CVE-2026-46300 — Fragnesia
On the 13th of May, 2026, CVE-2026-46300 was announced, also known as "Fragnesia".
This is a Linux kernel local privilege escalation vulnerability in the ESP (Encapsulating Security Payload) module, related to the same class of issues as the dirty frag vulnerability. It has been assigned a HIGH severity by Ubuntu.
Impact to LiquidFiles
Does this impact LiquidFiles? No.
CVE-2026-46300 requires local shell access to the system to exploit. An attacker would need an OS-level account with shell access on the server itself.
LiquidFiles application users do not have shell access to the underlying operating system — they interact exclusively through the web interface. Shell access is restricted to system administrators only, who are already fully trusted. There is no path from the LiquidFiles application layer to the kernel's ESP subsystem.
Additionally, the affected kernel modules esp4, esp6, and rxrpc are not present on the LiquidFiles appliance, so the vulnerability is also mitigated at the system level regardless of the kernel version in use.
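The module check described above can be run by an administrator with shell access. This is an added example, not LiquidFiles' own tooling; the function names are hypothetical and it assumes the standard Linux `/proc/modules` and `/lib/modules/<kernel release>` layout.

```shell
#!/bin/sh
# Added example: report whether the kernel modules named in this advisory
# are loaded, built into the kernel, installed on disk, or absent.
MODULES="esp4 esp6 rxrpc"

# module_state NAME PROC_MODULES MODULE_DIR
# Prints one of: loaded, builtin, installed, absent.
module_state() {
    name=$1; proc=$2; dir=$3
    # /proc/modules: the first field of each line is a loaded module's name.
    if [ -r "$proc" ] &&
       awk -v m="$name" '$1 == m { found = 1 } END { exit !found }' "$proc"; then
        echo loaded; return
    fi
    # modules.builtin lists compiled-in code as paths ending in NAME.ko.
    if [ -r "$dir/modules.builtin" ] &&
       grep -q "/$name\.ko\$" "$dir/modules.builtin"; then
        echo builtin; return
    fi
    # Loadable module file, possibly compressed (.ko, .ko.zst, .ko.xz, .ko.gz).
    if [ -d "$dir" ] &&
       find "$dir" -type f -name "$name.ko*" 2>/dev/null | grep -q .; then
        echo installed; return
    fi
    echo absent
}

# check_all PROC_MODULES MODULE_DIR
# Prints one line per module; returns 0 only if every module is absent.
check_all() {
    rc=0
    for m in $MODULES; do
        s=$(module_state "$m" "$1" "$2")
        printf '%s: %s\n' "$m" "$s"
        [ "$s" = absent ] || rc=1
    done
    return $rc
}

# Check the running system.
check_all /proc/modules "/lib/modules/$(uname -r)" ||
    echo "At least one of the affected modules is available on this host."
```

If every line reads `absent`, the module-level mitigation described above holds on that host; any other result means the kernel patch status is what matters.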
When will this be fixed
You can check the current patch status on the Ubuntu security tracker.
If and when a kernel update is released and you have Automatic Updates enabled as recommended, the updated kernel package will be applied automatically and your system will be mitigated at the OS level as well.