Full Report
A flaw in the Linux kernel's traffic-control subsystem can let a local unprivileged user gain root on affected systems. CVE-2026-46331, nicknamed "pedit COW," is an out-of-bounds write in the packet-editing action (act_pedit) that corrupts shared page-cache memory. A public, working exploit appeared within a day of the CVE assignment on June 16. Red Hat rates the flaw as
Analysis Summary
# Vulnerability: Linux Kernel "pedit COW" Local Privilege Escalation
## CVE Details
- **CVE ID:** CVE-2026-46331
- **CVSS Score:** N/A (Red Hat rates as "Important")
- **CWE:** CWE-787 (Out-of-bounds Write) / CWE-119
## Affected Systems
- **Products:** Linux Kernel (Traffic Control Subsystem)
- **Versions:**
  - **Debian:** 11 (Bullseye), 12 (Bookworm), 13 (Trixie, fixed)
  - **Ubuntu:** 18.04, 20.04, 22.04, 24.04, 26.04 (vulnerable as of June 25)
  - **Red Hat:** RHEL 8, 9, 10
- **Configurations:** Systems where `act_pedit` is loadable and unprivileged user namespaces are enabled.
## Vulnerability Description
The flaw exists in `tcf_pedit_act()`, a function within the Linux kernel's traffic-control (tc) subsystem. The function is designed to rewrite packet headers using a copy-on-write (COW) mechanism. However, it fails to correctly calculate offsets for certain edit keys that resolve at runtime. Because the writable range is checked only once before final offsets are determined, the kernel may perform a write outside of the privately copied memory region. This results in an out-of-bounds write that corrupts the shared page cache.
## Exploitation
- **Status:** PoC available; exploited in the wild.
- **Complexity:** Low (Scripted exploits available).
- **Attack Vector:** Local (Requires unprivileged user access).
## Impact
- **Confidentiality:** High (Full system access/Root).
- **Integrity:** High (Memory corruption of system binaries).
- **Availability:** High (Potential for system instability or hijacking).
## Remediation
### Patches
- **Debian:** Update to fixed versions via the security tracker for Debian 13.
- **General:** Install the latest kernel updates from your distribution provider and reboot the system to ensure the patched kernel is active.
### Workarounds
- **Disable the affected module:** If `tc pedit` is not required, prevent the module from loading:
  `echo 'install act_pedit /bin/true' | sudo tee /etc/modprobe.d/disable-act_pedit.conf`
- **Restrict user namespaces:** Disable unprivileged user namespaces to remove the attacker's ability to gain the necessary `CAP_NET_ADMIN` privileges:
  - RHEL: `sysctl -w user.max_user_namespaces=0`
  - Debian/Ubuntu: `sysctl -w kernel.unprivileged_userns_clone=0`

  *(Note: this may impact container runtimes and browser sandboxing.)*
## Detection
- **Indicators of Compromise:** Presence of unauthorized root shells or unexpected processes running with UID 0.
- **Detection Methods:** Monitor for the execution of the `tc` command by unprivileged users, especially within new user namespaces. Note that standard file-integrity checkers (e.g., AIDE, Tripwire) may not detect this attack as it targets the in-memory page cache rather than the file on disk.
- **Memory Purge:** Running `echo 3 > /proc/sys/vm/drop_caches` will clear the poisoned cache, though it will not terminate existing malicious sessions.
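One way to implement the `tc`-execution monitoring described above, as an added example that is not part of this report: a small Python correlator over auditd `SYSCALL`/`EXECVE` records that flags `tc` invocations by non-root users whose arguments name the `pedit` action. The sample records are constructed, and the audit key `tc_exec` (from an assumed execve rule on `/usr/sbin/tc`) is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not real telemetry): one non-root user
# running tc with a pedit action, and one benign root invocation of tc.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1718000000.101:501): arch=c000003e syscall=59 success=yes exit=0 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 comm="tc" exe="/usr/sbin/tc" key="tc_exec"
type=EXECVE msg=audit(1718000000.101:501): argc=9 a0="tc" a1="filter" a2="add" a3="dev" a4="lo" a5="ingress" a6="matchall" a7="action" a8="pedit"
type=SYSCALL msg=audit(1718000000.205:502): arch=c000003e syscall=59 success=yes exit=0 pid=2400 auid=4294967295 uid=0 gid=0 euid=0 comm="tc" exe="/usr/sbin/tc" key="tc_exec"
type=EXECVE msg=audit(1718000000.205:502): argc=5 a0="tc" a1="qdisc" a2="show" a3="dev" a4="eth0"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')

def parse_record(line):
    """Return (audit serial, {field: value}) for one audit line."""
    m = SERIAL_RE.search(line)
    if m is None:
        return None, {}
    return m.group(1), {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def correlate(log_text):
    """Join SYSCALL and EXECVE records that share an audit serial number."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        serial, fields = parse_record(line)
        if serial is None:
            continue
        if fields.get("type") == "SYSCALL":
            events[serial]["syscall"] = fields
        elif fields.get("type") == "EXECVE":
            argc = int(fields.get("argc", "0"))
            events[serial]["argv"] = [fields.get(f"a{i}", "") for i in range(argc)]
    return events

def find_unprivileged_pedit(log_text):
    """Flag tc executions by a non-root uid whose arguments name the pedit action.
    Audit reports uid as seen from the initial user namespace, so a process that
    is root only inside its own user namespace still shows its real uid here."""
    hits = []
    for serial, ev in correlate(log_text).items():
        sc, argv = ev.get("syscall", {}), ev.get("argv", [])
        if sc.get("comm") != "tc" or sc.get("uid") == "0":
            continue
        if "pedit" in argv:
            hits.append((serial, int(sc["uid"]), argv))
    return hits
```

Feed it the output of `ausearch -k tc_exec --raw` (or the raw audit.log) to get a list of `(serial, uid, argv)` hits worth triaging.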
## References
- **NVD Entry:** <https://nvd.nist.gov/vuln/detail/CVE-2026-46331>
- **Red Hat Advisory:** <https://access.redhat.com/security/vulnerabilities/RHSB-2026-008>
- **Debian Security Tracker:** <https://security-tracker.debian.org/tracker/CVE-2026-46331>
- **Ubuntu Security (CVE-2026-46331):** <https://ubuntu.com/security/CVE-2026-46331>
- **Mailing List Archive:** <https://lists.openwall.net/netdev/2026/05/23/133>