---
title: "CVE-2026-46300 Fragnesia XFRM Mitigation"
description: "Fragnesia CVE-2026-46300 mitigation demo showing agentsh blocking the NETLINK_XFRM setup socket used to reach ESP-in-TCP attack paths."
doc_version: "1.0"
last_updated: "2026-05-18"
canonical: "https://www.agentsh.org/mitigations/demo-cve-2026-46300/"
---

# CVE-2026-46300 Fragnesia XFRM Mitigation

## Overview

This mitigation demo shows agentsh blocking the XFRM ESP-in-TCP setup socket used by Fragnesia CVE-2026-46300. The vulnerable run can reach the XFRM setup path; the protected run denies it at the execution layer.

## Mitigation

The DirtyFrag conservative mitigation set includes the AF_NETLINK and NETLINK_XFRM boundary needed to close this path. The policy result is deterministic and appears in the agentsh audit log.

## Sitemap

- [Canonical HTML](https://www.agentsh.org/mitigations/demo-cve-2026-46300/)
- [Site map](https://www.agentsh.org/sitemap.md)
- [Full documentation](https://www.agentsh.org/llms-full.md)