Particle.news

Fragnesia (CVE-2026-46300) Lets Local Users Gain Root by Corrupting Linux’s Page Cache

The bug creates a dependable path to root through Linux’s ESP-over-TCP code.

Overview

  • Researchers detailed Fragnesia, a new DirtyFrag-family flaw in the Linux XFRM ESP‑in‑TCP path that lets an unprivileged user gain root by changing file data held only in memory.
  • Fragnesia stems from mishandled shared page fragments during TCP skb coalescing followed by in‑place AES‑GCM decryption, which turns queued network data into controlled single‑byte writes to the kernel page cache.
  • An attacker can use user and network namespaces to get CAP_NET_ADMIN in an isolated namespace, install crafted XFRM ESP state via NETLINK_XFRM, and flip bytes in cached pages such as /usr/bin/su without touching the disk.
  • The V12 team released a working proof‑of‑concept, and multiple Linux distributions published advisories. Microsoft said a patch is available and urged fast updates, and CloudLinux said DirtyFrag mitigations cover this variant until patched kernels land.
  • Recommended defenses include applying kernel updates when offered, disabling esp4/esp6 and related XFRM/IPsec features if not needed, restricting unprivileged user namespaces, and monitoring for XFRM or namespace abuse; AppArmor limits can also blunt exploitation attempts.
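
A host audit for the two preconditions named above (esp4/esp6 availability and unprivileged user namespaces), as an added example that is not from the article or any vendor advisory. The function names are hypothetical, and the script assumes modules are blocked with modprobe `install` lines and that the Debian/Ubuntu sysctls shown are the ones in use; ESP code built into the kernel does not appear in /proc/modules and is not detected.

```shell
#!/bin/sh
# Added example. ROOT is "/" on a live host (run: audit /); a test can point
# it at a constructed directory tree instead.

sysctl_val() {   # sysctl_val ROOT name/with/slashes -> value, or "absent"
    if [ -r "$1/proc/sys/$2" ]; then cat "$1/proc/sys/$2"; else echo absent; fi
}

esp_state() {    # esp_state ROOT MODULE -> loaded | blocked | loadable
    if [ -r "$1/proc/modules" ] && grep -q "^$2 " "$1/proc/modules"; then
        echo loaded      # already in the kernel; a modprobe rule does not unload it
    elif grep -Eqs "^[[:space:]]*install[[:space:]]+$2[[:space:]]" \
            "$1"/etc/modprobe.d/*.conf; then
        echo blocked     # e.g. "install esp4 /bin/false" stops on-demand loading
    else
        echo loadable    # not loaded now, but nothing prevents autoloading
    fi
}

userns_state() { # userns_state ROOT -> disabled | apparmor-restricted | open
    if [ "$(sysctl_val "$1" user/max_user_namespaces)" = 0 ] ||
       [ "$(sysctl_val "$1" kernel/unprivileged_userns_clone)" = 0 ]; then
        echo disabled
    elif [ "$(sysctl_val "$1" kernel/apparmor_restrict_unprivileged_userns)" = 1 ]; then
        echo apparmor-restricted
    else
        echo open
    fi
}

audit() {        # audit ROOT -> prints findings; returns 1 if any item needs action
    rc=0
    for m in esp4 esp6; do
        s=$(esp_state "$1" "$m")
        echo "$m: $s"
        [ "$s" = blocked ] || rc=1
    done
    u=$(userns_state "$1")
    echo "unprivileged user namespaces: $u"
    [ "$u" = open ] && rc=1
    return $rc
}
```

A non-zero return from `audit` means at least one of the listed mitigations is not in place; it does not indicate compromise.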