GitHub Issue

exploit doesn't work with ipv6.disable=1

Discovered On May 13, 2026
Primary Metric open
On Fedora44, with kernel cmdline: `BOOT_IMAGE=(hd0,gpt2)/vmlinuz-7.0.4-200.fc44.x86_64 root=UUID=331c8af0-5541-424c-9ec8-bda9e22cdadb ro rhgb quiet ipv6.disable=1`

```
user@f44:~/workspace/pocs/fragnesia$ ./exp
[*] uid=1000 euid=1000 gid=1000 egid=1000
[*] mode=xfrm_espintcp_pagecache_replace collateral=after
[*] target=/usr/bin/su size=57184
outer_write_open_denied=1 errno=13 (Permission denied)
userns_setup: outer_uid=1000 outer_gid=1000 ns_uid=0 ns_gid=0
netns_setup=1
loopback_up=1
namespace_gate_failed: XFRM_MSG_NEWSA ack errno=93 (Protocol not supported)
```

Developer & User Discourse

offsecguy • May 14, 2026
Did you test with the required arguments?

```
./exp /tmp/root-owned-copy 0 42434445
```
oebeledrijfhout • May 14, 2026
I don't think they are necessary but anyway, it gives the same result:

```
user@f44:~/workspace/pocs/fragnesia$ ls -l /tmp/
total 0
-rw-r--r--. 1 root root 0 14 mei 17:48 frag

```

```
user@f44:~/workspace/pocs/fragnesia$ ./exp /tmp/frag 0 42434445
[*] uid=1000 euid=1000 gid=1000 egid=1000
[*] mode=xfrm_espintcp_pagecache_replace collateral=after

[*] target=/usr/bin/su size=57184
outer_write_open_denied=1 errno=13 (Permission denied)
userns_setup: outer_uid=1000 outer_gid=1000 ns_uid=0 ns_gid=0
netns_setup=1
loopback_up=1
namespace_gate_failed: XFRM_MSG_NEWSA ack errno=93 (Protocol not supported)
```
offsecguy • May 14, 2026
args are absolutely required.

XFRM_MSG_NEWSA creates IPsec Security Associations; ESP modules (esp4/esp6) are the transport layer for those SAs.

Check to see if you have those available:

```
# Method 1: Check if modules are currently loaded
lsmod | grep esp

# Method 2: Check if module files exist on disk
ls -la /lib/modules/$(uname -r)/kernel/net/ipv4/esp4.ko* 2>/dev/null
ls -la /lib/modules/$(uname -r)/kernel/net/ipv6/esp6.ko* 2>/dev/null

# Method 3: Try to load them (requires root)
sudo modprobe esp4 && echo "esp4: OK" || echo "esp4: BLOCKED/MISSING"
sudo modprobe esp6 && echo "esp6: OK" || echo "esp6: BLOCKED/MISSING"

# Method 4: Check modprobe blacklist
grep -r "esp4\|esp6" /etc/modprobe.d/

# Method 5: Check if modules can be found in module index
modinfo esp4
modinfo esp6
```
offsecguy • May 14, 2026
....
oebeledrijfhout • May 14, 2026
They're not required. In fact, they are explicitly ignored: https://github.com/v12-security/pocs/blob/7b5fc577c3d9ad386cc109b1eb7b02623f48ca13/fragnesia/fragnesia.c#L1300

I successfully exploited on the same system when booted without `ipv6.disable=1`. That was the only difference. I don't know C but I can see the ipv6-specific code in the source, for example: https://github.com/v12-security/pocs/blob/7b5fc577c3d9ad386cc109b1eb7b02623f48ca13/fragnesia/fragnesia.c#L738

Try it for yourself: `sudo grubby --update-kernel=ALL --args="ipv6.disable=1"`, reboot, then run `./exp` with or without arguments.
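
Added example, not from the thread or the PoC repository: a shell check that records the facts the comments above go back and forth on (the boot-time `ipv6.disable` value and whether `esp4`/`esp6` are loaded, blocked in `modprobe.d`, or merely available), so two hosts can be compared before reading anything into an `errno=93`. The function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the PoC repository.

# Print the ipv6.disable value found in a kernel command line string, or
# "unset". If the parameter is repeated, this example reports the last one.
ipv6_disable_from_cmdline() {
    val=$(printf '%s\n' "$1" | tr ' ' '\n' |
          sed -n 's/^ipv6\.disable=//p' | tail -n 1)
    printf '%s\n' "${val:-unset}"
}

# Classify a module as loaded, install-blocked, blacklisted, available or
# missing. $1 = module name, $2 = modprobe.d directory to search.
module_state() {
    dir=${2:-/etc/modprobe.d}
    end='([[:space:]]|$)'
    if [ -d "/sys/module/$1" ]; then
        echo loaded                 # loaded, or built in with parameters
    elif grep -rqsE "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/(false|true)$end" "$dir"; then
        echo install-blocked        # modprobe runs the stub instead of loading
    elif grep -rqsE "^[[:space:]]*blacklist[[:space:]]+$1$end" "$dir"; then
        echo blacklisted            # stops alias autoload, not explicit modprobe
    elif modinfo "$1" >/dev/null 2>&1; then
        echo available              # on disk and loadable on demand
    else
        echo missing
    fi
}

# Print the boot-time and runtime view of the switch plus both ESP modules.
report() {
    echo "cmdline ipv6.disable=$(ipv6_disable_from_cmdline "$(cat /proc/cmdline 2>/dev/null)")"
    if [ -r /sys/module/ipv6/parameters/disable ]; then
        echo "runtime ipv6.disable=$(cat /sys/module/ipv6/parameters/disable)"
    fi
    for m in esp4 esp6; do
        echo "$m: $(module_state "$m")"
    done
}

report
```

A module reported as `available` can still be autoloaded on demand, so it is not evidence that the code path is unreachable on that host.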