Date: 2026-05-13
Updated: 2026-05-29 - handled via EGI-SVG-2026-17
Updated: 2026-05-21
NOTE:
All running resources MUST be either patched or have mitigation in place or affected services disabled by 2026-05-21, 00:00 UTC.
Sites failing to act or respond to requests from the EGI CSIRT team risk site suspension.
A CRITICAL risk vulnerability in the Linux kernel, with yet another very easy-to-use public exploit, allows local privilege escalation to root. It is extensively described at [R 1] [R 2] [R 3] [R 9].
EGI SVG ID : EGI-SVG-2026-15
CVE ID : CVE-2026-46300
CVSSv3 Score:
Urgent action is required on hosts giving access to unprivileged users, e.g. grid worker nodes, but also container hosts, notebook servers and CI runners.
At the time of writing, fixed kernels are only available for some of the relevant distributions. Please check the references listed at the bottom of this advisory for your distribution(s), update and reboot affected systems as soon as feasible.
Please apply these mitigation commands on affected hosts in the meantime:
# unload the affected modules if they are currently loaded
modprobe -r esp4 esp6 rxrpc
# prevent the modules from being loaded again (manually or on demand)
cat >/etc/modprobe.d/mitigation-dirtyfrag.conf <<'EOF'
install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false
blacklist esp4
blacklist esp6
blacklist rxrpc
EOF
# drop the page cache, dentries and inodes
echo 3 > /proc/sys/vm/drop_caches
They are sufficient to prevent the published exploits and are not expected to affect vital functionality. A reboot is not needed just to apply those mitigations.
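A quick verification that the mitigation above is in place on a host, as an added example that is not part of the EGI advisory: it reports any of the three modules that is still loaded and any missing `install ... /bin/false` line. The module list and configuration are passed in as text, so the check also runs against the constructed samples below; the `--live` flag and the `check_host` function name are assumptions, not something the advisory defines.

```shell
#!/bin/sh
# Added check for the EGI-SVG-2026-15 mitigation state (not the advisory's own code).
MITIGATED_MODULES="esp4 esp6 rxrpc"

# check_modules_unloaded LSMOD_TEXT -> 0 if none of the modules is loaded
check_modules_unloaded() {
    _lsmod="$1"; _rc=0
    for m in $MITIGATED_MODULES; do
        # every lsmod line starts with the module name, then whitespace
        if printf '%s\n' "$_lsmod" | grep -Eq "^${m}[[:space:]]"; then
            echo "module still loaded: $m" >&2
            _rc=1
        fi
    done
    return $_rc
}

# check_modprobe_conf CONF_TEXT -> 0 if every module has an "install <mod> /bin/false" line
check_modprobe_conf() {
    _conf="$1"; _rc=0
    for m in $MITIGATED_MODULES; do
        if ! printf '%s\n' "$_conf" | grep -Eq "^[[:space:]]*install[[:space:]]+${m}[[:space:]]+/bin/false[[:space:]]*$"; then
            echo "missing 'install $m /bin/false' in modprobe configuration" >&2
            _rc=1
        fi
    done
    return $_rc
}

# Live check of the current host: lsmod output plus all modprobe.d fragments
check_host() {
    check_modules_unloaded "$(lsmod 2>/dev/null)" \
        && check_modprobe_conf "$(cat /etc/modprobe.d/*.conf 2>/dev/null)"
}

# Constructed samples: one unmitigated host, one mitigated host
SAMPLE_LSMOD_BAD='Module                  Size  Used by
esp4                   24576  0
xfrm4_tunnel           16384  1 esp4
rxrpc                 118784  0'
SAMPLE_LSMOD_OK='Module                  Size  Used by
ext4                  774144  1
xfrm4_tunnel           16384  0'
SAMPLE_CONF_OK='install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false'
SAMPLE_CONF_BAD='blacklist esp4
blacklist esp6
install rxrpc /bin/false'

if [ "${1:-}" = "--live" ]; then check_host; exit $?; fi
```

Run with `--live` as root to check the host itself; without the flag only the functions and samples are defined, so the file can be sourced from a site's own compliance scripts.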
Compared to the CVSS risk assessment detailed in [R 4], in some of our deployment scenarios the "Scope" parameter needs to have the value "Changed", which gives the EGI SVG score a significantly higher, more appropriate value.
TLP:CLEAR information - Unlimited distribution
https://advisories.egi.eu/Advisory-EGI-SVG-2026-15
https://advisories.egi.eu/Advisory-SVG-CVE-2026-46300
Minor updates may be made without re-distribution to the sites.
This advisory is subject to the Creative Commons licence
https://creativecommons.org/licenses/by/4.0/ and
the EGI (https://www.egi.eu/) Software Vulnerability Group
must be credited.
See [R 99] for further details, and other information on SVG.
SVG was alerted to this vulnerability by the EGI CSIRT