New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption


The newly disclosed Fragnesia vulnerability is a race condition in the Linux kernel's page‑cache management code (upstream this lives in `mm/filemap.c` and `mm/truncate.c`; there is no `fs/pagecache.c`) that yields arbitrary read/write of kernel memory when a crafted `mmap`/`msync` sequence is run against a page‑aligned mapping of a file opened with `O_DIRECT`. By repeatedly calling `madvise(MADV_DONTNEED)` on a shared mapping while a second thread concurrently forces writeback with `fsync`, the attacker makes the kernel drop the backing page from the cache without updating the `mapping` pointer of the associated `struct page`. Later accesses to the stale `struct page` through the VFS layer trigger a use‑after‑free in which a reclaimed object is dereferenced as a `struct address_space`, allowing controlled overwrites of adjacent kernel structures such as `inode->i_security` and, ultimately, the `cred` structure of the current task. The result is escalation to root without loading a kernel module and without physical access.

Pre‑release kernel snapshots place the flaw between commits 127b3f2 (v5.19‑rc1) and 4c9d0ea (v6.7‑rc5); the advisory nonetheless lists every distribution kernel from 5.15‑rc1 onward as affected, so treat the wider range as authoritative until the commit range is confirmed. The page cache is not a configurable subsystem (there is no `CONFIG_PAGECACHE` option), and the race reproduces reliably on both x86_64 and aarch64, so no Kconfig choice takes a kernel in that range out of scope. The vulnerability has been assigned CVE‑2026‑11542 with a reported CVSS v3.1 base score of 9.8; as a local privilege escalation its attack vector is Local (AV:L), which CVSS v3.1 cannot score as high as 9.8, so expect the published score to be revised. Exploitability is heightened by the fact that the required primitives (`mmap`, `msync`, `madvise`) are all exposed to unprivileged processes. The kernel's missing reference‑count validation on `struct page` during `invalidate_mapping_pages` lets the attacker drive the reference count negative, bypassing the usual protection mechanisms.

Mitigation recommendations start with an immediate kernel upgrade to 6.8.0‑rc2 or later, where the patch isolates the page‑cache eviction path behind a dedicated lock and adds a sanity check that validates the `mapping` pointer before dereferencing a `struct page`. Distributors should backport these changes to the LTS branches (e.g., 5.15.147, 6.1.107). Where an upgrade is not feasible, the supplemental "page‑cache hardening" patch (available from the upstream Git repository) mitigates the race by enforcing a stricter memory‑ordering barrier (`smp_mb()`) around the `page_remove_rmap` and `page_cache_release` calls. As defense in depth, administrators should set the `kernel.dmesg_restrict=1` sysctl (so unprivileged users cannot harvest kernel addresses from the log), enable SELinux/AppArmor confinement, and restrict `O_DIRECT` opens on untrusted filesystems where the filesystem or storage layer offers a way to refuse them (the `no_direct_io` option named in the original advisory is not a generic mount option, so check whether your filesystem supports an equivalent). For detection, watch for abnormal bursts of `madvise(MADV_DONTNEED)` from a single process and for a process whose effective credentials change without a matching `setuid` call; Linux exposes a task's credentials in the `Uid:`/`Gid:` lines of `/proc/<pid>/status`, not in a `/proc/<pid>/cred` file.
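As an added example (not from the advisory or any kernel project), a POSIX shell triage helper covering the two operational points above: classifying an upstream kernel version string against the fixed versions this advisory names, and flagging `madvise(MADV_DONTNEED)` bursts in auditd `SYSCALL` records. The fixed-version numbers are taken from the advisory text as stated and are assumptions, the audit records are constructed, and the `auditctl` rule in the comment assumes an auditd that supports syscall-argument filters (`-F a2=`).

```shell
#!/bin/sh
# Added triage helper (example code, not part of the advisory or the kernel).
# is_patched: classify an upstream kernel version against the fixed versions
#             the advisory lists (assumed: 6.8.0-rc2 mainline, 5.15.147 and
#             6.1.107 LTS backports).
# burst_pids: flag pids with a burst of madvise(MADV_DONTNEED) in audit logs.

# Print "maj min pat" for strings like 6.1.107, 5.15.0-91-generic, 6.8.0-rc2.
parse_version() {
    ver=${1%%-*}                      # drop -rc2 / -generic style suffixes
    maj=${ver%%.*}; rest=${ver#*.}
    [ "$rest" = "$ver" ] && rest=0    # no minor field
    min=${rest%%.*}; rest=${rest#*.}
    [ "$rest" = "$min" ] && rest=0    # no patch field
    pat=${rest%%.*}
    printf '%s %s %s\n' "$maj" "$min" "$pat"
}

# Verdicts: patched | vulnerable | out-of-range (older than the advisory's 5.15 floor).
# Caveat: distro kernels backport fixes without bumping the upstream patch
# level ("5.15.0-91-generic"), so for those consult the vendor changelog instead.
is_patched() {
    case "$1" in
        6.8.0-rc1|6.8-rc1) echo vulnerable; return 0 ;;   # advisory: fix landed in -rc2
    esac
    set -- $(parse_version "$1")
    maj=$1 min=$2 pat=$3
    if   [ "$maj" -gt 6 ] || { [ "$maj" -eq 6 ] && [ "$min" -ge 8 ]; }; then echo patched
    elif [ "$maj" -eq 6 ] && [ "$min" -eq 1 ];  then [ "$pat" -ge 107 ] && echo patched || echo vulnerable
    elif [ "$maj" -eq 5 ] && [ "$min" -eq 15 ]; then [ "$pat" -ge 147 ] && echo patched || echo vulnerable
    elif [ "$maj" -gt 5 ] || { [ "$maj" -eq 5 ] && [ "$min" -ge 15 ]; }; then echo vulnerable
    else echo out-of-range
    fi
}

# Print pids that issue >= THRESHOLD MADV_DONTNEED calls inside one WINDOW-second
# bucket; reads audit SYSCALL records on stdin. x86_64 only: arch=c000003e and
# madvise is syscall 28 there (233 on arm64); a2=4 is MADV_DONTNEED.
# Rule that produces such records (assumed auditctl syntax):
#   auditctl -a always,exit -F arch=b64 -S madvise -F a2=4 -k madvise_dontneed
burst_pids() {
    awk -v thr="$1" -v win="$2" '
        /type=SYSCALL/ && /arch=c000003e/ && /syscall=28 / && / a2=4 / {
            if (!match($0, /msg=audit\([0-9]+/)) next
            ts = substr($0, RSTART + 10, RLENGTH - 10)     # integer seconds
            if (!match($0, / pid=[0-9]+/)) next            # leading space skips ppid=
            pid = substr($0, RSTART + 5, RLENGTH - 5)
            if (++n[pid SUBSEP int(ts / win)] == thr) print pid
        }' | sort -u
}

# Constructed sample records (not real captures): pid 4242 fires six
# MADV_DONTNEED calls within one second, pid 1001 fires one, then one
# MADV_WILLNEED (a2=3) and one unrelated syscall that must not match.
SAMPLE_LOG='type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=28 success=yes exit=0 a0=7f3a1c000000 a1=1000 a2=4 a3=0 ppid=900 pid=4242 uid=1000 comm="poc" key="madvise_dontneed"
type=SYSCALL msg=audit(1700000000.102:502): arch=c000003e syscall=28 success=yes exit=0 a0=7f3a1c000000 a1=1000 a2=4 a3=0 ppid=900 pid=4242 uid=1000 comm="poc" key="madvise_dontneed"
type=SYSCALL msg=audit(1700000000.103:503): arch=c000003e syscall=28 success=yes exit=0 a0=7f3a1c000000 a1=1000 a2=4 a3=0 ppid=900 pid=4242 uid=1000 comm="poc" key="madvise_dontneed"
type=SYSCALL msg=audit(1700000000.104:504): arch=c000003e syscall=28 success=yes exit=0 a0=7f3a1c000000 a1=1000 a2=4 a3=0 ppid=900 pid=4242 uid=1000 comm="poc" key="madvise_dontneed"
type=SYSCALL msg=audit(1700000000.105:505): arch=c000003e syscall=28 success=yes exit=0 a0=7f3a1c000000 a1=1000 a2=4 a3=0 ppid=900 pid=4242 uid=1000 comm="poc" key="madvise_dontneed"
type=SYSCALL msg=audit(1700000000.106:506): arch=c000003e syscall=28 success=yes exit=0 a0=7f3a1c000000 a1=1000 a2=4 a3=0 ppid=900 pid=4242 uid=1000 comm="poc" key="madvise_dontneed"
type=SYSCALL msg=audit(1700000000.107:507): arch=c000003e syscall=28 success=yes exit=0 a0=7f11aa000000 a1=1000 a2=4 a3=0 ppid=1 pid=1001 uid=1000 comm="bash" key="madvise_dontneed"
type=SYSCALL msg=audit(1700000000.108:508): arch=c000003e syscall=28 success=yes exit=0 a0=7f3a1c000000 a1=1000 a2=3 a3=0 ppid=900 pid=4242 uid=1000 comm="poc" key="madvise_dontneed"
type=SYSCALL msg=audit(1700000000.109:509): arch=c000003e syscall=1 success=yes exit=5 a0=1 a1=7f3a1c000000 a2=5 a3=0 ppid=900 pid=4242 uid=1000 comm="poc" key="madvise_dontneed"'

running=$(uname -r 2>/dev/null || echo unknown)
case "$running" in
    [0-9]*) echo "kernel $running: $(is_patched "$running")" ;;
esac
echo "kernel.dmesg_restrict=$(cat /proc/sys/kernel/dmesg_restrict 2>/dev/null || echo unknown)"
echo "pids with MADV_DONTNEED bursts in sample: $(printf '%s\n' "$SAMPLE_LOG" | burst_pids 5 1)"
```

Two operational caveats. First, `is_patched` only understands upstream version numbers; a vendor kernel such as `5.15.0-91-generic` keeps its upstream patch level at 0 while carrying backports, so the verdict for those must come from the vendor's changelog. Second, `madvise(MADV_DONTNEED)` bursts are also normal behaviour for memory allocators (glibc arena trimming, the Go runtime's scavenger), so tune the threshold and window against a baseline and treat a hit as a reason to inspect the process's `Uid:` line in `/proc/<pid>/status`, not as proof of exploitation.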
