CVE-2026-46300

HIGH LAB

net: skbuff: propagate shared-frag marker through frag-transfer helpers

Title source: cna

Exploitation Summary

EIP tracks 14 public exploits for CVE-2026-46300. PoCs published by nu11secur1ty, Unclecheng-li, 0xBlackash.

AI-analyzed exploit summary: The provided content describes a Linux kernel privilege escalation exploit chain but lacks actual exploit code. It references external links (Patreon, GitHub) for the exploit and patch, which is characteristic of suspicious repositories.

Description

In the Linux kernel, the following vulnerability has been resolved:

net: skbuff: preserve shared-frag marker during coalescing

skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost.

That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags.

Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.

Exploits (14)

exploitdb SUSPICIOUS
by nu11secur1ty · text · local · linux
https://www.exploit-db.com/exploits/52591

The provided content describes a Linux kernel privilege escalation exploit chain but lacks actual exploit code. It references external links (Patreon, GitHub) for the exploit and patch, which is characteristic of suspicious repositories.

Classification: Suspicious 90%
Attack Type: LPE
Complexity: Complex
Reliability: Theoretical
Target: Linux Kernel (various distributions)
No auth needed
Prerequisites: Local access to a vulnerable Linux system
devstral-2 · analyzed May 30, 2026

github WORKING POC 359 stars
by Unclecheng-li · c · poc
https://github.com/Unclecheng-li/poc-lab/tree/main/CVE-2026-46300 Fragnesia

This repository contains a functional exploit for CVE-2026-46300, a Linux kernel local privilege escalation vulnerability. The exploit leverages page cache replacement via ESP-in-TCP/TCP coalesce to achieve byte-controlled pollution, allowing an attacker to modify the page cache of a read-only file (e.g., /usr/bin/su) to execute arbitrary code with elevated privileges.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel (specific versions not specified, but requires unprivileged user namespace, XFRM, ESP-in-TCP, and AF_ALG support)
No auth needed
Prerequisites: unprivileged user namespace access · network namespace access · XFRM and ESP-in-TCP support in the kernel · AF_ALG ecb(aes) support · readable page cache of a target setuid binary
devstral-2 · analyzed May 25, 2026

nomisec WORKING POC 3 stars
by 0xBlackash · poc
https://github.com/0xBlackash/CVE-2026-46300

The repository contains a functional local privilege escalation exploit for CVE-2026-46300, leveraging a logic flaw in the Linux kernel's socket buffer handling within the XFRM/ESP-in-TCP subsystem to achieve arbitrary byte writes in the kernel page cache.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux Kernel (XFRM/ESP-in-TCP subsystem)
No auth needed
Prerequisites: Unprivileged local access · Linux system with vulnerable kernel
devstral-2 · analyzed May 24, 2026

nomisec WORKING POC 1 star
by Sentebale · poc
https://github.com/Sentebale/CVE-2026-46300

This PoC demonstrates a local privilege escalation (LPE) exploit leveraging Linux namespace isolation (CLONE_NEWUSER and CLONE_NEWNET) to gain root access. It uses unshare() to create new user and network namespaces, then spawns a shell with elevated privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel (likely versions with vulnerable namespace handling)
Auth required
Prerequisites: Local user access on a vulnerable Linux system · Python 3 environment
devstral-2 · analyzed May 24, 2026

nomisec WRITEUP
by BenedictEjepu · poc
https://github.com/BenedictEjepu/CVE-2026-46300-Fragnesia---TryHackMe-Lab-Project

This repository documents the analysis of CVE-2026-46300, a Linux kernel page-cache corruption vulnerability that allows local privilege escalation by modifying cached file pages without altering the underlying disk files. The content appears to be a technical writeup based on a TryHackMe lab project.

Classification: Writeup 80%
Attack Type: LPE
Complexity: Moderate
Reliability: Theoretical
Target: Linux kernel (version not specified)
Auth required
Prerequisites: Local access to the vulnerable system
devstral-2 · analyzed Jun 18, 2026

github WORKING POC
by 1neptune · go · poc
https://github.com/1neptune/Fragnesia

This repository contains a functional Go-based exploit for CVE-2026-46300, leveraging a kernel page-cache write primitive via TCP_ULP espintcp to achieve local privilege escalation (LPE). The exploit builds a keystream table for AES-GCM decryption, flips bytes in the page cache of /usr/bin/su, and spawns a root shell via a PTY.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel (specific versions on Ubuntu, RHEL, Rocky Linux, CentOS Stream, Oracle Linux, openEuler)
No auth needed
Prerequisites: Unprivileged user access · Specific kernel versions vulnerable to CVE-2026-46300
devstral-2 · analyzed Jun 03, 2026

github WORKING POC
by AzDevops143 · c · poc
https://github.com/AzDevops143/FRAGNESIA-Charan-cve-2026-46300

This repository contains a functional exploit PoC for CVE-2026-46300, demonstrating a kernel memory corruption vulnerability via TCP_ULP setsockopt and namespace escape techniques. The exploit includes a Docker-based test environment to simulate both mitigated and unmitigated scenarios.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux Kernel (specific version not specified)
No auth needed
Prerequisites: Linux environment with Docker · Kernel with vulnerable TCP_ULP implementation
devstral-2 · analyzed Jun 02, 2026

nomisec WORKING POC
by AzDevops143 · poc
https://github.com/AzDevops143/fragnesia-cve-2026-46300

This repository contains a functional simulation of CVE-2026-46300, a privilege escalation vulnerability in Cisco Secure Command Center. The exploit leverages a logical flaw in the espintcp module to corrupt file-backed page cache, leading to arbitrary code execution with root privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Theoretical
Target: Cisco Secure Command Center (Fragnesia)
No auth needed
Prerequisites: Unprivileged user access · Local socket creation permissions · Target binary (/usr/bin/su) present
devstral-2 · analyzed Jun 02, 2026

gitlab WORKING POC
by Koshmare-Blossom · poc
https://gitlab.com/Koshmare-Blossom/Fragnesia-go

This repository contains a functional Go exploit for CVE-2026-46300, leveraging a Linux kernel vulnerability in the XFRM ESP-in-TCP subsystem to achieve local privilege escalation (LPE). The exploit uses a controlled single-byte write primitive via AES-GCM decryption in the page cache to overwrite /usr/bin/su with a root shell payload.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel (unpatched, specific version not specified)
No auth needed
Prerequisites: unpatched Linux kernel with vulnerable XFRM ESP-in-TCP implementation · ability to execute binaries on the target system
devstral-2 · analyzed May 25, 2026

nomisec WORKING POC
by Koshmare-Blossom · poc
https://github.com/Koshmare-Blossom/Fragnesia-go

This repository contains a functional Go-based exploit for CVE-2026-46300, leveraging a Linux kernel vulnerability in the XFRM ESP-in-TCP subsystem to achieve local privilege escalation (LPE). The exploit uses a controlled single-byte write primitive via AES-GCM decryption in-place on page-cache pages, allowing arbitrary code execution as root.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel (unpatched, specific version not specified)
No auth needed
Prerequisites: Unpatched Linux kernel with vulnerable XFRM ESP-in-TCP implementation · Local user access · Readable target file (e.g., /usr/bin/su)
devstral-2 · analyzed May 24, 2026

nomisec WORKING POC
by First-John · poc
https://github.com/First-John/cve_2026_frag_family_fix

This repository contains a Go-based tool that mitigates CVE-2026-43500 and CVE-2026-43284 by disabling vulnerable kernel modules (esp4, esp6, rxrpc) and applying kernel updates. It includes functionality to detect vulnerable modules, apply hotfixes, and clean up artifacts post-update.

Classification: Working PoC 95%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Linux kernel (specific versions vulnerable to CVE-2026-43500 and CVE-2026-43284)
Auth required
Prerequisites: root access · vulnerable kernel modules loaded
devstral-2 · analyzed May 24, 2026

nomisec WRITEUP
by Maxime288 · poc
https://github.com/Maxime288/Fragnesia-CVE-2026-46300

This repository provides a detailed technical analysis of CVE-2026-46300, a local privilege escalation vulnerability in the Linux kernel's XFRM ESP-in-TCP subsystem. It includes root cause analysis, patch information, and remediation steps but does not contain exploit code.

Classification: Writeup 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Linux Kernel (versions before May 13, 2026)
No auth needed
Prerequisites: Access to a vulnerable Linux system · User namespace capabilities
devstral-2 · analyzed May 24, 2026

nomisec SUSPICIOUS
by ExploitEoom · poc
https://github.com/ExploitEoom/CVE-2026-46300

The repository contains no actual exploit code, only a README with instructions to clone and run a non-existent 'exploit' file. This is a social engineering lure designed to trick users into downloading external content.

Classification: Suspicious 90%
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: Linux kernel
No auth needed
Prerequisites: none
devstral-2 · analyzed May 24, 2026

nomisec WORKING POC
by HORKimhab · poc
https://github.com/HORKimhab/CVE-2026-46300

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2026-46300, targeting a logic bug in the Linux XFRM ESP-in-TCP subsystem. The exploit achieves arbitrary byte writes into the kernel page cache of read-only files by manipulating the ESP-in-TCP ULP mode transition and AES-GCM keystream bytes.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Linux kernel (versions before May 13, 2026)
No auth needed
Prerequisites: Unprivileged user namespace access (may require AppArmor adjustment on Ubuntu) · Readable target file in /tmp or /var/tmp
devstral-2 · analyzed May 24, 2026

Scores

CVSS v3 7.8
EPSS 0.0158
EPSS Percentile 72.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-787
Status: published
Products (28)
Linux/Linux < 3.9
Linux/Linux 3.9
Linux/Linux 5.10.257 - 5.10.*
Linux/Linux 5.15.208 - 5.15.*
Linux/Linux 6.1.174 - 6.1.*
Linux/Linux 6.12.91 - 6.12.*
Linux/Linux 6.18.33 - 6.18.*
Linux/Linux 6.6.141 - 6.6.*
Linux/Linux 7.0.10 - 7.0.*
Linux/Linux 7.1
... and 18 more
Published May 23, 2026
Tracked Since May 23, 2026