## https://sploitus.com/exploit?id=D5588CEA-83BF-505C-8991-C753DAC80AF4
# Fragnesia (CVE-2026-46300) - Defensive Study Toolkit
A self-contained, Dockerized study project for the Linux kernel local
privilege-escalation vulnerability **Fragnesia (CVE-2026-46300)** in the XFRM
ESP-in-TCP subsystem. It is built for coursework and portfolio use: it explains
the vulnerability, ships a host **exposure scanner and mitigation advisor**, an
interactive dashboard, and a full written report and slide deck.
[](.github/workflows/ci.yml)


## Scope and ethics
This repository is **defensive and educational**. It contains:
- a root-cause and impact analysis at the level published in vendor advisories;
- a detector that checks whether a host is likely exposed; and
- mitigation guidance.
It deliberately **does not** contain a working exploit, proof-of-concept, or any
weaponized code. A kernel privilege-escalation exploit is exactly the kind of
artifact that can be lifted out of a container and used against a real host, so
this project focuses on understanding and defending against the flaw. Use it
only on systems you own or are authorized to assess.
## The vulnerability in one paragraph
Fragnesia is a high-severity (CVSS v3.1 7.8) local privilege escalation in the
Linux kernel, disclosed on 2026-05-13 by William Bowling of the V12 Security
team, and a member of the same "Dirty Frag" class as CVE-2026-43284 and
CVE-2026-43500. The root cause is that `skb_try_coalesce()` failed to propagate
the `SKBFL_SHARED_FRAG` marker when moving paged fragments between socket
buffers, so the kernel could lose track of externally backed (page-cache)
fragments. The ESP-in-TCP receive path would then perform in-place AES-GCM
decryption directly over those page-cache pages, giving an unprivileged local
user a deterministic write into the page cache of a readable file - with no race
condition required - which can be used to corrupt a privileged binary and obtain
root.
## What is in this repository
| Path | Purpose |
|------|---------|
| `scanner/scan.py` | Host exposure scanner and mitigation advisor (stdlib only) |
| `scanner/advisory.json` | Single source of truth: CVSS, root cause, fixed versions, mitigations, references |
| `docker/Dockerfile` | Minimal, non-root, dependency-free image |
| `docker/docker-compose.yml` | `scanner` and `dashboard` services |
| `docker/entrypoint.sh` | Dispatch for `scan` / `report` / `serve` / `test` |
| `docs/index.html` | Interactive single-file dashboard |
| `docs/report.docx`, `docs/report.pdf` | Full written report |
| `docs/presentation.pptx` | Slide deck |
| `tests/test_scan.py` | Unit tests (no network, no dependencies) |
| `.github/workflows/ci.yml` | CI: tests on Python 3.8-3.12 plus a Docker build |
## Quick start
### Run locally (Python 3.8+, no dependencies)
```bash
python3 scanner/scan.py # human-readable exposure report
python3 scanner/scan.py --json # machine-readable JSON
python3 -m unittest discover -s tests -v
```
### Run with Docker
```bash
# Build the image
docker build -f docker/Dockerfile -t fragnesia-cve-2026-46300 .
# Scan the host kernel (text, then JSON)
docker run --rm fragnesia-cve-2026-46300
docker run --rm fragnesia-cve-2026-46300 report
# Serve the interactive dashboard at http://localhost:8080
docker run --rm -p 8080:8080 fragnesia-cve-2026-46300 serve
```
### Run with docker compose
```bash
docker compose -f docker/docker-compose.yml run --rm scanner
docker compose -f docker/docker-compose.yml up dashboard
```
## How the scanner reaches its verdict
Containers share the host kernel, so the kernel version the scanner reports is
the **host's** even when it runs inside the image. The verdict is one of:
- `AFFECTED` - the running kernel is below the published fixed build for a
recognised distribution;
- `LIKELY_PATCHED` - the running kernel meets or exceeds that fixed build;
- `UNKNOWN` - no matching advisory entry, so the vendor advisory must be checked
manually. **Treat `UNKNOWN` as a prompt to investigate, not as "safe".**
Alongside the version check, the tool reports surrounding risk signals: loadable
ESP/XFRM modules, unprivileged user namespaces, and any livepatch agent that may
remediate without a version bump. Exit codes (`0` patched, `1` unknown,
`2` affected) make the tool usable as a CI gate.
The bundled fixed-version dataset is a sample drawn from public vendor
advisories at disclosure time; your own distribution's advisory is always the
authoritative source.
## Mitigation summary
1. **Primary:** apply the vendor kernel update and reboot, or apply a validated
livepatch. This is the only complete fix.
2. **Defense-in-depth:** if IPsec/ESP is unused, block autoload of the affected
modules; restrict unprivileged user namespaces where workloads allow.
3. **Compensating:** keep host EDR / runtime protection current.
## References
See `scanner/advisory.json` for the full, linked reference list, including the
NVD and MITRE records, the Tenable FAQ, and the AlmaLinux and CloudLinux
advisories.
## Regenerating the documents
The report and slide deck under `docs/` are generated artifacts. The generator
scripts live in `tools/` (Node.js, using `docx` and `pptxgenjs`):
```bash
npm install -g docx pptxgenjs react-icons react react-dom sharp
node tools/build_report.js # writes docs/report.docx
node tools/build_deck.js # writes docs/presentation.pptx
```
## License
MIT - see `LICENSE`.