Summary
Fragnesia, CVE-2026-46300, is a Linux kernel local privilege escalation in the XFRM ESP-in-TCP attack surface. The vulnerable path lets an unprivileged local attacker turn page-cache-backed file data into ESP ciphertext and then trigger in-place decryption over the same cached file page.
V12’s public write-up describes a deterministic primitive that can write attacker-chosen bytes into the page cache of read-only files without modifying the on-disk file. Its proof of concept targets /usr/bin/su, injects a small stub into the cached copy, and then executes su to obtain a root shell.
Ubuntu tracks CVE-2026-46300 as a high-priority kernel issue and describes it as a trivial local privilege escalation. Debian tracks the same CVE and links the V12 PoC and the upstream patch mail. AlmaLinux says supported AlmaLinux releases are affected and has released patched kernels.
Attribution
This entry is direct under Bugflation’s methodology. The primary research artifact from V12 says Fragnesia was discovered with V12 by William Bowling and the V12 team. V12’s own product page describes the system as agentic security that autonomously finds and exploits critical vulnerabilities.
The kernel and distribution sources corroborate the vulnerability, affected surface, and patch trail. They do not independently measure the exact split between V12 automation and human research work, so this entry should be read as AI-assisted discovery with direct first-party attribution.
Root cause
The upstream patch explains that skb_try_coalesce() can transfer paged fragments from one socket buffer to another while losing the SKBFL_SHARED_FRAG marker. That marker matters because later in-place writers, including ESP input, use it to decide whether they can safely avoid copying.
If the marker is lost, ESP can treat page-cache-backed fragments as safe for in-place decryption. Fragnesia turns that into a chosen-byte page-cache write primitive.
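The invariant above, as an added userspace model in C. It is not kernel code and is not taken from the upstream patch or the V12 write-up. Every struct, function and constant name is hypothetical, the XOR loop stands in for decryption, and the page contents are constructed sample data.

```c
/* Userspace model only, not kernel code; every name here is hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define MODEL_SHARED_FRAG 0x1u /* stands in for SKBFL_SHARED_FRAG */

struct model_skb {
    unsigned flags;          /* per-buffer marker bits */
    unsigned char *frags[4]; /* paged fragments; may alias cached file pages */
    int nr_frags;
};

/* Stand-in for coalescing; preserve_marker == false models the dropped marker. */
static void model_coalesce(struct model_skb *to, struct model_skb *from, bool preserve_marker)
{
    for (int i = 0; i < from->nr_frags && to->nr_frags < 4; i++)
        to->frags[to->nr_frags++] = from->frags[i];
    if (preserve_marker)
        to->flags |= from->flags & MODEL_SHARED_FRAG;
    from->nr_frags = 0;
}

/* Stand-in for an in-place writer: copies first only when the marker is set. */
static void model_inplace_writer(struct model_skb *skb, unsigned char *priv, size_t len)
{
    for (int i = 0; i < skb->nr_frags; i++) {
        unsigned char *dst = skb->frags[i];
        if (skb->flags & MODEL_SHARED_FRAG)
            dst = memcpy(priv, dst, len); /* work on a private copy */
        for (size_t j = 0; j < len; j++)
            dst[j] ^= 0xFF;               /* toy transform, not real crypto */
    }
}

/* Returns true if the shared page (constructed sample data) was modified. */
bool shared_page_modified(bool preserve_marker)
{
    unsigned char page[8] = "FILEDAT", orig[8], priv[8];
    struct model_skb to = {0}, from = { MODEL_SHARED_FRAG, { page }, 1 };
    memcpy(orig, page, sizeof orig);
    model_coalesce(&to, &from, preserve_marker);
    model_inplace_writer(&to, priv, sizeof priv);
    return memcmp(orig, page, sizeof orig) != 0;
}

int main(void)
{
    printf("dropped=%d kept=%d\n", shared_page_modified(false), shared_page_modified(true));
    return 0;
}
```

The writer is identical in both runs; only the state handed over by the coalescing step decides whether the shared page is written.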
Why it matters
Fragnesia is the third high-profile Linux page-cache local-root story in a short window after CopyFail and Dirty Frag. It matters for Bugflation because it shows the same pattern repeating in a mature kernel subsystem: a subtle cross-path state invariant becomes exploitable, a public PoC arrives quickly, and the defender workload shifts immediately to kernel patching, module mitigation, and cache cleanup.
The entry also expands the public AI-attributed Linux-kernel record beyond Xint and BynarIO. V12 is now tied to a CVE-backed, distro-tracked Linux kernel LPE with a public patch and exploit narrative.
References
- V12 PoC and write-up: Fragnesia
- V12 platform homepage
- Ubuntu: CVE-2026-46300
- Debian security tracker: CVE-2026-46300
- AlmaLinux: Fragnesia patches released
- netdev patch: preserve shared-frag marker during coalescing