Gist lukapaunovic/fe02e3a4be7db4c080316fbfec3e50c5, created May 15, 2026 08:41
Fragnesia (CVE-2026-46300) - Debian 12 patch
```bash
#!/usr/bin/env bash
set -Eeuo pipefail

# Fragnesia / CVE-2026-46300 temporary mitigation for Debian 12 / bookworm.
# This blocks esp4, esp6 and rxrpc from being loaded on the host kernel.
#
# Safe for typical QEMU/KVM VPS nodes that do not terminate IPsec/ESP on the host.
# This can break host-level IPsec/strongSwan/Libreswan ESP usage, or AFS/rxrpc usage.

CONF_FILE="/etc/modprobe.d/fragnesia.conf"
MODULE_PATTERN='^(esp4|esp6|rxrpc)\b'

if [[ "${EUID}" -ne 0 ]]; then
  echo "ERROR: Run this script as root."
  exit 1
fi

echo "[1/6] Writing module block rules to ${CONF_FILE}"
cat > "${CONF_FILE}" <<'EOF'
# Fragnesia / CVE-2026-46300 temporary mitigation.
# Blocks future loading of vulnerable modules through modprobe.
install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false
EOF

echo "[2/6] Trying to unload modules if already loaded"
modprobe -r esp4 esp6 rxrpc 2>/dev/null || true

echo "[3/6] Checking currently loaded modules"
if lsmod | grep -E "${MODULE_PATTERN}"; then
  echo "WARNING: One or more vulnerable modules are still loaded."
  echo "They may be in use by IPsec/ESP or rxrpc/AFS on this host."
else
  echo "OK: esp4/esp6/rxrpc not loaded"
fi

echo "[4/6] Updating initramfs if update-initramfs exists"
if command -v update-initramfs >/dev/null 2>&1; then
  update-initramfs -u -k all
  echo "OK: initramfs updated"
else
  echo "WARNING: update-initramfs not found, skipping"
fi

echo "[5/6] Flushing filesystem buffers and dropping caches"
sync
echo 3 > /proc/sys/vm/drop_caches

echo "[6/6] Verifying that modules are blocked"
# With the install rules in place, modprobe runs /bin/false and fails.
modprobe esp4 2>/dev/null || echo "OK: esp4 blocked"
modprobe esp6 2>/dev/null || echo "OK: esp6 blocked"
modprobe rxrpc 2>/dev/null || echo "OK: rxrpc blocked"

if lsmod | grep -E "${MODULE_PATTERN}"; then
  echo "WARNING: Vulnerable module still loaded after mitigation."
  echo "Check host-level IPsec/ESP/rxrpc usage."
  exit 2
else
  echo "OK: vulnerable modules not loaded"
fi

cat <<'EOF'

Done.

Debian 12 / bookworm security repo and kernel update notes:

1. Check current kernel:
     uname -r

2. Make sure Debian 12 security repo exists.
   Official Debian 12 / bookworm security repo line:
     deb http://security.debian.org/ bookworm-security main contrib non-free non-free-firmware
   Example add command for classic /etc/apt/sources.list syntax:
     grep -R "bookworm-security" /etc/apt/sources.list /etc/apt/sources.list.d/*.list /etc/apt/sources.list.d/*.sources 2>/dev/null || \
       echo "deb http://security.debian.org/ bookworm-security main contrib non-free non-free-firmware" >> /etc/apt/sources.list

3. Update package index:
     apt update

4. Upgrade currently available Debian 12 security/kernel packages:
     apt install --only-upgrade linux-image-amd64 linux-headers-amd64
   Or, if you want all available stable/security updates too:
     apt upgrade

5. If you are using Debian 12 backports kernel, for example:
     6.12.x+deb12-amd64
   then make sure bookworm-backports exists:
     grep -R "bookworm-backports" /etc/apt/sources.list /etc/apt/sources.list.d/*.list /etc/apt/sources.list.d/*.sources 2>/dev/null || \
       echo "deb http://deb.debian.org/debian bookworm-backports main contrib non-free non-free-firmware" >> /etc/apt/sources.list
   Then update APT and install/upgrade kernel from backports:
     apt update
     apt install -t bookworm-backports linux-image-amd64 linux-headers-amd64

6. If a new fixed kernel is installed, reboot into it:
     reboot

7. After reboot, verify:
     uname -r
     dpkg -l | grep -E '^ii\s+linux-image'
     lsmod | grep -E '^(esp4|esp6|rxrpc)\b' || echo "OK: vulnerable modules not loaded"

8. After Debian releases a fixed kernel for CVE-2026-46300, you can remove this
   temporary mitigation only if you need IPsec/ESP/rxrpc:
     rm -f /etc/modprobe.d/fragnesia.conf
     update-initramfs -u -k all
     reboot

Important notes:
- Do not add Debian 13 / trixie repositories to Debian 12 just to get a kernel fix.
- For normal Debian 12 stable kernel, use bookworm-security.
- For Debian 12 backports kernel, use bookworm-backports with apt install -t bookworm-backports.
- Keep this mitigation enabled until the installed kernel is confirmed fixed.
EOF
```
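The script above applies the block and checks it once on a single host. The following is an added audit helper, not part of the gist, for checking the same state across a fleet from copies of `/proc/modules` and the concatenated `/etc/modprobe.d/*.conf`: it reports whether every target module has an `install ... /bin/false` rule (a plain `blacklist` line only stops alias autoloading and does not stop an explicit modprobe) and which modules are still resident with their use counts. The sample inputs are constructed for offline use; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the gist): audit the Fragnesia / CVE-2026-46300
# mitigation from text inputs so it can run offline or over collected files.

# Print "name:usecount" for each esp4/esp6/rxrpc entry in /proc/modules text.
# /proc/modules fields: name size usecount dependents state address
fragnesia_loaded() {
  printf '%s\n' "$1" | awk '$1 ~ /^(esp4|esp6|rxrpc)$/ { printf "%s:%s\n", $1, $3 }'
}

# Return 0 only if every target module has an "install <mod> /bin/false" rule.
fragnesia_blocked() {
  local mod
  for mod in esp4 esp6 rxrpc; do
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/bin/false([[:space:]]|$)" || return 1
  done
  return 0
}

# Combine both checks into one status word for fleet reporting.
#   $1: /proc/modules content   $2: modprobe.d content
fragnesia_status() {
  local loaded
  loaded="$(fragnesia_loaded "$1")"
  if ! fragnesia_blocked "$2"; then
    echo "NOT_BLOCKED"
  elif [ -n "$loaded" ]; then
    # Rules are in place but the module is resident; use count > 0 means
    # something (IPsec state, AFS) still holds it and modprobe -r will fail.
    echo "BLOCKED_BUT_LOADED:$(printf '%s' "$loaded" | tr '\n' ',')"
  else
    echo "MITIGATED"
  fi
}

# Constructed sample inputs (not from a real host).
SAMPLE_MODULES='xfrm_algo 16384 1 esp4, Live 0xffffffffc0a00000
esp4 28672 2 - Live 0xffffffffc0a10000
rxrpc 180224 0 - Live 0xffffffffc0b00000
kvm 1142784 1 kvm_intel, Live 0xffffffffc0c00000'
SAMPLE_CONF='# Fragnesia mitigation
install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false'
PARTIAL_CONF='blacklist esp4
install rxrpc /bin/false'

# On a real host: fragnesia_status "$(cat /proc/modules)" "$(cat /etc/modprobe.d/*.conf)"
fragnesia_status "$SAMPLE_MODULES" "$SAMPLE_CONF"
```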