{"uuid": "ffd9861d-ee81-4999-9a8a-5742104f25c0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-46300", "type": "seen", "source": "https://gist.github.com/lukapaunovic/fe02e3a4be7db4c080316fbfec3e50c5", "content": "#!/usr/bin/env bash\nset -Eeuo pipefail\n\n# Fragnesia / CVE-2026-46300 temporary mitigation for Debian 12 / bookworm.\n# This blocks esp4, esp6 and rxrpc from being loaded on the host kernel.\n#\n# Safe for typical QEMU/KVM VPS nodes that do not terminate IPsec/ESP on the host.\n# This can break host-level IPsec/strongSwan/Libreswan ESP usage, or AFS/rxrpc usage.\n\nCONF_FILE=\"/etc/modprobe.d/fragnesia.conf\"\nMODULE_PATTERN='^(esp4|esp6|rxrpc)\\b'\n\nif [[ \"${EUID}\" -ne 0 ]]; then\n    echo \"ERROR: Run this script as root.\"\n    exit 1\nfi\n\necho \"[1/6] Writing module block rules to ${CONF_FILE}\"\n\ncat > \"${CONF_FILE}\" <<'EOF'\n# Fragnesia / CVE-2026-46300 temporary mitigation.\n# Blocks future loading of vulnerable modules through modprobe.\n\ninstall esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\nEOF\n\necho \"[2/6] Trying to unload modules if already loaded\"\n\nmodprobe -r esp4 esp6 rxrpc 2>/dev/null || true\n\necho \"[3/6] Checking currently loaded modules\"\n\nif lsmod | grep -E \"${MODULE_PATTERN}\"; then\n    echo \"WARNING: One or more vulnerable modules are still loaded.\"\n    echo \"They may be in use by IPsec/ESP or rxrpc/AFS on this host.\"\nelse\n    echo \"OK: esp4/esp6/rxrpc not loaded\"\nfi\n\necho \"[4/6] Updating initramfs if update-initramfs exists\"\n\nif command -v update-initramfs >/dev/null 2>&1; then\n    update-initramfs -u -k all\n    echo \"OK: initramfs updated\"\nelse\n    echo \"WARNING: update-initramfs not found, skipping\"\nfi\n\necho \"[5/6] Flushing filesystem buffers and dropping caches\"\n\nsync\necho 3 > /proc/sys/vm/drop_caches\n\necho \"[6/6] Verifying that modules are blocked\"\n\nmodprobe esp4 2>/dev/null || echo \"OK: esp4 blocked\"\nmodprobe esp6 2>/dev/null || echo \"OK: esp6 blocked\"\nmodprobe rxrpc 2>/dev/null || echo \"OK: rxrpc blocked\"\n\nif lsmod | grep -E \"${MODULE_PATTERN}\"; then\n    echo \"WARNING: Vulnerable module still loaded after mitigation.\"\n    echo \"Check host-level IPsec/ESP/rxrpc usage.\"\n    exit 2\nelse\n    echo \"OK: vulnerable modules not loaded\"\nfi\n\ncat <<'EOF'\n\nDone.\n\nDebian 12 / bookworm security repo and kernel update notes:\n\n1. Check current kernel:\n\n   uname -r\n\n2. Make sure Debian 12 security repo exists.\n\n   Official Debian 12 / bookworm security repo line:\n\n   deb http://security.debian.org/ bookworm-security main contrib non-free non-free-firmware\n\n   Example add command for classic /etc/apt/sources.list syntax:\n\n   grep -R \"bookworm-security\" /etc/apt/sources.list /etc/apt/sources.list.d/*.list /etc/apt/sources.list.d/*.sources 2>/dev/null || \\\n   echo \"deb http://security.debian.org/ bookworm-security main contrib non-free non-free-firmware\" >> /etc/apt/sources.list\n\n3. Update package index:\n\n   apt update\n\n4. Upgrade currently available Debian 12 security/kernel packages:\n\n   apt install --only-upgrade linux-image-amd64 linux-headers-amd64\n\n   Or, if you want all available stable/security updates too:\n\n   apt upgrade\n\n5. If you are using Debian 12 backports kernel, for example:\n\n   6.12.x+deb12-amd64\n\n   then make sure bookworm-backports exists:\n\n   grep -R \"bookworm-backports\" /etc/apt/sources.list /etc/apt/sources.list.d/*.list /etc/apt/sources.list.d/*.sources 2>/dev/null || \\\n   echo \"deb http://deb.debian.org/debian bookworm-backports main contrib non-free non-free-firmware\" >> /etc/apt/sources.list\n\n   Then update APT and install/upgrade kernel from backports:\n\n   apt update\n   apt install -t bookworm-backports linux-image-amd64 linux-headers-amd64\n\n6. If a new fixed kernel is installed, reboot into it:\n\n   reboot\n\n7. After reboot, verify:\n\n   uname -r\n   dpkg -l | grep -E '^ii\\s+linux-image'\n   lsmod | grep -E '^(esp4|esp6|rxrpc)\\b' || echo \"OK: vulnerable modules not loaded\"\n\n8. After Debian releases a fixed kernel for CVE-2026-46300, you can remove this temporary mitigation only if you need IPsec/ESP/rxrpc:\n\n   rm -f /etc/modprobe.d/fragnesia.conf\n   update-initramfs -u -k all\n   reboot\n\nImportant notes:\n\n- Do not add Debian 13 / trixie repositories to Debian 12 just to get a kernel fix.\n- For normal Debian 12 stable kernel, use bookworm-security.\n- For Debian 12 backports kernel, use bookworm-backports with apt install -t bookworm-backports.\n- Keep this mitigation enabled until the installed kernel is confirmed fixed.\n\nEOF", "creation_timestamp": "2026-05-15T08:41:14.000000Z"}