Message-ID: <8733zvfucm.fsf@gentoo.org>
Date: Wed, 13 May 2026 11:59:37 +0100
From: Sam James <sam@...too.org>
To: oss-security@...ts.openwall.com
Subject: Linux kernel LPE ("fragnesia", copyfail 3.0)
v12-security have disclosed "Fragnesia" [0]. Quoting their disclosure:
> Fragnesia is a universal Linux local privilege escalation exploit,
> discovered by William Bowling with the V12 team. Fragnesia is a member
> of the Dirty Frag vulnerability class. This is a separate bug in the
> ESP/XFRM from dirtyfrag which has received its own patch. However, it
> is in the same surface and the mitigation is the same as for dirtyfrag.
>
> It abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to
> achieve arbitrary byte writes into the kernel page cache of read-only
> files, without requiring any race condition.
> The technique extends the page-cache write bug class that includes
> Dirty Pipe: when a TCP socket transitions to espintcp ULP mode after
> data has already been spliced from a file into the receive queue, the
> kernel processes the queued file pages as ESP ciphertext. The AES-GCM
> keystream byte at counter block position 2, byte 0 is XORed directly
> into the cached file page. By selecting the IV nonce to produce a
> desired keystream byte, any target byte in the file can be set to any
> value — one byte per trigger invocation.
>
> The exploit builds a 256-entry lookup table mapping each possible
> keystream byte to its corresponding nonce, then iterates over a
> payload, firing the splice/ULP race for each byte that needs changing.
> It writes a small position-independent ELF stub
> (setresuid/setresgid/execve /bin/sh) over the first 192 bytes of
> /usr/bin/su in the page cache, then calls execve("/usr/bin/su") to
> obtain a root shell. The page cache modification is not backed to
> disk; the on-disk binary is untouched.
page cache part being copyfail again [0], but the actual bug is more
like dirtyfrag [2]. They've also provided a PoC [3] (attached).
There's a patch on netdev [4], not yet in that tree or in Linus's tree,
therefore not in any stable kernels either.
[0] https://github.com/v12-security/pocs/tree/main/fragnesia
[1] https://www.openwall.com/lists/oss-security/2026/04/29/23 (CVE-2026-31431)
[2] https://www.openwall.com/lists/oss-security/2026/05/07/8 (CVE-2026-43284, CVE-2026-43500)
[3] https://github.com/v12-security/pocs/blob/d4043edc2acbd75d093e3f5795751b678c66b259/fragnesia/fragnesia.c
[4] https://lore.kernel.org/netdev/20260513041635.1289541-1-vakzz@zellic.io/
Attachment: "fragnesia.c" (text/plain, 34850 bytes)
Attachment: "0001-net-skbuff-preserve-shared-frag-marker-during-coales.patch" (text/x-patch, 1858 bytes)
thanks,
sam