CVE-2026-46331

Published Jun 16, 2026

Last updated 16 hours ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-46331, dubbed "pedit COW," is a local privilege escalation vulnerability found within the Linux kernel's traffic-control subsystem, specifically affecting the `act_pedit` packet-editing action. The flaw stems from a "partial Copy-on-Write (COW)" failure where the `tcf_pedit_act()` function incorrectly calculates the writable range. It computes this range before accounting for runtime header offsets introduced by typed keys, leading to an out-of-bounds write that corrupts shared page-cache memory. Exploitation of this vulnerability allows a local unprivileged user to gain root access on affected systems. Attackers can achieve this by poisoning the cached copy of a setuid root binary, such as `/bin/su`, in memory. They inject a malicious payload into this cached image, which then executes with root privileges when the binary is invoked, all while leaving the on-disk file integrity checks undisturbed. Successful exploitation typically requires `act_pedit` to be loadable and unprivileged user namespaces to be enabled, granting the necessary `CAP_NET_ADMIN` capability.

Description
In the Linux kernel, the following vulnerability has been resolved: net/sched: fix pedit partial COW leading to page cache corruption tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account for the runtime header offset added by typed keys. This can leave part of the write region un-COW'd. Fix by moving skb_ensure_writable() inside the per-key loop where the actual write offset is known, and add overflow checking on the offset arithmetic. For negative offsets (e.g. Ethernet header edits at ingress), use skb_cow() to COW the headroom instead. Guard offset_valid() against INT_MIN, where negation is undefined.
Source
416baaa9-dc9f-4396-8d5f-8c081fb06d67
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.8
Impact score
5.9
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-190
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
CWE-787

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

8

  1. Tails 7.9.1 is out: https://t.co/1TZmZC8BtT It fixes CVE-2026-43503 (*DirtyClone*) and CVE-2026-46331 (*PACKET_EDIT_MEME*).

    @Tails_live

    1 Jul 2026

    4331 Impressions

    22 Retweets

    84 Likes

    5 Bookmarks

    2 Replies

    1 Quote

  2. Thread — CVE-2026-46331 "pedit COW" 🔴 1. 🧵Imagine leaving your house, locking the door — but someone already swapped your key while you slept. No forced entry. No alarm. That's CVE-2026-46331. - A Linux flaw that gives attackers root access without breaking a single lo

    @Nu11Sector

    29 Jun 2026

    87 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  3. CISO Daily Briefing: Amazon Q Developer CVE-2026-12957 (CVSS 8.5) — MCP auto-execution, no user interaction required, Miasma worm across 73 GitHub repos; Linux LPEs CVE-2026-46331 + CVE-2026-43503 bypass file integrity monitoring entirely in memory. Fable 5/Mythos 5 suspended f

    @cloudsa

    28 Jun 2026

    428 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  4. Open-source defensive toolkit against #DirtyClone (CVE-2026-43503) and #peditCOW (CVE-2026-46331). While patching remains the ultimate solution, this toolkit helps you close the gap while you patch. https://t.co/2ETRhoK5oU

    @douglasmun

    28 Jun 2026

    234 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. 1/3 A new Linux kernel exploit nicknamed pedit COW lets a local unprivileged user gain root. CVE-2026-46331 is an out-of-bounds write in act_pedit that corrupts shared page-cache memory. A working exploit appeared within a day. #CVE #Linux #PrivEsc #cybersecurity

    @CyberTLDR

    27 Jun 2026

    42 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  6. Linux kernel flaw CVE-2026-46331 allows local users to gain root access, Red Hat rates it as severe, can you trust your Linux systems to be secure after June 16? #LinuxSecurity #CVE #RootAccess Source: New Linux pedit COW Exploit Enables Root Access by Poisoning Cached Binaries

    @Soemailsecurity

    27 Jun 2026

    40 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  7. pedit COW (CVE-2026-46331) is a Linux kernel flaw that lets unprivileged users gain root via page cache corruption.Patch now or disable act_pedit. For More: https://t.co/BqDkEZ4lVS #peditCOW #CVE #LinuxKernel #PrivilegeEscalation #RootAccess #CyberSecurity #Linux #InfoSec #RHEL

    @redsecuretech

    27 Jun 2026

    43 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  8. CVE-2026-46331 CVE-2026-43503 アルマリナックス対応済み

    @hacker_infra

    26 Jun 2026

    206 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.