Key Takeaways
- CVE‑2026‑46331 (pedit COW) is a local privilege‑escalation flaw in the Linux kernel’s traffic‑control (tc) subsystem that lets attackers modify the in‑memory cached copy of setuid‑root binaries without touching files on disk.
- The vulnerability stems from an incorrect copy‑on‑write (COW) calculation in tcf_pedit_act(), allowing writes to spill into shared page‑cache memory.
- A functional proof‑of‑concept appeared within 24 hours of the patch being posted, demonstrating exploitation on RHEL 10, Debian 13 (Trixie) and certain Ubuntu releases.
- Successful exploitation requires the act_pedit kernel module to be loadable and the system to permit unprivileged user namespaces (which grant CAP_NET_ADMIN inside a user namespace).
- Traditional file‑integrity monitoring tools cannot detect the attack because the on‑disk binary remains unchanged; flushing the page cache only removes the corrupted copy, not any already‑established privileged processes.
- Mitigation: apply vendor‑supplied kernel patches and reboot; if immediate patching isn’t possible, disable the act_pedit module or restrict unprivileged user namespaces where feasible.
Overview of the pedit COW Vulnerability
A newly disclosed Linux kernel vulnerability, tracked as CVE‑2026‑46331 and nicknamed “pedit COW,” provides threat actors with a rapid path to root privileges. The flaw resides in the traffic‑control (tc) subsystem, specifically within the packet‑editor (pedit) functionality. By exploiting a memory‑corruption bug, attackers can poison the in‑memory page‑cache copy of privileged executables such as /bin/su while leaving the on‑disk files untouched, thereby bypassing many conventional integrity‑checking mechanisms.
Location of the Flaw in the Kernel
The vulnerability exists in the Linux kernel’s networking stack, more precisely in the traffic‑control framework used for packet scheduling, shaping, filtering, and modification. One of tc’s features, pedit, permits administrators to rewrite packet headers on the fly. The core routine responsible for applying these modifications is tcf_pedit_act(), which under normal conditions employs a copy‑on‑write (COW) mechanism to ensure that edits occur on a private memory copy rather than on shared pages.
Root Cause: Miscalculated Copy‑On‑Write Range
According to the upstream kernel patch, the vulnerable implementation calculated the writable memory range before runtime offsets associated with typed packet‑editing keys were fully resolved. This premature calculation meant that subsequent writes could extend beyond the privately copied region, allowing modifications to occur on shared page‑cache memory instead of isolated copies. The fix relocates the COW operation inside the per‑key processing loop—where the actual write offsets are known—and adds additional bounds and overflow validation to prevent the overrun.
How the Exploit Works
Researchers demonstrated that the flaw can be leveraged to poison the page‑cache copy of privileged binaries. Rather than altering the file stored on persistent storage, the exploit injects malicious code directly into the kernel’s cached image held in memory. When the executable is subsequently launched, Linux loads the manipulated cached image, granting the attacker root privileges while the original binary on disk appears unchanged. Because the disk image remains intact, standard integrity‑validation tools—such as checksum monitors or file‑integrity scanners—may report no signs of tampering despite the system already being compromised.
Speed of Public Exploit Release
The rapid availability of a working proof‑of‑concept intensified concerns among defenders. Kernel developers initially posted the fix to the Linux networking (netdev) mailing list as a routine data‑correction patch, not flagging it as a security issue. After the patch was merged into the kernel on June 16, 2026 and assigned CVE‑2026‑46331, researchers published a fully functional exploit within roughly twenty‑four hours. This swift transition from patch disclosure to weaponized code highlights a recurring challenge: detailed upstream patches often reveal exploitable conditions before many organizations have applied updates or vulnerability scanners begin flagging affected systems.
Prerequisites for Exploitation
Although the vulnerability cannot be exploited remotely on its own, local code execution under specific configurations suffices. Researchers identified two primary prerequisites:
- The act_pedit kernel module must be available or loadable on the target system.
- The system must permit unprivileged user namespaces, enabling attackers to obtain namespace‑scoped CAP_NET_ADMIN privileges required to configure vulnerable traffic‑control actions.
These conditions are common on hosts running containerized workloads, development environments, rootless container runtimes, and shared Linux infrastructure. Proof‑of‑concept exploits succeeded on Red Hat Enterprise Linux 10 and Debian 13 (Trixie) under default settings. Ubuntu 24.04 remained exploitable when AppArmor allowed user namespaces, whereas Ubuntu 26.04’s default AppArmor profile blocked the published attack path despite the underlying kernel flaw persisting until patched.
Vendor Responses and Advisories
Major Linux vendors have begun issuing security advisories. Red Hat classifies the issue as an Important vulnerability affecting supported RHEL 8, RHEL 9, and RHEL 10 releases (RHEL 7 is not listed). Debian has released updates for Debian 13 (Trixie), with older releases pending further patches at the time of publication. Ubuntu’s security tracking pages flag multiple supported releases as affected until updated kernel packages become available. The vulnerability has also been entered into the National Vulnerability Database following its disclosure by kernel.org.
Relation to Prior Page‑Cache Attacks
Security researchers note that pedit COW fits into a growing family of Linux page‑cache corruption vulnerabilities. Earlier high‑profile flaws—such as Dirty COW (CVE‑2016‑5195), Dirty Pipe, and related issues—shared a common design weakness: privileged kernel operations inadvertently wrote into shared memory pages rather than isolated copies, creating openings for local privilege escalation. While the exact implementation differs, pedit COW underscores that page‑cache corruption remains a recurring attack surface, especially when performance optimizations interact with complex memory‑management mechanisms.
Recommended Mitigations
Defenders should prioritize applying vendor‑supplied kernel updates and rebooting systems to ensure the vulnerable code is replaced. If immediate patching is not feasible, administrators can temporarily disable the act_pedit kernel module on systems that do not rely on packet‑editing traffic‑control rules. Another option is to restrict unprivileged user namespaces, although this may impact rootless container platforms, continuous‑integration pipelines, browser sandboxes, and other modern Linux workloads that depend on this feature. Organizations operating multi‑user servers, Kubernetes clusters, CI/CD runners, academic computing clouds, or any environment where local users cannot be fully trusted should treat the flaw as high‑risk and remediate promptly.
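The following POSIX shell script is an added example, not part of the original article and not vendor or kernel.org tooling. It audits the two exploitation prerequisites listed under "Prerequisites for Exploitation" (whether act_pedit is loaded or loadable, and whether unprivileged user namespaces are permitted) and prints the interim mitigation commands from this section. The sysctl names it reads are real ones: user.max_user_namespaces (upstream), kernel.unprivileged_userns_clone (Debian/Ubuntu kernels only) and kernel.apparmor_restrict_unprivileged_userns (Ubuntu 24.04 and later). The /proc/modules and modprobe.d contents used in demo mode are constructed samples. One caveat the script encodes: a modprobe.d `blacklist` line only suppresses alias-based autoloading, so tc's request of the module by name still loads it; an `install act_pedit /bin/false` line is what actually blocks it.

```shell
#!/bin/sh
# Added example: audit a host for the two pedit COW (CVE-2026-46331)
# prerequisites and print the interim mitigations. Not from the article.
# Run with --live to inspect the real host; with no argument it runs a
# demo over constructed sample inputs.

# Constructed sample inputs for demo mode (not captured from a real host).
SAMPLE_MODULES='act_pedit 16384 0 - Live 0x0000000000000000
cls_u32 24576 1 - Live 0x0000000000000000'
SAMPLE_MODCONF='install act_pedit /bin/false'

# $1 = /proc/modules contents, $2 = concatenated /etc/modprobe.d/*.conf contents
# Prints: loaded | blocked | blacklist-only | loadable
pedit_state() {
  modules="$1"; modconf="$2"
  if printf '%s\n' "$modules" | grep -q '^act_pedit '; then
    echo loaded
  elif printf '%s\n' "$modconf" |
       grep -Eq '^[[:space:]]*install[[:space:]]+act_pedit[[:space:]]+/bin/(false|true)'; then
    echo blocked
  elif printf '%s\n' "$modconf" |
       grep -Eq '^[[:space:]]*blacklist[[:space:]]+act_pedit([[:space:]]|$)'; then
    # blacklist stops alias autoload only; tc requests the module by name
    echo blacklist-only
  else
    echo loadable
  fi
}

# $1 = user.max_user_namespaces, $2 = kernel.unprivileged_userns_clone ("" if
# the sysctl does not exist), $3 = kernel.apparmor_restrict_unprivileged_userns
# ("" if absent). Prints: blocked | restricted | allowed
userns_state() {
  [ "$1" = 0 ] && { echo blocked; return; }
  [ "$2" = 0 ] && { echo blocked; return; }
  [ "$3" = 1 ] && { echo restricted; return; }
  echo allowed
}

# Combine both checks into a verdict: mitigated | reduced | exposed
exposure() {
  ps=$(pedit_state "$1" "$2"); us=$(userns_state "$3" "$4" "$5")
  case "$ps:$us" in
    blocked:*|*:blocked) echo mitigated ;;
    *:restricted)        echo reduced ;;
    *)                   echo exposed ;;
  esac
}

read_sysctl() { cat "/proc/sys/$1" 2>/dev/null || printf ''; }

live_audit() {
  mods=$(cat /proc/modules 2>/dev/null)
  conf=$(cat /etc/modprobe.d/*.conf 2>/dev/null)
  echo "act_pedit: $(pedit_state "$mods" "$conf")"
  echo "user namespaces: $(userns_state "$(read_sysctl user/max_user_namespaces)" \
    "$(read_sysctl kernel/unprivileged_userns_clone)" \
    "$(read_sysctl kernel/apparmor_restrict_unprivileged_userns)")"
  echo "verdict: $(exposure "$mods" "$conf" "$(read_sysctl user/max_user_namespaces)" \
    "$(read_sysctl kernel/unprivileged_userns_clone)" \
    "$(read_sysctl kernel/apparmor_restrict_unprivileged_userns)")"
}

print_mitigations() {
  cat <<'EOF'
# Interim mitigations until the patched kernel is installed and the host rebooted:
# 1. Prevent act_pedit from loading (blacklist alone is not enough) and unload it.
echo 'install act_pedit /bin/false' > /etc/modprobe.d/disable-act_pedit.conf
rmmod act_pedit 2>/dev/null
# 2. Disable creation of new user namespaces (check rootless container / CI impact first).
sysctl -w user.max_user_namespaces=0
EOF
}

if [ "${1:-}" = --live ]; then
  live_audit; print_mitigations
else
  echo "demo (constructed inputs):"
  echo "  module loaded, userns allowed -> $(exposure "$SAMPLE_MODULES" "" 65536 "" "")"
  echo "  install /bin/false, userns allowed -> $(exposure "" "$SAMPLE_MODCONF" 65536 "" "")"
  echo "  loadable, AppArmor restriction -> $(exposure "" "" 65536 "" 1)"
fi
```

Running the script as root with `--live` reports the module and namespace state of the host and prints the mitigation commands rather than applying them, so the namespace change can be weighed against the workloads that depend on it. Because the fix restores correct COW behaviour in the kernel, these controls are only a stopgap: the verdict should be re-checked after the vendor kernel is installed and the host rebooted.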
Conclusion
The emergence of pedit COW once again demonstrates how seemingly routine kernel maintenance patches can conceal high‑impact security flaws. As the Linux kernel continues to evolve, monitoring upstream development activity alongside traditional vulnerability advisories becomes essential for reducing exposure before public exploits become widely available. By applying timely patches, restricting unnecessary modules or namespace privileges, and maintaining vigilant detection practices, defenders can mitigate the risk posed by this and similar page‑cache‑based privilege‑escalation threats.