Azure Image SLES15-SP4-HPC-BYOS-EC2 Image SLES15-SP4-HPC-BYOS-GCE Image SLES15-SP4-HPC-EC2 Image SLES15-SP4-HPC-GCE Image SLES15-SP4-Hardened-BYOS Image SLES15-SP4-Hardened-BYOS-Azure Image SLES15-SP4-Hardened-BYOS-EC2 Image SLES15-SP4-Hardened-BYOS-GCE Image SLES15-SP4-SAP Image SLES15-SP4-SAP-Azure Image SLES15-SP4-SAP-EC2 Image SLES15-SP4-SAP-GCE Image SLES15-SP4-SAPCAL Image SLES15-SP4-SAPCAL-Azure Image SLES15-SP4-SAPCAL-EC2 Image SLES15-SP4-SAPCAL-GCE Affected
Container suse/sle-micro/base-5.5:2.0.4-5.8.274 Image SLES15-SP5-BYOS-Azure Image SLES15-SP5-BYOS-EC2 Image SLES15-SP5-BYOS-GCE Image SLES15-SP5-CHOST-BYOS-Aliyun Image SLES15-SP5-CHOST-BYOS-Azure Image SLES15-SP5-CHOST-BYOS-EC2 Image SLES15-SP5-CHOST-BYOS-GCE Image SLES15-SP5-CHOST-BYOS-GDC Image SLES15-SP5-CHOST-BYOS-SAP-CCloud Image SLES15-SP5-EC2 Image SLES15-SP5-GCE Image SLES15-SP5-HPC-BYOS-Azure Image SLES15-SP5-HPC-BYOS-EC2 Image SLES15-SP5-HPC-BYOS-GCE Image SLES15-SP5-Hardened-BYOS-Azure Image SLES15-SP5-Hardened-BYOS-EC2 Image SLES15-SP5-Hardened-BYOS-GCE Image SLES15-SP5-SAPCAL-Azure Image SLES15-SP5-SAPCAL-EC2 Image SLES15-SP5-SAPCAL-GCE Affected
Container suse/sle-micro/kvm-5.5:2.0.4-3.5.529 Affected
Container suse/sle-micro/rt-5.5:2.0.4-4.5.586 Affected
Image SLES12-SP5-Azure-BYOS Image SLES12-SP5-Azure-HPC-BYOS Image SLES12-SP5-EC2-BYOS Image SLES12-SP5-EC2-ECS-On-Demand Image SLES12-SP5-EC2-On-Demand Image SLES12-SP5-GCE-BYOS Image SLES12-SP5-GCE-On-Demand Affected

Share

CVE-2026-46300 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy