{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreigyfbvj2k65wit5nvjq7kvgshwuxik3kya6bxpi5my4a6iii56vcm",
"uri": "at://did:plc:awj2q63kg2v3k5xwsjh2uoe3/app.bsky.feed.post/3mm2efmkepo32"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreigqgtuakxoipyq5vem46owucvgnoo7xdlrxwfh2fqoqdms43zvaou"
},
"mimeType": "image/jpeg",
"size": 169358
},
"description": "Fragnesia, the latest local privilege escalation vulnerability in the same family as Dirty Frag, emerges as an “unintended side effect of one of the patches addressing the original Dirty Frag vulnerabilities” according to the original creator of Dirty Frag, Hyunwood Kim.",
"path": "/news/2026/05/17/dirty-frag-sequel-continues-the-streak-of-linux-kernel-privilege-escalation-vulnerabilities/",
"publishedAt": "2026-05-17T12:28:54.000Z",
"site": "https://www.privacyguides.org",
"tags": [
"Fragnesia",
"Dirty Frag",
"memory safety",
"William Bowling",
"V12",
"AppArmor",
"Microsoft Threat Intelligence",
"The Register"
],
"textContent": "Fragnesia, the latest local privilege escalation vulnerability in the same family as Dirty Frag, emerges as an “unintended side effect of one of the patches addressing the original Dirty Frag vulnerabilities” according to the original creator of Dirty Frag, Hyunwood Kim.\n\nThis vulnerability is another logic flaw, meaning there’s no need for attackers to exploit memory safety issues or race conditions; it’s just a problem with how the program runs normally.\n\nThe vulnerability was discovered by William Bowling with the V12 team.\n\nUnlike Dirty Frag, Fragnesia requires no host-level privileges.\n\nFragnesia also doesn’t touch files on the disk; it only modifies the in-memory page cache, so file-integrity monitoring is useless against it.\n\nAppArmor, such as the configuration enabled by default in Ubuntu, may serve as a partial mitigation, requiring extra steps to successfully exploit a machine.\n\nAs always, the recommendation is to install patches from your Linux distribution as soon as they ship.\n\nThe flaw lies in the same XFRM ESP-in-TCP subsystem as Dirty Frag.\n\nAccording to Microsoft Threat Intelligence, the exploit corrupts the “page cache memory of the `/usr/bin/su` binary, which in turn leads to launching a shell with root privilege.”\n\nFragnesia isn’t constrained to the `su` binary, though. “[I]t can modify any file readable by the user, including `/etc/passwd`.”\n\nMicrosoft’s recommendations are to disable esp4, esp6, and related XFRM/IPsec functionality, restrict unnecessary local shell access, harden containerized workloads, and increase monitoring for abnormal privilege escalation activity.\n\nThe Register describes the situation quite nicely:\n\n> The Linux networking stack is starting to look less like infrastructure and more like a root exploit vending machine.\n\nIt’s hard to disagree. When so many severe vulnerabilities of the same class appear in such quick succession, this one even allegedly caused by a patch for a previous vulnerability, it starts to look like a systemic failure.",
"title": "Dirty Frag Sequel Continues the Streak of Linux Kernel Privilege Escalation Vulnerabilities",
"updatedAt": "2026-05-17T12:28:55.022Z"
}