Linux pedit COW CVE-2026-46331 local privilege escalation

Summary

CVE-2026-46331, nicknamed pedit COW in public reporting, is a Linux kernel local privilege-escalation flaw in the traffic-control packet-editing action (act_pedit). Red Hat describes it as a missing bounds check that permits an out-of-bounds write and page-cache memory corruption; a local user can exploit the flaw to gain root on affected systems when the vulnerable module and namespace/networking preconditions are reachable.

The issue is closely related in defender impact to the DirtyFrag / DirtyClone class: the exploit primitive corrupts cached memory rather than cleanly modifying files on disk, so file-integrity checks may miss a successful root transition. Public reporting says a working exploit appeared shortly after CVE assignment in mid-June 2026.

Why this matters

  • This is a post-compromise root path for shared Linux hosts, developer workstations, CI runners, Kubernetes/container hosts, and multi-user research/HPC systems.
  • Exploitation can poison cached copies of privileged binaries in memory, so a clean file hash on disk does not rule out compromise.
  • The preconditions overlap common container and sandbox configurations: unprivileged user namespaces can let an unprivileged local user obtain namespace-local CAP_NET_ADMIN, which is enough to exercise traffic-control code paths.
  • Red Hat lists RHEL 8, 9, 10, RHEL for NVIDIA, and downstream products using the RHEL kernel as affected; Ubuntu marked multiple maintained linux releases vulnerable as of its June 25 CVE page update.

Public vulnerability detail

  • CVE: CVE-2026-46331.
  • Kernel subsystem: net/sched traffic control, specifically act_pedit / tcf_pedit_act().
  • Bug class: partial Copy-on-Write / bounds-check failure leading to page-cache corruption.
  • Impact: local privilege escalation to root.
  • Red Hat severity: Important.
  • Ubuntu priority: Medium as of June 25, 2026.
  • Patch detail from Ubuntu: introduced by kernel commit 8b79647; fixed by 899ee91 / mainline commit 899ee91156e57784090c5565e4f31bd7dbffbc5a in the 7.1-rc7 line.
  • Mitigation from Red Hat: blacklist the act_pedit module if traffic-control pedit rules are not required.

Attack shape

  1. Attacker obtains local code execution as a low-privileged user or workload.
  2. The system permits a path to traffic-control operations, commonly through unprivileged user namespaces that provide namespace-local CAP_NET_ADMIN.
  3. The attacker triggers the act_pedit out-of-bounds write to corrupt shared page-cache memory.
  4. Public exploit reporting describes poisoning the cached copy of a setuid-root binary such as /bin/su, then executing the altered in-memory image to gain root.
  5. On-disk file checks remain clean because the exploit targets cached memory, not a normal file write.

Defender heuristics

  1. Patch and reboot affected kernels, prioritizing container hosts, CI runners, developer workstations, jump hosts, shared research systems, and any host that runs untrusted local workloads.
  2. Confirm the running kernel includes the distribution backport for CVE-2026-46331; do not rely only on installed package inventory.
  3. If patching is delayed and business impact permits, block act_pedit autoloading. Red Hat suggests echo "blacklist act_pedit" > /etc/modprobe.d/blacklist-act-pedit.conf, after verifying tc pedit rules are not required.
  4. Evaluate temporary restriction of unprivileged user namespaces (kernel.unprivileged_userns_clone=0 on Debian/Ubuntu-family systems, user.max_user_namespaces=0 on RHEL-family systems) where compatible with rootless containers, browser sandboxes, and CI workloads.
  5. Hunt for unexpected tc, ip netns, unshare, namespace creation, act_pedit module loads, and local-root transitions from CI, web, notebook, container, or developer accounts.
  6. Treat a suspected exploit as host-root compromise even if /bin/su or other setuid files hash clean. Preserve volatile process, module, namespace, audit, and container-runtime evidence before rebooting where incident response requirements allow.
  7. Rotate secrets exposed to workloads on affected hosts after containment, especially CI tokens, cloud credentials, Kubernetes service-account tokens, and SSH material.
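
The following triage script for heuristics 3 and 4 is an added example, not code from Red Hat, Ubuntu, or the original page. The function names, verdict strings, and extra modprobe.d search paths are assumptions of this example; it reports whether act_pedit is loaded or blocked and whether unprivileged user namespaces are restricted, and it does not verify that the kernel is patched.

```sh
#!/bin/sh
# Added example (not vendor code): triage of the act_pedit mitigations above.
# It does NOT prove the kernel is patched; confirm the backport separately.
# Paths are parameters so a mounted image or a test fixture can be checked.

# Succeeds if act_pedit is resident now (blocking autoload will not unload it).
pedit_loaded() {
    grep -q '^act_pedit ' "${1:-/proc/modules}" 2>/dev/null
}

# Succeeds if any given modprobe.d directory blocks act_pedit autoloading.
# Accepts the blacklist line quoted on the page, plus an "install ... /bin/false"
# override (a standard modprobe.d directive, treated as equivalent here).
pedit_blocked() {
    [ $# -gt 0 ] || set -- /etc/modprobe.d /run/modprobe.d /usr/lib/modprobe.d
    re='^[[:space:]]*(blacklist[[:space:]]+act[-_]pedit|install[[:space:]]+act[-_]pedit[[:space:]]+/bin/(false|true))[[:space:]]*$'
    for d in "$@"; do
        # Commented-out lines do not match; -s hides "no such file" noise.
        grep -Eqs "$re" "$d"/*.conf && return 0
    done
    return 1
}

# Succeeds if either user-namespace sysctl named on the page is set to 0.
userns_restricted() {
    clone=$(cat "$1/kernel/unprivileged_userns_clone" 2>/dev/null || true)
    max=$(cat "$1/user/max_user_namespaces" 2>/dev/null || true)
    [ "$clone" = 0 ] || [ "$max" = 0 ]
}

# pedit_exposure [modules_file] [sysctl_root] [modprobe_dir...]
# Prints one verdict: LOADED, BLOCKED, USERNS_RESTRICTED or REACHABLE.
pedit_exposure() {
    mods="${1:-/proc/modules}"; sys="${2:-/proc/sys}"
    if [ $# -ge 2 ]; then shift 2; else shift $#; fi
    if pedit_loaded "$mods"; then echo LOADED
    elif pedit_blocked "$@"; then echo BLOCKED
    elif userns_restricted "$sys"; then echo USERNS_RESTRICTED
    else echo REACHABLE
    fi
}

# With no arguments this inspects the live host.
pedit_exposure "$@"
```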

Sources

  • Red Hat security bulletin RHSB-2026-008: https://access.redhat.com/security/vulnerabilities/RHSB-2026-008
  • Ubuntu CVE page: https://ubuntu.com/security/CVE-2026-46331
  • Debian security tracker: https://security-tracker.debian.org/tracker/CVE-2026-46331
  • NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-46331
  • The Hacker News: https://thehackernews.com/2026/06/new-linux-pedit-cow-exploit-enables.html