
Fragnesia Mitigation (CVE-2026-46300)

Warning

Vendor patches are not widely available; please apply the mitigation to vulnerable hosts.

References and Further Reading

General Information & Exploit Details

Vendor Specific Information

Vendor | Status | Resource
AlmaLinux | 🟡 Patches available in testing | Fragnesia (CVE-2026-46300): Patched kernels available in testing
Red Hat | ⚠️ Vulnerable | CVE-2026-46300
Ubuntu | ⚠️ Vulnerable | CVE-2026-46300 Security Advisory
Debian | ⚠️ Vulnerable | Security Tracker CVE-2026-46300
SUSE | ⚠️ Vulnerable | Security Vulnerability CVE-2026-46300

Vulnerability Testing

Run this command to test if your system is currently vulnerable to the exploit:

unshare -Urn -- ip xfrm state add \
  src 10.0.0.1 dst 10.0.0.2 \
  proto esp spi 0x00000001 \
  mode transport \
  enc 'cbc(aes)' 0x00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff \
  auth 'hmac(sha1)' 0x00112233445566778899aabbccddeeff00112233

If the output is empty, the system is vulnerable.

If the output is an error message, the system is safe.

Fix for all Linux distributions

Blacklisting and removing vulnerable modules (same mitigation as Dirty Frag)

Danger

  • Blacklisting esp4 and esp6 will cause all IPsec-based VPNs and encrypted tunnels to stop working.

    • This breakage only applies to the temporary mitigation (the module blacklisting workaround).

    • Once a fix has been released by your Linux distribution, install it. You can then safely remove the module blacklisting.

  • The rmmod command will fail if IPsec is currently active or if the modules are being used by another process. If rmmod fails, a reboot is required after creating the blacklist file to ensure the modules are not loaded.

  • The Red Hat Customer Portal suggests a mitigation method that should not impact IPsec.

  1. Run:

    sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
    

  2. This creates a file /etc/modprobe.d/dirtyfrag.conf with the following contents:

    install esp4 /bin/false
    install esp6 /bin/false
    install rxrpc /bin/false
    

  3. Re-run the command from the Vulnerability Testing section; once the mitigation is in effect, it prints an error message.
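A way to audit that the mitigation above is in effect on a host, as an added example that is not part of the original page. The function names (is_blocked, is_loaded, audit) are hypothetical, and the script assumes the install lines live in a *.conf file under /etc/modprobe.d and that loaded modules are listed in /proc/modules.

```shell
#!/bin/sh
# Added example: audit the esp4/esp6/rxrpc module-blacklist mitigation.
# Assumption: only the directory passed in (default /etc/modprobe.d) is
# searched; other modprobe.d locations are not inspected.

MODULES="esp4 esp6 rxrpc"

# is_blocked MODULE CONF_DIR
# True if any *.conf in CONF_DIR contains "install MODULE /bin/false".
is_blocked() {
    grep -Eqs "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/false([[:space:]]|\$)" "$2"/*.conf
}

# is_loaded MODULE MODULES_FILE
# True if MODULE appears as a loaded module (first column of /proc/modules).
is_loaded() {
    grep -Eqs "^$1[[:space:]]" "$2"
}

# audit [CONF_DIR] [MODULES_FILE]
# Prints one line per module; returns 0 only if every module is both
# blocked in the configuration and not currently loaded.
audit() {
    conf_dir=${1:-/etc/modprobe.d}
    proc_modules=${2:-/proc/modules}
    rc=0
    for m in $MODULES; do
        if ! is_blocked "$m" "$conf_dir"; then
            echo "$m: no 'install $m /bin/false' line in $conf_dir"
            rc=1
        elif is_loaded "$m" "$proc_modules"; then
            # Matches the rmmod failure case described in the Danger box.
            echo "$m: blocked in config but still loaded (reboot required)"
            rc=1
        else
            echo "$m: blocked and not loaded"
        fi
    done
    return $rc
}

# Run against the live system only when asked: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then audit; fi
```

A non-zero exit from `audit` means at least one module is unblocked or still resident, so the host should be treated as unmitigated until the vulnerability test returns an error.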