28 lines
846 B
Markdown
28 lines
846 B
Markdown
# Fragnesia — CVE pending
|
|
|
|
> ⚪ **PLANNED** stub. See [`../../ROADMAP.md`](../../ROADMAP.md)
|
|
> Phase 7+.
|
|
|
|
## Summary
|
|
|
|
ESP shared-frag in-place encrypt path can be coerced into writing
|
|
into the page cache of an unrelated file. Same primitive shape as
|
|
Dirty Frag, different reach.
|
|
|
|
## Status
|
|
|
|
Audit-stage. See
|
|
`security-research/findings/audit_leak_write_modprobe_backups_2026-05-16.md`
|
|
section on backup primitives. Notably: trigger appears to require
|
|
CAP_NET_ADMIN inside a userns netns. On kCTF (shared net_ns) that's
|
|
cap-dead, but on host systems where user_ns clone is enabled it's
|
|
reachable.
|
|
|
|
## Decision needed before implementing
|
|
|
|
Is the unprivileged-userns-netns scenario in scope for IAMROOT? If
|
|
yes, this module ships. If we restrict to "default Linux user
|
|
account, no namespace tricks," this module is out of scope.
|
|
|
|
## Not started.
|