A Linux kernel vulnerability, tracked as CVE-2026-46331 and nicknamed “Pedit COW,” has raised serious concerns among cybersecurity professionals. The flaw allows a local, unprivileged user to gain root-level access on vulnerable Linux systems by exploiting a weakness in the kernel’s traffic-control subsystem.
What makes this vulnerability particularly dangerous is that attackers can achieve full system compromise without modifying the actual files stored on disk. Instead, the exploit targets the system’s memory cache, making traditional file-integrity checks ineffective.
CVE-2026-46331 is an out-of-bounds write vulnerability found in the Linux kernel’s packet-editing action, known as act_pedit. The flaw exists within the traffic-control (tc) subsystem, which is used for managing and modifying network traffic.
Security researchers discovered that under specific conditions, the vulnerability allows an attacker to overwrite data in shared page-cache memory. This memory corruption can then be used to alter the in-memory version of privileged system binaries such as /bin/su, ultimately enabling an attacker to launch a root shell.
A public proof-of-concept (PoC) exploit was released within a day of the CVE being assigned on June 16, significantly increasing the risk for unpatched systems. Due to the severity of the issue, Red Hat has classified the vulnerability as Important.
The Linux traffic-control utility includes a feature called pedit, which allows administrators to modify packet headers as network traffic passes through the system.
The vulnerability originates in a kernel function called tcf_pedit_act(). Under normal circumstances, the function should create a private copy of data before making any modifications. This process follows the standard copy-on-write (COW) mechanism, which prevents changes from affecting shared memory.
However, researchers found that the function validates the writable memory range, and takes its copy-on-write copy, before the final packet offsets of every key are known. Some packet-editing keys compute their offsets only at runtime, so a write can land outside the region that was checked and copied.
Instead of modifying a private copy, the kernel ends up altering a shared page-cache page. If that page belongs to a cached executable file, the file’s in-memory image becomes corrupted.
Attackers can exploit this behavior to inject malicious code into the cached version of a privileged executable. When the altered executable is launched, it runs with root privileges, giving the attacker complete control over the system.
The attack pattern seen in Pedit COW resembles several high-profile Linux kernel vulnerabilities discovered in recent years.
These include:
- Dirty Pipe
- Copy Fail
- DirtyClone
- Dirty Frag
All of these vulnerabilities share a common characteristic: a kernel operation writes data into memory pages that are not exclusively owned by the process performing the write.
The major difference with Pedit COW is its entry point. By using user namespaces, an unprivileged user can obtain the namespace-local CAP_NET_ADMIN capability required to trigger the vulnerable functionality.
Researchers successfully demonstrated the exploit on multiple Linux distributions.
The proof-of-concept exploit successfully achieved privilege escalation on RHEL 10. Red Hat has also identified RHEL 8 and RHEL 9 as affected versions.
Testing confirmed successful exploitation on Debian 13 (Trixie). Debian has already released fixes for Trixie through its security update channel. However, Debian 11 and Debian 12 remain listed as vulnerable.
Ubuntu systems are also affected by the underlying kernel flaw.
Researchers reported that Ubuntu 24.04 could be exploited through AppArmor configurations that still allow unprivileged user namespaces.
While Ubuntu 26.04 restricts this attack path by default through tighter AppArmor policies, the vulnerable kernel code still exists, meaning systems should still be patched.
As of June 25, Ubuntu lists supported releases from 18.04 through 26.04 as vulnerable.
The attack requires two key conditions:
- The act_pedit module must be available and loadable.
- Unprivileged user namespaces must be enabled.
When both conditions are present, attackers can gain the namespace-local CAP_NET_ADMIN privilege necessary to trigger the vulnerability.
Many Linux distributions enable these features by default, making exploitation possible without administrative permissions.
Security teams should prioritize installing vendor-provided kernel updates and rebooting affected systems as soon as possible.
Particular attention should be given to environments where local users cannot automatically be trusted, including:
- Multi-tenant servers
- Kubernetes nodes
- CI/CD runners
- Build servers
- Shared development environments
- Academic and research systems
Organizations that do not require pedit functionality can prevent the module from loading.
First, verify whether the module is currently in use:
```shell
lsmod | grep act_pedit
```
If it is not required, disable it using:
```shell
echo 'install act_pedit /bin/true' | sudo tee /etc/modprobe.d/disable-act_pedit.conf
```
Another mitigation option is disabling unprivileged user namespaces.
For RHEL:
```
user.max_user_namespaces=0
```
For Debian and Ubuntu:
```
kernel.unprivileged_userns_clone=0
```
Administrators should test this change carefully because it can affect:
- Rootless containers
- CI/CD environments
- Sandboxed browsers
- Developer tools
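The two preconditions and the two mitigations above can be audited with a short script. The following is an added example, not code from the advisory or from any vendor: it reads the same knobs the mitigations touch (/proc/sys/user/max_user_namespaces, /proc/sys/kernel/unprivileged_userns_clone on Debian and Ubuntu kernels, /proc/modules, and the /etc/modprobe.d drop-in). Every path is a parameter so the functions can be exercised against fixture files; the module state "unknown" is treated as exposed because an unloaded module may still autoload when tc first references it.

```shell
#!/bin/sh
# Precondition audit for Pedit COW (CVE-2026-46331).
# Added example; not code from the advisory or from any vendor.
# All paths are parameters so the checks can run against fixtures as well
# as the live /proc tree.

# Print "disabled" when a sysctl blocks unprivileged user namespaces,
# otherwise "enabled". An absent knob is treated as enabled (conservative:
# assume exposure unless a setting proves otherwise).
userns_state() {
    root="$1"
    if [ -r "$root/user/max_user_namespaces" ] &&
       [ "$(cat "$root/user/max_user_namespaces")" = 0 ]; then
        echo disabled; return 0
    fi
    if [ -r "$root/kernel/unprivileged_userns_clone" ] &&
       [ "$(cat "$root/kernel/unprivileged_userns_clone")" = 0 ]; then
        echo disabled; return 0
    fi
    echo enabled
}

# Print "loaded" if act_pedit is in the module list, "blocked" if a
# modprobe.d drop-in maps it to /bin/true, otherwise "unknown" (not loaded
# now, but it may still autoload; confirm with: modprobe -n -v act_pedit).
pedit_state() {
    modules="$1"; modprobe_d="$2"
    if grep -qs '^act_pedit[[:space:]]' "$modules"; then
        echo loaded; return 0
    fi
    if grep -qsE '^install[[:space:]]+act_pedit[[:space:]]+/bin/true' "$modprobe_d"/*.conf; then
        echo blocked; return 0
    fi
    echo unknown
}

# Report both conditions. Returns 1 (exposed) when namespaces are enabled and
# the module is not blocked, 0 otherwise. A clean result does not replace the
# kernel update; it only means the unprivileged trigger path is closed.
audit() {
    sys_root="$1"; modules="$2"; modprobe_d="$3"
    ns="$(userns_state "$sys_root")"
    pedit="$(pedit_state "$modules" "$modprobe_d")"
    echo "unprivileged user namespaces: $ns"
    echo "act_pedit module: $pedit"
    if [ "$ns" = enabled ] && [ "$pedit" != blocked ]; then
        echo "verdict: EXPOSED (both preconditions present) - patch, or apply a mitigation"
        return 1
    fi
    echo "verdict: unprivileged trigger path closed (kernel update still required)"
    return 0
}

# Audit the live host when run as a script; override the three variables to
# point at fixtures. The result is kept in AUDIT_STATUS rather than passed to
# 'exit' so the file can also be sourced for its functions.
if audit "${SYS_ROOT:-/proc/sys}" "${MODULES:-/proc/modules}" "${MODPROBE_D:-/etc/modprobe.d}"; then
    AUDIT_STATUS=0
else
    AUDIT_STATUS=1
fi
```

Run it as an unprivileged user on each host class listed above; a verdict of EXPOSED means the namespace-local CAP_NET_ADMIN path described earlier is open and the host should be patched first, or one of the two mitigations applied in the meantime. The sysctl values only persist across reboots when written to a file under /etc/sysctl.d.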
One of the most concerning aspects of Pedit COW is its ability to evade traditional security monitoring.
The exploit modifies only the cached in-memory version of a file while leaving the actual file stored on disk unchanged. As a result, file-integrity monitoring tools may report that system files remain untouched even while an attacker already has root access.
Although administrators can clear poisoned cache pages using:
```shell
echo 3 > /proc/sys/vm/drop_caches
```
this action only removes the modified cached copy. It does not eliminate any malicious processes or root shells that may already be running.
For this reason, any system suspected of exploitation should be treated as fully compromised and investigated accordingly.
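Because the on-disk file is untouched, the check that does detect this class of corruption is to compare what a normal read returns (the page-cache copy) with what a direct read returns (the disk copy). The following is an added example, not code from the advisory: it assumes GNU dd, whose iflag=direct opens the file with O_DIRECT and so bypasses the page cache, and defaults to /bin/su, the binary named above. It deliberately does not evict anything, so a mismatch leaves the evidence in place for the investigation the paragraph calls for.

```shell
#!/bin/sh
# Page-cache vs. on-disk comparison for privileged binaries.
# Added example; not code from the advisory. A plain read returns whatever
# is in the page cache (the poisoned image, if any); dd with iflag=direct
# reads the same file with O_DIRECT, straight from disk. Differing hashes
# mean the cached image was altered even though on-disk integrity checks
# report no change. Nothing here evicts the page, so evidence is preserved.

# Print "match", "MISMATCH", "unreadable" or "unsupported" (direct I/O not
# available on this file system, e.g. older tmpfs) for one file.
# Returns 0 for match, 1 for MISMATCH, 2 otherwise.
cache_matches_disk() {
    f="$1"
    [ -r "$f" ] || { echo unreadable; return 2; }
    command -v sha256sum >/dev/null 2>&1 || { echo unsupported; return 2; }
    tmp="$(mktemp)" || { echo unsupported; return 2; }
    # Direct read: bs must be a multiple of the device block size for O_DIRECT.
    if ! dd if="$f" of="$tmp" bs=4096 iflag=direct 2>/dev/null; then
        rm -f "$tmp"; echo unsupported; return 2
    fi
    disk="$(sha256sum "$tmp" | cut -d' ' -f1)"
    cached="$(sha256sum "$f" | cut -d' ' -f1)"   # ordinary read, served from page cache
    rm -f "$tmp"
    if [ "$disk" = "$cached" ]; then
        echo match; return 0
    fi
    echo MISMATCH; return 1
}

# Check each file given and print one line per file. Returns 1 if any
# file's cached image differs from its on-disk contents.
scan() {
    rc=0
    for f in "$@"; do
        r="$(cache_matches_disk "$f")" || true
        [ "$r" = MISMATCH ] && rc=1
        echo "$r  $f"
    done
    return $rc
}

# Default target is /bin/su, the binary named in the write-up; pass other
# setuid binaries as arguments. Status is kept in SCAN_STATUS, not 'exit',
# so the functions can also be sourced.
[ $# -eq 0 ] && set -- /bin/su
if scan "$@"; then SCAN_STATUS=0; else SCAN_STATUS=1; fi
```

Run it before clearing the cache: once drop_caches has been written the poisoned copy is gone and the comparison can no longer show anything. A MISMATCH on any setuid binary is strong evidence of exploitation and the host should be handled as fully compromised, as the paragraph above states; a result of "match" only says the cached image is clean at that moment, not that the kernel is patched.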
The Pedit COW vulnerability highlights how seemingly routine kernel bugs can quickly become critical security threats. The fix was originally discussed publicly as a data-corruption issue before the security implications became widely recognized. Once the patch was merged and a CVE assigned, a working exploit appeared almost immediately.
With publicly available exploit code and confirmed privilege-escalation capabilities, organizations running Linux servers should apply security updates without delay. Security teams should also review configurations that allow unprivileged user namespaces and assess whether temporary mitigations are necessary until patches can be fully deployed.
As history has shown with vulnerabilities such as Dirty Pipe, page-cache corruption flaws can rapidly become favorite tools for attackers seeking full system compromise. Prompt patching remains the most effective defense against the latest Linux privilege-escalation threat.
