Fragnesia Linux Kernel Vulnerability Leads to Root Privilege Escalation

May 14, 2026 Lisa Park Tech
Original source: bleepingcomputer.com

A critical vulnerability in the Linux kernel, identified as Fragnesia, allows attackers to achieve local privilege escalation (LPE) and gain full root access to affected systems. The flaw involves a mechanism that enables the corruption of the kernel’s page cache, which is the area of memory used to store recently accessed data from the disk to improve system performance.

Security researchers at Wiz.io discovered the vulnerability, which they have linked to a specific interaction involving ESP-in-TCP. By exploiting this flaw, a user with limited permissions on a system can manipulate the kernel’s memory management to overwrite critical data, effectively bypassing security boundaries to obtain the highest level of administrative authority.

The vulnerability has been referred to by different names across the security community, including Dirty Frag and Copy Fail. Because it is a local privilege escalation flaw, an attacker must already have some form of access to the target machine—such as through a compromised low-privileged account or a separate remote code execution vulnerability—before they can deploy the Fragnesia exploit.

Microsoft has issued warnings regarding the active exploitation of this vulnerability, noting that the Dirty Frag flaw significantly expands the risk associated with post-compromise activities. According to Microsoft, attackers are using the vulnerability to move laterally through networks and deepen their control over infected infrastructure after an initial breach has occurred.

The technical core of the issue is corruption of the kernel’s page cache. When the kernel fails to properly validate or protect specific memory pages during certain operations, an attacker can induce a state where the kernel writes data to a location it should not, or reads modified data as if it were trusted. This corruption allows the attacker to overwrite the credentials of their current process, elevating it to root status.

Cloudflare has detailed its response to the vulnerability, which it identified internally as Copy Fail. The company’s engineering teams worked to mitigate the risk across its global edge network, focusing on updating kernel versions and implementing safeguards to prevent the specific memory corruption patterns used by the exploit.

The impact of Fragnesia is particularly acute for cloud environments and multi-tenant servers where multiple users or containers share the same underlying Linux kernel. In these scenarios, a breach of a single isolated container could potentially lead to a full host takeover if the kernel is not patched against the LPE flaw.

To defend against this threat, administrators are urged to update their Linux kernels to the latest stable versions provided by their respective distributions. Most major Linux distributions have released patches that address the page cache corruption issue by improving the validation of memory operations and closing the gap that allowed the ESP-in-TCP manipulation.
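
An installed kernel update does not protect a host until that kernel is actually booted. The read-only check below is an added example, not code from the article or any vendor: it reports whether ESP-in-TCP support is compiled into the kernel configuration and whether a newer kernel is installed than the one running. It does not determine whether a release is patched, since the article gives no fixed versions. The sample config and release strings are constructed, `CONFIG_INET_ESPINTCP` and `CONFIG_INET6_ESPINTCP` are the upstream Kconfig symbols for ESP-in-TCP, and `sort -V` assumes GNU coreutils or BusyBox.

```shell
#!/bin/sh
# Added example: read-only exposure check for one host (not from the article).

# espintcp_state CONFIG_TEXT -> "enabled" if ESP-in-TCP support is compiled in.
espintcp_state() {
    printf '%s\n' "$1" | awk -F= '
        /^CONFIG_INET6?_ESPINTCP=/ && ($2 == "y" || $2 == "m") { on = 1 }
        END { print (on ? "enabled" : "disabled") }'
}

# newest_release LIST -> highest release in a newline-separated list.
# Version sort matters: a plain sort would rank "-9-" above "-45-".
newest_release() {
    printf '%s\n' "$1" | sort -V | tail -n 1
}

# reboot_pending RUNNING INSTALLED -> true when a newer kernel is installed
# than the one running, i.e. an update was installed but never booted.
reboot_pending() {
    [ "$(newest_release "$1
$2")" != "$1" ]
}

# audit_host: apply the checks to the live system.
audit_host() {
    rel=$(uname -r)
    if [ -r "/boot/config-$rel" ]; then cfg=$(cat "/boot/config-$rel")
    elif [ -r /proc/config.gz ]; then cfg=$(gzip -dc /proc/config.gz)
    else cfg=""; fi
    echo "running kernel: $rel"
    echo "ESP-in-TCP:     $( [ -n "$cfg" ] && espintcp_state "$cfg" || echo unknown )"
    if reboot_pending "$rel" "$(ls /lib/modules 2>/dev/null)"; then
        echo "reboot pending: newest installed is $(newest_release "$(ls /lib/modules)")"
    fi
}

# Constructed sample data (not taken from any real host or advisory).
SAMPLE_CONFIG='CONFIG_INET_ESP=m
CONFIG_INET_ESPINTCP=y
# CONFIG_INET6_ESPINTCP is not set'
SAMPLE_INSTALLED='6.8.0-9-generic
6.8.0-45-generic'

# Run against the live host only when asked: sh check.sh --host
if [ "${1:-}" = "--host" ]; then audit_host; fi
```
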

Security professionals recommend a defense-in-depth approach to mitigate the risk of local privilege escalation. This includes implementing the principle of least privilege to limit the initial access available to users and utilizing kernel hardening tools that can detect or block unauthorized attempts to modify sensitive kernel memory structures.

As of May 14, 2026, the vulnerability remains a priority for system administrators due to the availability of proof-of-concept code and the confirmation of active attacks in the wild. The transition from a low-privileged user to a root user represents a total loss of system integrity, making the rapid deployment of kernel updates critical for maintaining security.
