Broadcom released a security update for VMware Fusion to fix CVE-2026-41702, a high-severity local privilege escalation that lets any non-administrative user on a Mac running Fusion become root on the host. The flaw is a time-of-check time-of-use race condition inside a SETUID binary used by Fusion - the kind of bug that turns a foothold on a developer workstation into full host control. Researcher Mathieu Farrell reported it privately. Broadcom rated the issue 'important' (CVSSv3 7.8). The advisory landed the same week as Pwn2Own Berlin, where VMware ESXi exploits can earn participants up to 200,000 dollars - Broadcom is on-site.
Six days after Dirty Frag was patched, researcher William Bowling and the V12 Security team disclosed Fragnesia - a separate Linux kernel bug in the same ESP-in-TCP networking code that lets any unprivileged local user become root in one command. The public proof-of-concept overwrites /usr/bin/su in memory using a logic flaw that loses track of shared socket-buffer fragments, then re-runs su to drop into a root shell. The on-disk binary is left untouched, which makes the change harder to spot. Tracked as CVE-2026-46300 (CVSS 7.8), it follows Copy Fail (April 29) and Dirty Frag (May 7) in the same family.
Researcher Hyunwoo Kim disclosed Dirty Frag yesterday after an unrelated third party broke the embargo five days early. The flaw chains two Linux kernel page-cache write bugs (xfrm-ESP and RxRPC) to give any local user root access on every major distribution - Ubuntu, RHEL, CentOS Stream, AlmaLinux, openSUSE Tumbleweed, Fedora. Like Dirty Pipe and last week's Copy Fail, it's a deterministic logic bug with no race condition required and no kernel panic on failure. PoC is public on GitHub. The ESP variant patch was merged into the netdev tree on May 7 but distribution kernels remain unpatched. No CVE assigned yet because the embargo broke early.