CVE-2026-46300

HIGH LAB

net: skbuff: propagate shared-frag marker through frag-transfer helpers

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 17 public exploits for CVE-2026-46300. PoCs published by nu11secur1ty, Unclecheng-li, 0xBlackash.

AI-analyzed exploit summary The provided content describes a Linux kernel privilege escalation exploit chain but lacks actual exploit code. It references external links (Patreon, GitHub) for the exploit and patch, which is characteristic of suspicious repositories.

Description

In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.

Exploits (17)

exploitdb SUSPICIOUS
by nu11secur1ty · textlocallinux
https://www.exploit-db.com/exploits/52591

The provided content describes a Linux kernel privilege escalation exploit chain but lacks actual exploit code. It references external links (Patreon, GitHub) for the exploit and patch, which is characteristic of suspicious repositories.

Classification
Suspicious 90%
Attack Type
Lpe
Complexity
Complex
Reliability
Theoretical
Target: Linux Kernel (various distributions)
No auth needed
Prerequisites: Local access to a vulnerable Linux system
mistral-large-3 · analyzed May 30, 2026 Full analysis →
github WORKING POC 359 stars
by Unclecheng-li · cpoc
https://github.com/Unclecheng-li/poc-lab/tree/main/CVE-2026-46300 Fragnesia

This repository contains a functional exploit for CVE-2026-46300, a Linux kernel local privilege escalation vulnerability. The exploit leverages page cache replacement via ESP-in-TCP/TCP coalesce to achieve byte-controlled pollution, allowing an attacker to modify the page cache of a read-only file (e.g., /usr/bin/su) to execute arbitrary code with elevated privileges.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Linux kernel (specific versions not specified, but requires unprivileged user namespace, XFRM, ESP-in-TCP, and AF_ALG support)
No auth needed
Prerequisites: unprivileged user namespace access · network namespace access · XFRM and ESP-in-TCP support in the kernel · AF_ALG ecb(aes) support · readable page cache of a target setuid binary
mistral-large-3 · analyzed May 25, 2026 Full analysis →
nomisec WORKING POC 3 stars
by 0xBlackash · poc
https://github.com/0xBlackash/CVE-2026-46300

The repository contains a functional local privilege escalation exploit for CVE-2026-46300, leveraging a logic flaw in the Linux kernel's socket buffer handling within the XFRM/ESP-in-TCP subsystem to achieve arbitrary byte writes in the kernel page cache.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Linux Kernel (XFRM/ESP-in-TCP subsystem)
No auth needed
Prerequisites: Unprivileged local access · Linux system with vulnerable kernel
mistral-large-3 · analyzed May 24, 2026 Full analysis →
nomisec WORKING POC 1 stars
by MadExploits · poc
https://github.com/MadExploits/CVE-2026-46300

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2026-46300, targeting Linux kernel vulnerabilities in ESP/XFRM and RxRPC protocols. The exploit includes multiple implementations (Bash, Python, and C) to corrupt system binaries or configuration files, achieving root access.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Linux Kernel (specific versions not specified, but targets Ubuntu 25.10 in C code)
No auth needed
Prerequisites: Linux kernel with ESP/XFRM or RxRPC modules loaded · CAP_NET_RAW capability or root privileges for raw socket access · Specific kernel configuration (e.g., CONFIG_ESPINTCP)
mistral-large-3 · analyzed Jul 01, 2026 Full analysis →
nomisec WORKING POC 1 stars
by Sentebale · poc
https://github.com/Sentebale/CVE-2026-46300

This PoC demonstrates a local privilege escalation (LPE) exploit leveraging Linux namespace isolation (CLONE_NEWUSER and CLONE_NEWNET) to gain root access. It uses unshare() to create new user and network namespaces, then spawns a shell with elevated privileges.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Linux kernel (likely versions with vulnerable namespace handling)
Auth required
Prerequisites: Local user access on a vulnerable Linux system · Python 3 environment
mistral-large-3 · analyzed May 24, 2026 Full analysis →
github WORKING POC
by SecureWithUmer · c++poc
https://github.com/SecureWithUmer/CVE-2026-PoCs/tree/main/2026/CVE-2026-46300

This exploit demonstrates a local privilege escalation (LPE) vulnerability in the Linux kernel's ESP-in-TCP handling (CVE-2026-46300). It abuses AES-GCM decryption in the `espintcp` TCP_ULP module to perform in-place XOR operations on page-cache pages, allowing arbitrary modification of `/usr/bin/su` to inject a root shell payload.

Classification
Working Poc 98%
Attack Type
Lpe
Complexity
Complex
Reliability
Racy
Target: Linux kernel (ESP-in-TCP/IPsec stack, specifically the `espintcp` ULP module)
Auth required
Prerequisites: Linux kernel with `espintcp` module loaded · Ability to create network namespaces · Read/write access to `/usr/bin/su` · CAP_NET_ADMIN capability (for XFRM SA setup)
mistral-large-3 · analyzed Jul 08, 2026 Full analysis →
github WRITEUP
by azilRababe · poc
https://github.com/azilRababe/CVE-2026-46300

This repository contains a detailed technical analysis of CVE-2026-46300 (Fragnesia), a Linux kernel local privilege escalation vulnerability. It explains the root cause, exploitation chain, and mitigation strategies, focusing on the SKBFL_SHARED_FRAG flag mishandling in skb_try_coalesce().

Classification
Writeup 100%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Linux kernel (versions affected by CVE-2026-46300)
No auth needed
Prerequisites: Local access to a vulnerable Linux system · Ability to execute splice() and setsockopt() calls · Presence of setuid binaries in the page cache
mistral-large-3 · analyzed Jun 22, 2026 Full analysis →
nomisec WRITEUP
by BenedictEjepu · poc
https://github.com/BenedictEjepu/CVE-2026-46300-Fragnesia---TryHackMe-Lab-Project

This repository documents the analysis of CVE-2026-46300, a Linux kernel page-cache corruption vulnerability that allows local privilege escalation by modifying cached file pages without altering the underlying disk files. The content appears to be a technical writeup based on a TryHackMe lab project.

Classification
Writeup 80%
Attack Type
Lpe
Complexity
Moderate
Reliability
Theoretical
Target: Linux kernel (version not specified)
Auth required
Prerequisites: Local access to the vulnerable system
mistral-large-3 · analyzed Jun 18, 2026 Full analysis →
github WORKING POC
by 1neptune · gopoc
https://github.com/1neptune/Fragnesia

This repository contains a functional Go-based exploit for CVE-2026-46300, leveraging a kernel page-cache write primitive via TCP_ULP espintcp to achieve local privilege escalation (LPE). The exploit builds a keystream table for AES-GCM decryption, flips bytes in the page cache of /usr/bin/su, and spawns a root shell via a PTY.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Linux kernel (specific versions on Ubuntu, RHEL, Rocky Linux, CentOS Stream, Oracle Linux, openEuler)
No auth needed
Prerequisites: Unprivileged user access · Specific kernel versions vulnerable to CVE-2026-46300
mistral-large-3 · analyzed Jun 03, 2026 Full analysis →
github WORKING POC
by AzDevops143 · cpoc
https://github.com/AzDevops143/FRAGNESIA-Charan-cve-2026-46300

This repository contains a functional exploit PoC for CVE-2026-46300, demonstrating a kernel memory corruption vulnerability via TCP_ULP setsockopt and namespace escape techniques. The exploit includes a Docker-based test environment to simulate both mitigated and unmitigated scenarios.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Linux Kernel (specific version not specified)
No auth needed
Prerequisites: Linux environment with Docker · Kernel with vulnerable TCP_ULP implementation
mistral-large-3 · analyzed Jun 02, 2026 Full analysis →
nomisec WORKING POC
by AzDevops143 · poc
https://github.com/AzDevops143/fragnesia-cve-2026-46300

This repository contains a functional simulation of CVE-2026-46300, a privilege escalation vulnerability in Cisco Secure Command Center. The exploit leverages a logical flaw in the espintcp module to corrupt file-backed page cache, leading to arbitrary code execution with root privileges.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Theoretical
Target: Cisco Secure Command Center (Fragnesia)
No auth needed
Prerequisites: Unprivileged user access · Local socket creation permissions · Target binary (/usr/bin/su) present
mistral-large-3 · analyzed Jun 02, 2026 Full analysis →
gitlab WORKING POC
by Koshmare-Blossom · poc
https://gitlab.com/Koshmare-Blossom/Fragnesia-go

This repository contains a functional Go exploit for CVE-2026-46300, leveraging a Linux kernel vulnerability in the XFRM ESP-in-TCP subsystem to achieve local privilege escalation (LPE). The exploit uses a controlled single-byte write primitive via AES-GCM decryption in the page cache to overwrite /usr/bin/su with a root shell payload.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Linux kernel (unpatched, specific version not specified)
No auth needed
Prerequisites: unpatched Linux kernel with vulnerable XFRM ESP-in-TCP implementation · ability to execute binaries on the target system
mistral-large-3 · analyzed May 25, 2026 Full analysis →
nomisec WORKING POC
by Koshmare-Blossom · poc
https://github.com/Koshmare-Blossom/Fragnesia-go

This repository contains a functional Go-based exploit for CVE-2026-46300, leveraging a Linux kernel vulnerability in the XFRM ESP-in-TCP subsystem to achieve local privilege escalation (LPE). The exploit uses a controlled single-byte write primitive via AES-GCM decryption in-place on page-cache pages, allowing arbitrary code execution as root.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Linux kernel (unpatched, specific version not specified)
No auth needed
Prerequisites: Unpatched Linux kernel with vulnerable XFRM ESP-in-TCP implementation · Local user access · Readable target file (e.g., /usr/bin/su)
mistral-large-3 · analyzed May 24, 2026 Full analysis →
nomisec WORKING POC
by First-John · poc
https://github.com/First-John/cve_2026_frag_family_fix

This repository contains a Go-based tool that mitigates CVE-2026-43500 and CVE-2026-43284 by disabling vulnerable kernel modules (esp4, esp6, rxrpc) and applying kernel updates. It includes functionality to detect vulnerable modules, apply hotfixes, and clean up artifacts post-update.

Classification
Working Poc 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Linux kernel (specific versions vulnerable to CVE-2026-43500 and CVE-2026-43284)
Auth required
Prerequisites: root access · vulnerable kernel modules loaded
mistral-large-3 · analyzed May 24, 2026 Full analysis →
nomisec WRITEUP
by Maxime288 · poc
https://github.com/Maxime288/Fragnesia-CVE-2026-46300

This repository provides a detailed technical analysis of CVE-2026-46300, a local privilege escalation vulnerability in the Linux kernel's XFRM ESP-in-TCP subsystem. It includes root cause analysis, patch information, and remediation steps but does not contain exploit code.

Classification
Writeup 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Linux Kernel (versions before May 13, 2026)
No auth needed
Prerequisites: Access to a vulnerable Linux system · User namespace capabilities
mistral-large-3 · analyzed May 24, 2026 Full analysis →
nomisec SUSPICIOUS
by ExploitEoom · poc
https://github.com/ExploitEoom/CVE-2026-46300

The repository contains no actual exploit code, only a README with instructions to clone and run a non-existent 'exploit' file. This is a social engineering lure designed to trick users into downloading external content.

Classification
Suspicious 90%
Attack Type
Other
Complexity
Theoretical
Reliability
Theoretical
Target: Linux kernel
No auth needed
Prerequisites: none
mistral-large-3 · analyzed May 24, 2026 Full analysis →
nomisec WORKING POC
by HORKimhab · poc
https://github.com/HORKimhab/CVE-2026-46300

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2026-46300, targeting a logic bug in the Linux XFRM ESP-in-TCP subsystem. The exploit achieves arbitrary byte writes into the kernel page cache of read-only files by manipulating the ESP-in-TCP ULP mode transition and AES-GCM keystream bytes.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Linux kernel (versions before May 13, 2026)
No auth needed
Prerequisites: Unprivileged user namespace access (may require AppArmor adjustment on Ubuntu) · Readable target file in /tmp or /var/tmp
mistral-large-3 · analyzed May 24, 2026 Full analysis →

References (55)

Core 55
Core References

Scores

CVSS v3 7.8
EPSS 0.0366
EPSS Percentile 88.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-123 CWE-787
Status published
Products (35)
linux/Kernel 3.9.0 - 5.10.257linux
linux/Kernel 5.11.0 - 5.15.208linux
linux/Kernel 5.16.0 - 6.1.174linux
linux/Kernel 6.13.0 - 6.18.33linux
linux/Kernel 6.19.0 - 7.0.10linux
linux/Kernel 6.2.0 - 6.6.141linux
linux/Kernel 6.7.0 - 6.12.91linux
Linux/Linux < 3.9
Linux/Linux 3.9
Linux/Linux 5.10.257 - 5.10.*
... and 25 more
Published May 23, 2026
Tracked Since May 23, 2026