A local privilege escalation (LPE) vulnerability affecting the Linux kernel has been publicly disclosed on May 13, 2026. The vulnerability has been assigned the CVE ID CVE-2026-46300 and is referred to as “Fragnesia.”  The vulnerability affects multiple Linux distributions, including all Ubuntu releases. The affected components are the Linux kernel modules that provide support for ESP (Encapsulating Security Protocol), one of the protocols used for IPsec (Internet Protocol Security). These are the same Linux kernel modules that were affected by one of the Dirty Frag vulnerabilities. As such, the mitigations described in the Dirty Frag vulnerability update provide protection against Fragnesia as well, since they disable the impacted Linux kernel modules.

The vulnerability has been assigned a CVSS 3.1 score of 7.8, corresponding to a severity of HIGH, by NVD. Canonical’s assessment prior to the CVSS score assignment was identical.

Linux kernel package updates are available that fix these vulnerabilities. This blog had been published on the day the vulnerability was publicly disclosed, describing mitigations that disable the affected components. The mitigations are no longer necessary if the Linux kernel updates are applied.

Impact

Deployments without container workloads

On hosts that do not run container workloads, the vulnerability allows a local user to elevate privileges to the root user. The published exploit executes in this type of deployment.

Container deployments

In container deployments that may execute arbitrary third-party workloads, the vulnerability may additionally facilitate container escape scenarios, in addition to local privilege escalation on the host. A proof-of-concept exploit has not been published yet for container escape.

Mitigation regression risk

Update: Linux kernel package updates that fix these vulnerabilities are available and mitigations described here are no longer needed. We recommend that you install the Linux kernel update and only apply the mitigations if that is not possible.

The mitigation disables the kernel modules that are used for IPsec ESP. Enabling the mitigation will affect functionality if the modules are in use by IPsec deployments. These are common with VPN implementations such as StrongSwan.

Affected releases

The vulnerability fix is distributed through the Linux kernel image packages. Before the updates were available, this blog post described a mitigation which disables the affected modules in the instructions below. The mitigation is no longer necessary if the kernel updates are applied.

Please note that if you have previously applied the mitigations described for Dirty Frag, your system is not affected by Fragnesia. Additionally, the same security update addresses both Dirty Frag and Fragnesia.

How to check if you are impacted

On your system, run the following command to get the version of the currently running kernel and compare the listed version to the corresponding table above.

uname -r

The list of installed kernel packages can be obtained using the following command:

dpkg -l 'linux-image*' | grep ^ii

Security updates

We recommend you upgrade all packages:

sudo apt update && sudo apt upgrade

If this is not possible and the Linux kernel is installed via a meta package, its update can be targeted directly:

sudo apt update
dpkg-query -W -f '${source:Package}\t${binary:Package}\n' | awk '$1 ~ "^linux-meta" { print $2 }' | xargs sudo apt install --only-upgrade

Once the security updates for the Linux kernel are installed, a reboot is required:

sudo reboot

The unattended-upgrades feature is enabled by default for Ubuntu 16.04 LTS onwards. This service:  

• Applies new security updates every 24 hours automatically.
• If you have this enabled, the patches above will be automatically applied within 24 hours of being available, but a reboot is still required.

Manual mitigation

Update: Linux kernel security updates that fix the vulnerability are now available. The mitigations described in this section are no longer needed and should only be applied if the Linux kernel cannot be updated. If you have previously configured the mitigations, please follow the instructions in the ‘Disabling the mitigation’ section below.

The mitigations block the affected kernel modules from loading. This requires three steps:

1. Prevent the modules from loading in the future.
2. Unload the modules.
3. Check whether step 2 was successful; if not, reboot the system.

The same modules are blocked by the Dirty Frag mitigations. Applying both mitigations does not cause any issues, but is unnecessary. However, we recommend that you maintain the mitigations until Linux kernel security updates that address both vulnerabilities are available and installed.

Step 1 – block the modules:

Block the modules by creating a /etc/modprobe.d/fragnesia.conf file:

echo "install esp4 /bin/false" | sudo tee /etc/modprobe.d/fragnesia.conf
echo "install esp6 /bin/false" | sudo tee -a /etc/modprobe.d/fragnesia.conf

Regenerate the initramfs images, to prevent the modules from being loaded during early boot:

sudo update-initramfs -u -k all

Step 2 – unload modules:

Unload the modules, in case they are already loaded:

sudo rmmod esp4 esp6 2>/dev/null 

Step 3 – confirm the modules aren’t loaded:

Check whether the modules are still loaded:

grep -qE '^(esp4|esp6) ' /proc/modules && echo "Affected modules are loaded" || echo "Affected modules are NOT loaded"

If the previous action indicates that the modules are not loaded, no further action is required. However, unloading the modules may not be possible if they are in use by applications. In these instances, a system reboot will enforce their blocking, but will affect applications:

sudo reboot

Disabling the mitigation

Once kernel updates are installed, the mitigation can be removed:

sudo rm /etc/modprobe.d/fragnesia.conf
sudo update-initramfs -u -k all

Please note that in order to restore IPsec availability, ESP modules must be permitted to be loaded. This means that the mitigations for Fragnesia described here as well as the mitigations for Dirty Frag will need to be removed to restore IPsec availability.