
A Linux kernel bug patched in May as a routine data-corruption fix just became a weaponized local root exploit. CVE-2026-46331, nicknamed pedit COW, sits in the traffic-control subsystem and lets any unprivileged local user poison the in-memory page cache to gain root — no disk writes, no audit logs, no clicks required. A public, author-verified proof of concept (PoC) dropped June 17. If your servers run RHEL 8/9/10 or Debian 13 and have not been rebooted onto a patched kernel, they are exploitable right now.
What Went Wrong in the Kernel
The flaw lives in tcf_pedit_act(), the function that applies edit rules to network packets inside Linux’s traffic-control (tc) subsystem. Before iterating over its edit keys, the function computes a copy-on-write (COW) range once, using a precomputed hint called tcfp_off_max_hint. That hint does not account for the per-key runtime offset that typed keys add when they resolve against actual packet headers at execution time.
Because the COW range is wrong, the write lands outside the private memory region — into the shared page cache that backs real files on disk. Socket buffers (skb) can reference zero-copy pages pulled in via sendfile, which are intentionally shared across processes. Corrupt one of those, and you corrupt the file in every process that has it mapped.
Researcher Massimiliano Oldani’s PoC, packet_edit_meme, takes aim at /bin/su. It overwrites the setuid binary’s cached ELF entry point in memory with shellcode that calls setgid(0); setuid(0); execve("/bin/sh"). The next time any user runs su, they get a root shell. The disk copy of the binary is untouched. File-integrity monitors see nothing.
Who Is Affected
The bug was introduced in kernel commit 899ee91156e5 and spans Linux v5.18 through v7.1-rc6 — roughly four years of production kernels. Two conditions must both be true for exploitation:
- The act_pedit module is loadable (the default on most enterprise distros)
- Unprivileged user namespaces are enabled (user.max_user_namespaces > 0, also the default)
Distribution status as of June 28, 2026:
- RHEL 8, 9, 10 / AlmaLinux 8: Patched — update and reboot
- Debian 13 (Trixie): Patched — update and reboot
- Debian 11 / 12: Still unpatched as of June 28, 2026
- Ubuntu 18.04–26.04: Check Ubuntu Security Notice for your version
- KernelCare (rebootless patch): Still in testing, not yet available
What to Do Right Now
Three mitigations, in order of preference:
Option 1 — Patch and reboot (strongly preferred):
# RHEL / AlmaLinux
sudo dnf update kernel && sudo reboot
# Debian 13 / Ubuntu (linux-image-generic is an Ubuntu-only metapackage, so upgrade everything instead)
sudo apt update && sudo apt full-upgrade && sudo reboot
Option 2 — Block the act_pedit module (safe for most servers):
echo 'install act_pedit /bin/true' | sudo tee /etc/modprobe.d/disable-act_pedit.conf
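This does not require a reboot and is safe unless you actively use tc pedit rules for traffic shaping. The install rule only stops future loads: if act_pedit is already loaded, it stays resident until it is unloaded or the host reboots.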
Option 3 — Restrict unprivileged user namespaces (breaks containers):
sudo sysctl -w user.max_user_namespaces=0
echo 'user.max_user_namespaces = 0' | sudo tee /etc/sysctl.d/99-pedit-cow.conf
This removes the exploit prerequisite but will break rootless Podman, Docker rootless, and most CI sandbox environments. Use only on hardened servers where containers are not needed.
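As an added example (not part of the original article or any vendor tooling), the shell functions below report which of the two prerequisites described above are still present on a host. The function names, verdict words and the list of modprobe.d directories are choices made for this example, and the check says nothing about whether the running kernel is patched.

```shell
#!/bin/sh
# Added example: checks only the two prerequisites named in the article.
# It cannot tell whether the running kernel already carries the fix.

# pedit_blocked DIR...: true if a modprobe.d file in DIR has an
# "install act_pedit <cmd>" override. A bare "blacklist" line is not
# counted, because it does not stop an explicit load by module name.
pedit_blocked() {
    for dir in "$@"; do
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            grep -Eq '^[[:space:]]*install[[:space:]]+act[-_]pedit[[:space:]]' "$f" &&
                return 0
        done
    done
    return 1
}

# pedit_loaded FILE: true if FILE (/proc/modules format) lists act_pedit.
# A module that is already resident is not affected by an install rule.
pedit_loaded() {
    [ -r "$1" ] && grep -q '^act_pedit ' "$1"
}

# pedit_exposure MODULES_FILE USERNS_MAX DIR...: print one verdict word.
pedit_exposure() {
    modules=$1
    userns=$2
    shift 2
    # Unreadable or non-numeric limit: assume namespaces are enabled.
    case $userns in '' | *[!0-9]*) userns=1 ;; esac
    if [ "$userns" -eq 0 ]; then
        echo userns-disabled
    elif pedit_loaded "$modules"; then
        echo exposed-module-loaded
    elif pedit_blocked "$@"; then
        echo module-blocked
    else
        echo exposed
    fi
}

# Live check; these paths are the usual Linux locations (assumed).
pedit_exposure /proc/modules \
    "$(cat /proc/sys/user/max_user_namespaces 2>/dev/null)" \
    /etc/modprobe.d /run/modprobe.d /usr/lib/modprobe.d
```

A verdict of exposed-module-loaded means a block rule is not enough on its own, because the module is already resident.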
The Disclosure Problem Nobody Is Talking About
The fix for pedit COW was submitted to the public netdev mailing list in late May under a subject line that read “net/sched: fix pedit partial COW leading to page cache corruption.” No CVE. No security designation. No heads-up to downstream distributors. The patch described the bug clearly enough that anyone reading netdev archives could have built the exploit.
The kernel.org CNA assigned CVE-2026-46331 at merge time on June 16. Oldani’s PoC dropped the next day. Distros were racing to backport a patch for a bug that had been publicly described for weeks.
This is not a one-off. Last week, ByteIota covered DirtyClone (CVE-2026-43503), which followed a nearly identical disclosure arc — public netdev discussion, late CVE, rapid PoC. Both bugs corrupt the page cache without touching disk. Both leave no kernel audit log. The PoC author named packet_edit_meme “yet another page cache poisoning nightmare” — a phrase that lands differently when it is the third significant LPE of this class in 18 months.
The Linux kernel security team is reportedly discussing whether net/sched patches with security implications should route through the private security track rather than open mailing lists. That conversation was overdue.
The Short Version
Update your kernel. Reboot. If you cannot reboot immediately, block act_pedit. The PoC is public, the prerequisites are default-on, and the page cache attack leaves no trail. Waiting is not a strategy.













