Fragnesia: Linux Kernel Local Privilege Escalation via ESP-in-TCP

A new page-cache corruption vulnerability in the Dirty Frag family enables unprivileged local attackers to achieve root

Researchers have disclosed a new variant in the Dirty Frag family of Linux local privilege escalation (LPE) vulnerabilities, named “Fragnesia.” It affects the Linux kernel’s XFRM ESP-in-TCP subsystem and gives an unprivileged local attacker a deterministic page-cache corruption primitive: the attacker can modify the in-memory contents of read-only files held in the kernel page cache and use that to obtain root privileges.

According to Hyunwoo Kim, the researcher who discovered Dirty Frag, Fragnesia emerged as an unintended side effect of one of the patches for the original Dirty Frag vulnerabilities.

Technical Details

Fragnesia exploits a logic flaw in the Linux XFRM ESP-in-TCP implementation, specifically the improper handling of shared page fragments during skb coalescing. The exploit abuses a window in which file-backed pages are spliced into a TCP receive queue before the socket transitions into espintcp ULP mode. Once ESP processing is enabled, the kernel decrypts the queued data in place. Because AES-GCM decryption is an XOR of the input with a keystream derived from the key, and the key belongs to an attacker-installed security association, the attacker controls what the file-backed bytes become, and the result lands in the underlying page cache.

The exploit uses user and network namespaces to obtain CAP_NET_ADMIN within an isolated namespace, installs a crafted ESP security association through NETLINK_XFRM, and repeatedly triggers controlled single-byte writes into cached file pages. The researchers demonstrated overwriting the first bytes of /usr/bin/su with a small ELF payload that invokes setresuid(0,0,0) and executes /bin/sh, yielding a root shell. The modification exists only in page cache memory and does not alter the on-disk binary, so it disappears when the page is evicted or the system reboots. AppArmor restrictions on unprivileged user namespaces, such as those enabled by default on Ubuntu, are a partial mitigation: exploitation then requires an additional bypass. Unlike Dirty Frag, however, no host-level privileges are required.
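The write primitive described above comes down to one cryptographic fact: GCM decryption XORs the data with an AES-CTR keystream, so an attacker who chooses the SA key chooses the keystream and therefore what a known cached byte turns into. The following is an added, self-contained model of that step, not code from the page or from the researchers' exploit. It assumes AES-128 with a fixed all-zero 96-bit nonce, treats each write as a one-byte ESP payload (so keystream byte 0 is the one applied), ignores the GCM tag (which does not change the bytes written), and searches only the last two key bytes; the "page" contents and the bytes written into it are constructed for the demo. It carries a tiny AES implementation so that it runs without OpenSSL.

```c
/* Added model of the Fragnesia write primitive, not the researchers' exploit: GCM decryption is an
 * XOR with an AES-CTR keystream, so whoever picks the SA key picks what a known cached byte becomes.
 * Assumptions: AES-128, a fixed all-zero 96-bit nonce, GCM tag ignored (it does not change the bytes). */
#include <stdint.h>
#include <string.h>

static uint8_t SBOX[256]; static int sbox_ready;
static uint8_t xtime(uint8_t x) { return (uint8_t)((x << 1) ^ ((x & 0x80) ? 0x1b : 0)); }
static uint8_t gmul(uint8_t a, uint8_t b) {        /* multiply in GF(2^8) */
    uint8_t r = 0;
    for (; b; b >>= 1, a = xtime(a)) if (b & 1) r ^= a;
    return r;
}
static void init_sbox(void) {                      /* build the S-box from its definition */
    if (sbox_ready) return; sbox_ready = 1;
    for (int i = 0; i < 256; i++) {
        uint8_t inv = 0, x, s;
        for (int j = 1; i && j < 256; j++) if (gmul((uint8_t)i, (uint8_t)j) == 1) { inv = (uint8_t)j; break; }
        s = x = inv;                               /* affine map: b ^ rotl(b,1..4) ^ 0x63 */
        for (int k = 0; k < 4; k++) { x = (uint8_t)((x << 1) | (x >> 7)); s ^= x; }
        SBOX[i] = s ^ 0x63;
    }
}
static void expand_key(const uint8_t key[16], uint8_t rk[176]) {   /* AES-128 key schedule */
    uint8_t rcon = 1;
    init_sbox();
    memcpy(rk, key, 16);
    for (int i = 16; i < 176; i += 4) {
        uint8_t t[4]; memcpy(t, rk + i - 4, 4);
        if (i % 16 == 0) {                         /* RotWord, SubWord, Rcon */
            uint8_t t0 = t[0];
            t[0] = SBOX[t[1]] ^ rcon; t[1] = SBOX[t[2]]; t[2] = SBOX[t[3]]; t[3] = SBOX[t0];
            rcon = xtime(rcon);
        }
        for (int j = 0; j < 4; j++) rk[i + j] = rk[i - 16 + j] ^ t[j];
    }
}
static void aes128_encrypt(const uint8_t rk[176], const uint8_t in[16], uint8_t out[16]) {
    uint8_t s[16], t[16];
    memcpy(s, in, 16);
    for (int i = 0; i < 16; i++) s[i] ^= rk[i];
    for (int r = 1; r <= 10; r++) {
        for (int c = 0; c < 4; c++)                /* SubBytes + ShiftRows, column-major state */
            for (int row = 0; row < 4; row++) t[c * 4 + row] = SBOX[s[((c + row) % 4) * 4 + row]];
        if (r < 10) for (int c = 0; c < 4; c++) {  /* MixColumns */
            uint8_t a0 = t[c * 4], a1 = t[c * 4 + 1], a2 = t[c * 4 + 2], a3 = t[c * 4 + 3];
            s[c * 4]     = xtime(a0) ^ xtime(a1) ^ a1 ^ a2 ^ a3;
            s[c * 4 + 1] = a0 ^ xtime(a1) ^ xtime(a2) ^ a2 ^ a3;
            s[c * 4 + 2] = a0 ^ a1 ^ xtime(a2) ^ xtime(a3) ^ a3;
            s[c * 4 + 3] = xtime(a0) ^ a0 ^ a1 ^ a2 ^ xtime(a3);
        } else memcpy(s, t, 16);
        for (int i = 0; i < 16; i++) s[i] ^= rk[r * 16 + i];
    }
    memcpy(out, s, 16);
}

/* FIPS-197 Appendix C.1 known-answer test; returns 1 if the AES core above is correct. */
int aes128_selftest(void) {
    static const uint8_t want[16] = {0x69,0xc4,0xe0,0xd8,0x6a,0x7b,0x04,0x30,0xd8,0xcd,0xb7,0x80,0x70,0xb4,0xc5,0x5a};
    uint8_t key[16], pt[16], ct[16], rk[176];
    for (int i = 0; i < 16; i++) { key[i] = (uint8_t)i; pt[i] = (uint8_t)(i * 0x11); }
    expand_key(key, rk);
    aes128_encrypt(rk, pt, ct);
    return memcmp(ct, want, 16) == 0;
}
/* Keystream byte GCM XORs into payload byte `off`: J0 carries counter 1, data blocks start at 2. */
uint8_t gcm_keystream_byte(const uint8_t key[16], const uint8_t nonce[12], size_t off) {
    uint8_t rk[176], ctr[16], ks[16];
    uint32_t c = 2u + (uint32_t)(off / 16);
    expand_key(key, rk);
    memcpy(ctr, nonce, 12);
    ctr[12] = (uint8_t)(c >> 24); ctr[13] = (uint8_t)(c >> 16); ctr[14] = (uint8_t)(c >> 8); ctr[15] = (uint8_t)c;
    aes128_encrypt(rk, ctr, ks);
    return ks[off % 16];
}
/* Vary the last two key bytes until keystream[off] == orig ^ want (about 256 tries on average). */
int find_key_for_byte(uint8_t key[16], const uint8_t nonce[12], size_t off, uint8_t orig, uint8_t want) {
    for (unsigned i = 0; i < 65536; i++) {
        key[14] = (uint8_t)(i >> 8); key[15] = (uint8_t)i;
        if (gcm_keystream_byte(key, nonce, off) == (uint8_t)(orig ^ want)) return 1;
    }
    return 0;
}
/* One controlled single-byte write: page[pos] is the whole one-byte ESP payload, so the kernel's
 * in-place decryption XORs keystream byte 0 into it. Returns 1 if the page now holds `want`. */
int write_page_byte(uint8_t *page, size_t pos, uint8_t want, const uint8_t nonce[12]) {
    uint8_t key[16] = {0};
    if (!find_key_for_byte(key, nonce, 0, page[pos], want)) return 0;
    page[pos] ^= gcm_keystream_byte(key, nonce, 0);   /* what the in-place decryption does */
    return page[pos] == want;
}
/* Constructed demo: rewrite the first four bytes of a cached ELF page, leaving the rest intact. */
int demo_rewrite(void) {
    uint8_t page[8] = {0x7f, 'E', 'L', 'F', 2, 1, 1, 0};   /* constructed page-cache contents */
    const uint8_t payload[4] = {0x90, 0x90, 0xcc, 0x00};   /* constructed bytes, not a real stub */
    const uint8_t nonce[12] = {0};
    for (size_t i = 0; i < 4; i++) if (!write_page_byte(page, i, payload[i], nonce)) return 0;
    return memcmp(page, payload, 4) == 0 && page[4] == 2 && page[7] == 0;
}
```

The point the model makes is why the page calls the primitive deterministic: the attacker knows the original byte (it is file content), computes which keystream byte is needed, and only has to find a key that produces it, which takes roughly 256 attempts per byte. Nothing about the search depends on a weakness in AES; it is the attacker's control of the key, combined with decryption happening in place on file-backed memory, that turns decryption into a write.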

Recommendations

  • Apply vendor kernel patches that address the underlying XFRM ESP-in-TCP vulnerability as they become available.

  • Until patches are deployed, disable the modules that both Fragnesia and Dirty Frag rely on, if they are not needed. Unload them (rmmod fails if a module is in use, for example by an active IPsec tunnel) and blacklist them so the kernel cannot auto-load them on demand; both steps require root:

rmmod esp4 esp6 rxrpc

printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/fragnesia.conf

  • Restrict or disable unprivileged user namespaces where operationally feasible.

  • Monitor systems for suspicious namespace creation, XFRM manipulation, or abnormal use of AF_ALG.

  • If exploitation is suspected, reboot affected systems or drop the page cache (as root) so that modified in-memory copies are discarded and re-read from disk. Note that drop_caches only evicts clean pages that are not currently mapped; a modified binary that is still executing keeps its pages mapped, so a reboot is the reliable option:

echo 1 | tee /proc/sys/vm/drop_caches

How Can Wiz Help?

Wiz customers can use the pre-built queries and advisory in the Wiz Threat Intel Center to search for relevant instances in their environment. Wiz Research will continue to update that advisory as the situation develops.
