{ "threat_severity" : "Important", "public_date" : "2026-05-13T12:00:00Z", "bugzilla" : { "description" : "kernel: \"Fragnesia\" is a variant of Dirty Frag vulnerability in the ESP/XFRM leading to Local Privilege Escalation (LPE) vulnerability in the Linux kernel", "id" : "2477015", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2477015" }, "cvss3" : { "cvss3_base_score" : "7.8", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-123", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet: skbuff: preserve shared-frag marker during coalescing\nskb_try_coalesce() can attach paged frags from @from to @to. If @from\nhas SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same\nexternally-owned or page-cache-backed frags, but the shared-frag marker\nis currently lost.\nThat breaks the invariant relied on by later in-place writers. In\nparticular, ESP input checks skb_has_shared_frag() before deciding\nwhether an uncloned nonlinear skb can skip skb_cow_data(). If TCP\nreceive coalescing has moved shared frags into an unmarked skb, ESP can\nsee skb_has_shared_frag() as false and decrypt in place over page-cache\nbacked frags.\nPropagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged\nfrags. The tailroom copy path does not need the marker because it copies\nbytes into @to's linear data rather than transferring frag descriptors.", "A flaw was found in the Linux kernel's XFRM ESP-in-TCP subsystem. Unsafe in-place cryptographic processing allows a low-privileged local attacker to write arbitrary bytes into the page cache of read-only files, including sensitive system files. An attacker can exploit this to overwrite privileged binaries and gain root privileges." ], "statement" : "This issue is classified as Important, rather than Critical severity, because exploitation requires local access to the system. A low-privileged local attacker can exploit this flaw in the Linux kernel's XFRM ESP-in-TCP subsystem to gain root privileges by overwriting sensitive system files. Exploitation does not require user interaction, potentially resulting in full compromise of confidentiality, integrity, and availability.", "affected_release" : [ { "product_name" : "NVIDIA for RHEL 10", "release_date" : "2026-05-20T00:00:00Z", "advisory" : "RHSA-2026:19540", "cpe" : "cpe:/a:redhat:enterprise_linux_nvidia:10::el10", "package" : "kernel-0:6.12.0-211.8.el10nv" }, { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2026-05-20T00:00:00Z", "advisory" : "RHSA-2026:19569", "cpe" : "cpe:/o:redhat:enterprise_linux:10.2", "package" : "kernel-0:6.12.0-211.16.1.el10_2" }, { "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support", "release_date" : "2026-05-21T00:00:00Z", "advisory" : "RHSA-2026:20299", "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0", "package" : "kernel-0:6.12.0-55.75.1.el10_0" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2026-05-20T00:00:00Z", "advisory" : "RHSA-2026:19664", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.125.1.rt7.466.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2026-05-20T00:00:00Z", "advisory" : "RHSA-2026:19666", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.125.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date" : "2026-05-21T00:00:00Z", "advisory" : "RHSA-2026:20130", "cpe" : "cpe:/o:redhat:rhel_aus:8.4", "package" : "kernel-0:4.18.0-305.192.1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On", "release_date" : "2026-05-21T00:00:00Z", "advisory" : "RHSA-2026:20130", "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4", "package" : "kernel-0:4.18.0-305.192.1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2026-05-21T00:00:00Z", "advisory" : "RHSA-2026:20051", "cpe" : "cpe:/o:redhat:rhel_aus:8.6", "package" : "kernel-0:4.18.0-372.193.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2026-05-21T00:00:00Z", "advisory" : "RHSA-2026:20051", "cpe" : "cpe:/o:redhat:rhel_tus:8.6", "package" : "kernel-0:4.18.0-372.193.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2026-05-21T00:00:00Z", "advisory" : "RHSA-2026:20051", "cpe" : "cpe:/o:redhat:rhel_e4s:8.6", "package" : "kernel-0:4.18.0-372.193.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "release_date" : "2026-05-20T00:00:00Z", "advisory" : "RHSA-2026:19521", "cpe" : "cpe:/o:redhat:rhel_tus:8.8", "package" : "kernel-0:4.18.0-477.143.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date" : "2026-05-20T00:00:00Z", "advisory" : "RHSA-2026:19521", "cpe" : "cpe:/o:redhat:rhel_e4s:8.8", "package" : "kernel-0:4.18.0-477.143.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-05-20T00:00:00Z", "advisory" : "RHSA-2026:19568", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-687.10.1.el9_8" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-05-20T00:00:00Z", "advisory" : "RHSA-2026:19568", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-687.10.1.el9_8" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2026-05-20T00:00:00Z", "advisory" : "RHSA-2026:19705", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0", "package" : "kernel-0:5.14.0-70.180.1.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2026-05-20T00:00:00Z", "advisory" : "RHSA-2026:19711", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv", "package" : "kernel-rt-0:5.14.0-70.180.1.rt21.252.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2026-05-26T00:00:00Z", "advisory" : "RHSA-2026:20593", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2", "package" : "kernel-0:5.14.0-284.172.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2026-05-20T00:00:00Z", "advisory" : "RHSA-2026:19875", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv", "package" : "kernel-rt-0:5.14.0-284.172.1.rt14.457.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2026-05-21T00:00:00Z", "advisory" : "RHSA-2026:20054", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "kernel-0:5.14.0-427.126.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support", "release_date" : "2026-05-21T00:00:00Z", "advisory" : "RHSA-2026:20129", "cpe" : "cpe:/a:redhat:rhel_eus:9.6", "package" : "kernel-0:5.14.0-570.116.1.el9_6" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "rhcos", "cpe" : "cpe:/a:redhat:openshift:4" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-46300\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-46300" ], "csaw" : true, "name" : "CVE-2026-46300", "mitigation" : { "value" : "See the security bulletin for a detailed mitigation procedure.", "lang" : "en:us" } }