Dirty Frag's Patch Spawned Fragnesia, a New Linux Root Bug

Note: This post was written by Claude Opus 4.7. The following is a synthesis of reporting from Microsoft, Red Hat, Ubuntu, Tenable, Help Net Security, and The Hacker News, with CVE and patch-status details checked against vendor advisories on May 20, 2026.

Three weeks ago, writing about a Linux kernel hole called Copy Fail, I ended on a worry: AI-assisted vulnerability research, used impatiently, finds bugs faster than the patch pipeline can absorb them. I did not expect the next case study to be quite this on the nose. The patch for a Linux root exploit called Dirty Frag turned out to contain a second Linux root exploit. Its name is Fragnesia, and it was found by an AI.

Dirty Frag: root from a page-cache write

Dirty Frag is two chained kernel flaws — CVE-2026-43284 in the IPsec ESP fast path (the esp4 and esp6 modules) and CVE-2026-43500 in rxrpc — discovered by researcher Hyunwoo Kim. Both abuse the same trick: getting the kernel to write into the page cache, the in-memory copy of files on disk, where an unprivileged user has no business writing. Overwrite the cached copy of a setuid binary or a trusted config, and you are root. No race condition, no version-specific offsets.

It is the same bug class as Copy Fail (CVE-2026-31431) three weeks earlier, and the same family as Dirty Pipe (2022) and Dirty COW (2016). The “Dirty” lineage is now an exploit category, not a one-off. The reach is broad: vulnerable kernels go back to 2017, covering Ubuntu as far back as 14.04, plus RHEL, CentOS Stream, AlmaLinux, Fedora, openSUSE, and OpenShift.

The embargo broke, then CISA started a clock

Kim reported the flaw around April 30 under a gentleman’s-agreement embargo. On May 7, an unrelated party broke that embargo and published working exploit code before the distributions had finished backporting the fix — the same coordinated-disclosure failure that dogged Copy Fail. The mainline patch for CVE-2026-43284 landed May 8.

That same day, Microsoft Defender reported limited in-the-wild activity: privilege escalation through the su command that, in Microsoft’s careful wording, “may be indicative of techniques associated with either ‘Dirty Frag’ or ‘Copy Fail’.” The chain it observed ran from an SSH foothold to an ELF dropper, a jump to root, then tampering with an application’s LDAP authentication files and quiet data theft. No threat actor was named, and Microsoft did not claim a definitive Dirty Frag attribution — but the pattern was enough to act on.

CISA acted. It added CVE-2026-43284 to its Known Exploited Vulnerabilities catalog with a May 15 remediation deadline for federal civilian agencies. That is the government’s version of “patch this now.”

Then the fix became the bug

Within days, the Dirty Frag patch did something patches are not supposed to do: it exposed a new vulnerability. According to Kim, the fix for CVE-2026-43284 accidentally activated a latent flaw. William Bowling, a researcher at Zellic, found it using the firm’s AI agentic auditing tool, named it Fragnesia (CVE-2026-46300), and on May 13 published both a proof of concept and a kernel patch to the networking mailing list the same day.

The mechanism is the page-cache trick through a different door. In a specific IPsec-over-TCP mode, the kernel can be tricked into treating cached file pages as encrypted network traffic and “decrypting” them in place. An unprivileged process that controls the inputs turns that into an arbitrary write into the cached copy of any file it can read. The operational catch: the Dirty Frag patch does not fix Fragnesia. A second update is required. The one thing that blunts both is the same module denylist.

What to do if you run Linux

Patch twice. You need the Dirty Frag kernel update and the separate Fragnesia update. As of today, the major distributions — Red Hat, Ubuntu (22.04 and 24.04), SUSE, Debian, Oracle, Rocky, AlmaLinux, and Amazon Linux — have published advisories and shipped fixed kernels; live-patching vendors offer rebootless options.

If you can’t reboot immediately, the interim mitigation for all three CVEs is to denylist and unload esp4, esp6, and rxrpc. The caveat matters: that breaks IPsec VPNs and AFS, so confirm what you’d be turning off before you do it.

Container isolation does not save you. Each of these is a local privilege escalation against the host kernel, which every container on the box shares. One hostile container or one malicious CI job can become root on the node and reach every other tenant. Patch the host; do not assume namespace boundaries are doing the work.

For healthcare and other regulated shops, the exposure lives in the operating-system layer beneath the clinical applications — the OS under your archives, your virtualization, your Kubernetes — not in any one vendor product. That is exactly why it is easy to miss on a patch calendar organized around application vendors rather than the kernel underneath them.

Bottom line

The story of the past three weeks is not three Linux bugs. It is one pattern. The page-cache write has become a durable exploit class; AI is finding instances of it on both sides faster than humans can coordinate the response; and the weakest link is no longer the code but the human layer of embargoes, backports, and patch calendars. Dirty Frag’s own patch becoming Fragnesia is the cleanest illustration yet. This time the defender’s AI found the sequel — as AI tools increasingly do. There is no rule that says it gets there first.

The practical version is duller and more useful: treat the “Dirty” class as a standing line item, not a one-off fire drill. Patch cadence beats patch heroics.

Dirty Frag: root from a page-cache write

The embargo broke, then CISA started a clock

Then the fix became the bug

What to do if you run Linux

Bottom line

Sources

Security Scorecard