
AS-2026-009: Linux Kernel (Fragnesia)

2026-05-18

Severity

Moderate

Status

Ongoing


Statement

"Fragnesia" is a variant of the Dirty Frag vulnerability in ESP/XFRM that leads to Local Privilege Escalation (LPE) in the Linux kernel. If exploited, it allows an authenticated local user with standard privileges to gain root permissions.

  • CVE-2026-46300 affects certain ASUSTOR products that have VPN server installed through App Central, run a Linux kernel version higher than 4.11, and run ADM versions ranging from 4.1 to 5.1. VPN Server updates that include the Linux kernel patch will be released as soon as possible.

Affected Products

| Product | Severity | Fixed Release Availability |
|---|---|---|
| ADM 5.0 with VPN server installed | Important | Ongoing |
| ADM 4.3, ADM 4.2 and 4.1 with VPN server installed | Important | Ongoing |

NOT affected NAS models:

  • Drivestor (AS1102T, AS1104T)
  • Drivestor Pro (AS3302T, AS3304T)
  • AS4002T, AS4004T

Mitigation

For NAS models with VPN server installed on ADM 4.1 to ADM 5.1, please disable or remove the VPN server app until the upgraded app is available.


Detail

  • CVE-2026-46300
    • Severity: High
    • CVSS3.1 Base Score: 7.8
    • CVSS3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    • A flaw was found in the Linux kernel's XFRM ESP-in-TCP subsystem. Unsafe in-place cryptographic processing allows a low-privileged local attacker to write arbitrary bytes into the page cache of read-only files, including sensitive system files. An attacker can exploit this to overwrite privileged binaries and gain root privileges.

Reference


Revision

| Revision | Date | Description |
|---|---|---|
| 1 | 2026-05-18 | Initial public release. |