The "Fragnesia" (CVE-2026-46300) [1] and "ssh-keysign-pwn"
(CVE-2026-46333) [2] vulnerabilities have been resolved in the
following Fedora CoreOS releases:
- next: 44.20260510.1.3
- testing: 44.20260510.2.3
Since the fixed kernels are 7.0 kernels, a `stable` stream fix will be
promoted when `testing` is promoted to `stable` next week. In the
meantime, we recommend applying the mitigations below to `stable` stream
nodes.
== Fragnesia (CVE-2026-46300) ==
This vulnerability can be mitigated by disabling the affected kernel
modules via the following Butane config snippet:
storage:
  files:
    - path: /etc/modprobe.d/dirtyfrag.conf
      contents:
        inline: |
          install esp4 /bin/false
          install esp6 /bin/false
          install rxrpc /bin/false
          blacklist esp4
          blacklist esp6
          blacklist rxrpc
          alias net-pf-33 off
          alias xfrm-type-2-50 off
          alias xfrm-type-10-50 off
or by creating the same file on already running systems.
If the impacted modules are already loaded on the system, a reboot is
required for the mitigation to take effect, and the functionality they
provide (IPsec and AFS) will be disabled. Otherwise, the mitigation is
effective immediately.
== ssh-keysign-pwn (CVE-2026-46333) ==
This vulnerability can be mitigated by disabling ptrace access via the
following Butane config snippet:
storage:
  files:
    - path: /etc/sysctl.d/10-default-yama-scope.conf
      contents:
        inline: |
          kernel.yama.ptrace_scope = 3
or by creating the same file on already running systems and running:
/usr/lib/systemd/systemd-sysctl 10-default-yama-scope.conf
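To confirm that both mitigations above are in place on an already running `stable` node, the following POSIX sh script (an added example, not part of this announcement or of Fedora CoreOS) reads the modprobe file, `/proc/modules` and the live `ptrace_scope` value; the file paths are parameters so the checks can also be run against copies collected from other hosts.

```shell
#!/bin/sh
# check_mitigations.sh (example, not part of Fedora CoreOS):
# verify the Fragnesia and ssh-keysign-pwn mitigations on a node.

# Returns 0 when the modprobe file blocks every affected module
# with an "install <module> /bin/false" line, as in the announcement.
modprobe_conf_ok() {
  conf=$1
  [ -r "$conf" ] || return 1
  for m in esp4 esp6 rxrpc; do
    grep -Eq "^install[[:space:]]+$m[[:space:]]+/bin/false" "$conf" || return 1
  done
  return 0
}

# Returns 0 when none of the affected modules appears in a
# /proc/modules-style listing (first field is the module name).
modules_unloaded() {
  modfile=$1
  for m in esp4 esp6 rxrpc; do
    grep -Eq "^$m[[:space:]]" "$modfile" && return 1
  done
  return 0
}

# Returns 0 when the sysctl file/proc entry holds the value 3.
ptrace_scope_ok() {
  [ "$(cat "$1" 2>/dev/null)" = "3" ]
}

# Runs all checks; prints one line per check and returns 1 if any failed.
check_all() {
  conf=$1; mods=$2; scope=$3; rc=0
  if modprobe_conf_ok "$conf"; then echo "ok: $conf blocks esp4/esp6/rxrpc"
  else echo "MISSING: $conf does not block all affected modules"; rc=1; fi
  if modules_unloaded "$mods"; then echo "ok: no affected module is loaded"
  else echo "WARN: affected module loaded; reboot needed after adding the modprobe file"; rc=1; fi
  if ptrace_scope_ok "$scope"; then echo "ok: kernel.yama.ptrace_scope = 3"
  else echo "MISSING: kernel.yama.ptrace_scope is not 3"; rc=1; fi
  return $rc
}

# Invoke with --check to inspect the local node's live files.
case "${1:-}" in
  --check) check_all /etc/modprobe.d/dirtyfrag.conf /proc/modules \
                     /proc/sys/kernel/yama/ptrace_scope ;;
esac
```

Run it as `sh check_mitigations.sh --check`; a non-zero exit means at least one mitigation is missing or still needs a reboot.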
== Reference ==
For detailed information regarding these CVEs, see our tracking
issues [1] [2].
Michael Armijo
for The Fedora CoreOS Team
[1] https://github.com/coreos/fedora-coreos-tracker/issues/2144
[2] https://github.com/coreos/fedora-coreos-tracker/issues/2147