A newly disclosed Linux kernel vulnerability, CVE-2026-46331, also known as “pedit COW,” allows local, unprivileged users to escalate their privileges and gain root access on affected systems.
The flaw affects the Linux kernel’s traffic-control (tc) subsystem and has already attracted significant attention after a fully functional proof-of-concept (PoC) exploit was released just one day after the CVE was assigned on June 16, 2026. Security researchers warn that systems with the required configurations are at immediate risk if left unpatched.
What Is CVE-2026-46331?
The vulnerability exists in the act_pedit packet-editing component of Linux’s traffic-control framework. Due to an out-of-bounds write, attackers can corrupt shared page-cache memory and eventually execute code with root privileges.
Unlike traditional file modification attacks, this exploit never alters the binary stored on disk. Instead, it targets the cached in-memory copy of a privileged executable such as /bin/su, injects malicious code into memory, and executes the modified image with root permissions.
Because the original file remains untouched, standard file integrity monitoring tools may report everything as normal while an attacker already has a root shell.
How the Exploit Works
Linux uses the tc (traffic control) utility to modify packet headers using an action known as pedit. The corresponding kernel function, tcf_pedit_act(), is designed to follow a copy-on-write mechanism by creating a private copy of data before making modifications.
However, researchers found that the kernel validates the writable memory range before certain packet-edit offsets are fully calculated. When these offsets are resolved later during execution, the kernel writes outside the intended private memory region and instead modifies shared page-cache memory.
If the affected memory page belongs to a cached executable, attackers can alter the program while it resides in memory, enabling privilege escalation without changing the actual file.
Similarities to Previous Linux Vulnerabilities
Security experts note that this bug follows a pattern seen in several previous Linux kernel vulnerabilities, including:
- Dirty Pipe
- Copy Fail
- DirtyClone
- Dirty Frag
Each of these vulnerabilities abuses kernel memory management to modify shared page-cache pages. However, pedit COW introduces a new attack path by leveraging Linux user namespaces.
Exploitation Requirements
To successfully exploit CVE-2026-46331, two conditions must be met:
- The act_pedit kernel module must be available or loadable.
- Unprivileged user namespaces must be enabled, allowing attackers to obtain namespace-local CAP_NET_ADMIN privileges needed to trigger the vulnerability.
Researchers confirmed successful exploitation on default installations of Red Hat Enterprise Linux (RHEL) 10 and Debian 13 (Trixie).
Affected Linux Distributions
Current vendor advisories indicate the following impact:
Red Hat
- RHEL 8 – Vulnerable
- RHEL 9 – Vulnerable
- RHEL 10 – Vulnerable
- RHEL 7 – Not listed as affected
Debian
- Debian 13 (Trixie) – Patched through security updates
- Debian 11 – Vulnerable
- Debian 12 – Vulnerable
Ubuntu
Supported Ubuntu releases from 18.04 LTS through 26.04 are currently listed as vulnerable.
Ubuntu 24.04 can still be exploited under certain AppArmor configurations that allow user namespaces, while Ubuntu 26.04 blocks the default exploitation path because its AppArmor profiles restrict unprivileged user namespaces, although the kernel vulnerability itself still exists.
How to Protect Your Systems
Administrators should install the latest vendor-supplied kernel updates and reboot affected systems as soon as possible.
Priority should be given to environments where untrusted local users have access, including:
- Multi-tenant servers
- Kubernetes worker nodes
- CI/CD runners
- Shared build servers
- Research and laboratory systems
Temporary Mitigation Options
If immediate patching is not possible, administrators can reduce risk by disabling the vulnerable act_pedit module.
First, verify whether the module is currently loaded:
lsmod | grep act_pedit
If it is not required, prevent it from loading:
echo 'install act_pedit /bin/true' | sudo tee /etc/modprobe.d/disable-act_pedit.conf
Another mitigation is disabling unprivileged user namespaces through the distribution's sysctl setting:
- RHEL: user.max_user_namespaces=0
- Debian/Ubuntu: kernel.unprivileged_userns_clone=0
Keep in mind that disabling user namespaces can impact rootless containers, sandboxed browsers, and certain CI/CD environments, so testing is recommended before deployment.
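The two exploitation requirements and both temporary mitigations can be checked together. The script below is an added example, not vendor tooling or code from the original article; the function names and the SYSROOT prefix are hypothetical, and it checks only the preconditions, not whether the running kernel carries the fix.

```shell
#!/bin/sh
# Added example, not vendor tooling. ROOT is a hypothetical path prefix
# (empty = live system) so the checks can run against a constructed tree.

pedit_module_state() {   # prints: loaded | builtin | blocked | loadable | absent
    root=$1
    if grep -qs '^act_pedit ' "$root/proc/modules"; then
        echo loaded; return      # an install override does not unload it
    fi
    if grep -qs '/act_pedit\.ko' "$root"/lib/modules/*/modules.builtin; then
        echo builtin; return     # compiled in: modprobe.d cannot block it
    fi
    # Only an "install" override stops loading by name; "blacklist" does not.
    if grep -qsE '^[[:space:]]*install[[:space:]]+act_pedit[[:space:]]+(/usr)?/bin/(true|false)' \
            "$root"/etc/modprobe.d/*.conf; then
        echo blocked; return
    fi
    if find "$root/lib/modules/" -name 'act_pedit.ko*' 2>/dev/null | grep -q .; then
        echo loadable; return
    fi
    echo absent
}

userns_state() {         # prints: enabled | disabled
    root=$1              # a missing sysctl file means "not restricted" (1)
    max=$(cat "$root/proc/sys/user/max_user_namespaces" 2>/dev/null || echo 1)
    clone=$(cat "$root/proc/sys/kernel/unprivileged_userns_clone" 2>/dev/null || echo 1)
    if [ "${max:-1}" = 0 ] || [ "${clone:-1}" = 0 ]; then
        echo disabled
    else
        echo enabled             # AppArmor userns restrictions are not checked
    fi
}

pedit_exposure() {       # prints: <exposed|reduced> module=<state> userns=<state>
    mod=$(pedit_module_state "$1")
    ns=$(userns_state "$1")
    case "$mod:$ns" in
        absent:*|blocked:*|*:disabled) verdict=reduced ;;
        *) verdict=exposed ;;
    esac
    echo "$verdict module=$mod userns=$ns"
}

pedit_exposure "${SYSROOT:-}"
```

A result of "exposed module=loaded" on a host that already has the modprobe.d override means the module was loaded before the override was written and is still resident.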
Why Detection Is Difficult
Since the exploit modifies only the cached in-memory version of an executable, traditional file integrity monitoring solutions may fail to detect the compromise.
Although clearing the page cache using:
echo 3 > /proc/sys/vm/drop_caches
removes the poisoned memory pages, it does not eliminate an attacker who has already obtained a root shell. Any successfully exploited system should therefore be treated as fully compromised and investigated accordingly.
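Because the on-disk file and its cached copy diverge, one check that file integrity monitoring does not perform is to hash both views and compare them. The script below is an added example, not part of the original article; the function names are hypothetical, it relies on GNU dd's iflag=direct to bypass the page cache, and it assumes the poisoned pages are not marked dirty, which is consistent with drop_caches being able to discard them.

```shell
#!/bin/sh
# Added example: compare the page-cache view of a file with a read that
# bypasses the cache (O_DIRECT through GNU dd's iflag=direct).

cache_vs_disk() {        # prints: match | MISMATCH | unsupported
    f=$1
    # Probe first: O_DIRECT is refused on some filesystems and by non-GNU dd.
    if ! dd if="$f" of=/dev/null iflag=direct bs=1M 2>/dev/null; then
        echo unsupported; return 0
    fi
    cached=$(sha256sum < "$f" | cut -d' ' -f1)      # served from page cache
    direct=$(dd if="$f" iflag=direct bs=1M 2>/dev/null | sha256sum | cut -d' ' -f1)
    if [ "$cached" = "$direct" ]; then echo match; else echo MISMATCH; fi
}

scan_setuid() {          # check every setuid-root file under directory $1
    find "$1" -xdev -type f -perm -4000 -user root 2>/dev/null |
    while IFS= read -r p; do
        echo "$(cache_vs_disk "$p") $p"
    done
}

scan_setuid "${1:-/usr/bin}"
```

A MISMATCH is only observable while the altered pages are still cached, so run the comparison before dropping caches or rebooting during an investigation.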
Timeline
The kernel fix was initially submitted to the Linux netdev mailing list in late May as what appeared to be a routine data corruption fix.
At that time, no CVE identifier or public security advisory accompanied the patch. The vulnerability officially received CVE-2026-46331 after the fix was merged on June 16, 2026, and a weaponized proof-of-concept exploit became publicly available within 24 hours.
The rapid release of exploit code highlights the importance of applying kernel security updates promptly rather than waiting for vulnerability scanners to identify affected systems.
Final Thoughts
CVE-2026-46331 demonstrates once again how kernel page-cache corruption vulnerabilities can quickly evolve into practical privilege-escalation exploits. Organizations running Linux servers should prioritize kernel updates, review their use of unprivileged user namespaces, and disable unnecessary kernel modules to reduce exposure.
Given the availability of public exploit code, delaying patch deployment significantly increases the risk of compromise.
