
Fragnesia: The “Copy Fail 3.0” Exploit Granting 100% Linux Root

By sk

Quick Summary

  • Fragnesia (also called Copy Fail 3.0) is a universal Linux local privilege escalation exploit that allows an unprivileged user to gain root access with 100% reliability.
  • It exploits a logic bug in the XFRM ESP-in-TCP subsystem where the kernel "forgets" that a memory fragment is shared during a process called coalescing.
  • By manipulating this flaw, an attacker can write arbitrary bytes into the page cache of read-only files, like /etc/passwd or /usr/bin/su, to bypass security checks and drop into a root shell.

Fragnesia: The Memory Hole that Grants Root Access on Linux

Security researchers just uncovered a new way to take over Linux systems. It’s called Fragnesia. This exploit is the latest member of the Dirty Frag vulnerability family.

Discovered by William Bowling and the V12 team, Fragnesia allows an unprivileged user to gain root privileges with 100% reliability.

Unlike many exploits that rely on luck or timing, Fragnesia is a deterministic logic bug. This means it works every single time, making it a "nightmare" for system administrators.

Why the Name Fragnesia?

The name is a play on "fragment" and "amnesia." As the researchers explain, the core bug happens because a network buffer (called an skb) "forgets" that a piece of memory is shared during a process called coalescing.

When the Linux kernel tries to save time by merging network packets, it loses a critical security marker called SKBFL_SHARED_FRAG. Without this marker, the kernel thinks the memory is private and safe to modify. In reality, that memory is still connected to a sensitive file in the page cache.

From Dirty Pipe to Fragnesia

Fragnesia is being called "Copy Fail 3.0" because it refines a class of bugs that started with Dirty Pipe. These vulnerabilities all share a common goal: writing data into the in-memory (page cache) copies of files that are read-only on disk, so that every process reading the file sees the attacker's bytes.

As noted in the technical write-up, Fragnesia specifically targets the ESP-in-TCP subsystem. By tricking the kernel into performing in-place decryption on shared memory, an attacker can "flip" bytes in files they should only be able to read, such as /etc/passwd or /usr/bin/su.

How the Exploit Works

The exploit uses a clever trick involving AES-GCM encryption. Here is the step-by-step process of how it takes over a system:

  • Setting the Table: The attacker builds a lookup table of "keystream bytes" by varying a value called a nonce.
  • The Splice Trigger: The exploit uses the splice() system call to plant a read-only file page directly into a network socket.
  • The Memory XOR: By selecting the perfect nonce, the attacker forces the kernel to XOR a specific byte directly into the cached file page.
  • Building the Shell: This process repeats byte-by-byte until the attacker has written a small root shell stub over the first 192 bytes of the /usr/bin/su binary in memory.

Once the "dirty" binary is ready in the cache, the attacker simply runs su. The kernel executes the modified version, bypasses all security checks, and drops the user into a root shell.

A Surprising Detail about Fragnesia

As stated in the previous section, the Fragnesia exploit is designed to be completely deterministic by using a "keystream lookup table" built via the AES-GCM counter block.

By testing 65,536 nonces in advance, the attacker creates a map of every possible byte value that the kernel's decryption process will XOR into the target file.

This allows them to "flip" any byte in a file to a specific desired value, one byte at a time, without ever needing to win a race condition.

Affected Linux Distributions by Fragnesia

If you use Linux, you are likely in scope. The researchers confirmed that all versions affected by the original Dirty Frag are also vulnerable to Fragnesia. This includes any kernel that hasn't applied the specific coalescing fix released on May 13, 2026.

Major distributions like Ubuntu are confirmed targets, but Ubuntu users have a slight advantage: by default, AppArmor restricts the unprivileged user namespaces needed for part of the exploit.

How to Mitigate Fragnesia Vulnerability

The best defense is to update your kernel to a version that includes the May 13th patch.

If you can't patch yet, you should apply a temporary mitigation by disabling the vulnerable networking modules.

As recommended in the oss-security post, you can block the exploit by running these commands as root to unload and blacklist the esp4, esp6 and rxrpc modules:

rmmod esp4 esp6 rxrpc
printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf
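The two commands above do the job on a single box, but on a fleet you want them to be idempotent, to tell you when a module could not be unloaded, and to warn when a module is compiled into the kernel (in which case neither rmmod nor a modprobe.d install line can disable it and only the kernel update helps). The script below is an added example, not code from the write-up, the oss-security post or the v12 repository; the module names and the dirtyfrag.conf path come from the article, while the function names, the use of modprobe -r in place of rmmod, and the modules.builtin check are my own.

```shell
#!/bin/sh
# Added example: apply and verify the Dirty Frag / Fragnesia module blacklist.
# Module names and the modprobe.d file name are taken from the article;
# everything else (helper names, builtin check) is this example's own.

MITIGATION_MODULES="esp4 esp6 rxrpc"
DIRTYFRAG_CONF="${DIRTYFRAG_CONF:-/etc/modprobe.d/dirtyfrag.conf}"

# Print the modprobe.d content that makes any future load of a module fail.
dirtyfrag_conf_body() {
    for m in $MITIGATION_MODULES; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Return 0 if the module is currently loaded according to /proc/modules, else 1.
module_loaded() {
    [ -r /proc/modules ] || return 1
    grep -q "^$1 " /proc/modules
}

# Return 0 if the module is compiled into the running kernel. A builtin module
# cannot be removed or blacklisted; only a patched kernel removes the bug.
module_builtin() {
    builtin="/lib/modules/$(uname -r)/modules.builtin"
    [ -r "$builtin" ] || return 1
    grep -q "/$1\.ko" "$builtin"
}

# Write the blacklist, then unload whatever is currently loaded. Requires root.
apply_mitigation() {
    dirtyfrag_conf_body > "$DIRTYFRAG_CONF"
    for m in $MITIGATION_MODULES; do
        if module_builtin "$m"; then
            echo "WARNING: $m is built into the kernel; blacklist is ineffective" >&2
        elif module_loaded "$m"; then
            # modprobe -r also removes now-unused dependencies; it fails if in use.
            modprobe -r "$m" || echo "WARNING: could not unload $m (in use?)" >&2
        fi
    done
}

# Return 0 only if no listed module is loaded and the conf blacklists each one.
verify_mitigation() {
    for m in $MITIGATION_MODULES; do
        module_loaded "$m" && return 1
        grep -q "^install $m /bin/false$" "$DIRTYFRAG_CONF" 2>/dev/null || return 1
    done
    return 0
}
```

Save it as mitigate.sh and run `sudo sh -c '. ./mitigate.sh; apply_mitigation && verify_mitigation && echo mitigated'`. Keep in mind that blacklisting esp4 and esp6 disables IPsec ESP on the host, so any strongSwan or Libreswan tunnels will stop working until the kernel is patched and the conf file removed.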

Perform Fragnesia Test Exploit

Prerequisites for Testing:

  • Target System: The system must be running an affected kernel version without the coalescing patch.
  • Ubuntu Note: Because Ubuntu restricts unprivileged user namespaces by default, you must first enable them by running: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0.
  • Target File: The exploit targets /usr/bin/su by default to obtain a root shell.

Execution Steps

Step 1: Clone the Repository:

Download the proof-of-concept code from GitHub:

git clone https://github.com/v12-security/pocs.git

Step 2: Navigate to the Directory:

cd pocs/fragnesia

Step 3: Compile the Exploit:

Use GCC to build the executable:

gcc -o exp fragnesia.c

Step 4: Run the Exploit:

Execute the compiled binary:

./exp

Here's How the Exploit Functions:

  • Namespace Setup: The binary calls unshare(CLONE_NEWUSER | CLONE_NEWNET) to obtain CAP_NET_ADMIN inside a fresh user and network namespace, which is why restricting unprivileged user namespaces blocks this step.
  • Keystream Generation: It builds a 256-entry lookup table mapping AES-GCM keystream bytes to specific nonces.
  • Triggering the Write: The exploit uses a "Splice-then-ULP" trigger where it splices data from the target file into a TCP stream and then delays the installation of the ESP-in-TCP protocol.
  • The Logic Bug: When the protocol is enabled, the kernel "forgets" that the fragments are shared with the page cache during coalescing. It then incorrectly performs in-place decryption, XORing the keystream directly into the cached file page.
  • Payload Injection: This process iterates byte-by-byte to overwrite the first 192 bytes of /usr/bin/su in memory with a root-shell stub.

Critical Post-Exploit Cleanup

After running a test exploit, your page cache is contaminated. Any further use of the corrupted files could lead to instability. You must reboot your system or manually clear the cache by running, as root, echo 1 | tee /proc/sys/vm/drop_caches to ensure you are safe. Note that drop_caches only evicts clean pages that no process currently has mapped, so a reboot is the reliable option.
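Because the exploit only changes the page-cache copy of a file and leaves the disk untouched, the practical detection check is to hash the file as the kernel serves it and compare against a known-good value; a mismatch that disappears after the cache is dropped is the signature of an in-memory tamper, while a mismatch that persists means the on-disk file itself was modified. The script below is an added example (not from the article or the PoC); the function names are my own, and the known-good SHA-256 is assumed to come from your package manager (for instance dpkg -V or rpm -V) or from a hash recorded before the system was exposed.

```shell
#!/bin/sh
# Added example: classify whether a file is clean, tampered only in the page
# cache, or modified on disk. Helper names are this example's own; the
# expected hash must come from a trusted source outside this script.

# Print the SHA-256 of a file as read through the page cache.
cached_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# Return 0 if the file's current (cached) content matches the expected hash.
verify_cached_file() {
    file="$1"; expected="$2"
    [ "$(cached_sha256 "$file")" = "$expected" ]
}

# Evict clean, unmapped page-cache pages so the next read comes from disk.
# Requires root. Pages mapped by a running process are not evicted, which is
# why the article recommends a reboot as the reliable cleanup.
drop_page_cache() {
    sync
    echo 1 > /proc/sys/vm/drop_caches
}

# Print "clean", "cache-tampered" (mismatch gone after dropping caches, so the
# disk copy is intact) or "disk-modified" (mismatch persists), and return
# 0, 1 or 2 respectively.
classify_file() {
    file="$1"; expected="$2"
    if verify_cached_file "$file" "$expected"; then
        echo clean; return 0
    fi
    drop_page_cache 2>/dev/null || true
    if verify_cached_file "$file" "$expected"; then
        echo cache-tampered; return 1
    fi
    echo disk-modified; return 2
}
```

Run it as root against the binaries the write-up names, for example `classify_file /usr/bin/su "$(known_good_hash)"`, after any suspected exposure; a "cache-tampered" result is the evidence you want in an incident ticket, and a "disk-modified" result means the package should be reinstalled rather than just the cache cleared.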
