CVE-2026-43284, CVE-2026-43500 (DirtyFrag), and CVE-2026-46300 (Fragnesia)

Fragnesia

Title	Fragnesia CVE-2026-46300 [eyeSight][eyeInspect]
URL Name	Fragnesia -2026
Summary	Fragnesia Frag CVE-2026-46300
Exploit	Fragnesia is a universal Linux local privilege escalation exploit, discovered with V12 by William Bowling with the V12 team. Fragnesia is a member of the Dirty Frag vulnerability class. This is a separate bug in the ESP/XFRM from DirtyFrag, which has received its own patch. However, Fragnesia is in the same surface, and the mitigation is the same as the mitigation for DirtyFrag. For detailed information about this vulnerability, please refer to the link below: pocs/fragnesia at main · v12-security/pocs
Impact	CVE-2026-46300 These chained vulnerabilities are only exploitable locally or via vulnerability chaining of potential future remote vulnerabilities in the appliance.
Versions Impacted	eyeSight: 9.1.x, 8.5.x eyeInspect: 5.X
Answer	The eyeSight and eyeInspect appliance currently expose only a single interactive administrative user (cliadmin [eyeSight], silentdefense[eyeInspect]), but it runs multiple non-root system services. As a result, kernel-level local privilege escalation vulnerabilities, such as Fragnesia, can be exploited if any network-facing service is compromised via potential future vulnerabilities that allow for vulnerability chaining to occur.
Community URL	https://forescout.my.site.com/support/s/article/Fragnesia--2026

Mitigation for eyeSight v9.1.x and v8.5.x

Apply the mitigation on all Forescout EMs and appliances:

1. Download the Perl script from the Dirty Frag knowledge article (Mitigation for eyeSight v9.1.x section, step 1).

2. Copy the mitigation script cve-2026-43284.pl to the /usr/local/forescout/tmp directory on each Forescout appliance. After copying the script to the Enterprise Manager (EM), you can use fstool oneach to transfer the script to other appliances.

   Copy the mitigation script cve-2026-43284.pl to the /usr/local/forescout/tmp directory on each Forescout appliance. After copying the script to the Enterprise Manager (EM), you can use fstool oneach to transfer the script to other appliances.

   If the tmp directory does not exist in /usr/local/forescout, create it and delete it after the procedure.

3. Log in to the CLI as root on the EM or appliance.

4. Navigate to the /usr/local/forescout/tmp directory where cve-2026-43284.pl is located.

   Navigate to the /usr/local/forescout/tmp directory where cve-2026-43284.pl is located.

5. Set the script as executable:

6. Verify SHA256 of cve-2026-43284.pl is 84ea9c9475936fb883d627d561526d7860664ac41b2cf67e843545985f4ce38a:

7. Run the mitigation script:

8. After the script completes, verify the mitigation:

Mitigation for eyeInspect v5.x

Apply the mitigation on all Forescout Command Centers and Sensors:

1. Download the Shell script from the Dirty Frag knowledge article (Mitigation for eyeInspect v5.X section, step 1).

2. Copy the mitigation script cve-2026-43284-mitigation.sh to the /home/silentdefense/ directory on each Forescout appliance.

3. Log in to the CLI as ‘silentdefense’ on the appliance.

4. Navigate to the /home/silentdefense/ directory where cve-2026-43284-mitigation.sh is located.

5. Set the script as executable:

6. Run the mitigation script:

Re-execute the script to validate the mitigation:

The output message confirms that the mitigation was applied successfully: