A significant security vulnerability has emerged in the Linux kernel, involving a Copy-on-Write (COW) page-cache corruption flaw combined with the act_pedit component in the net/sched subsystem. This exploit is enabling local attackers, without privileged access, to escalate their permissions to root access across multiple major Linux distributions.
Exploit Details and Impact
Named packet_edit_meme, this exploit was confirmed in June 2026 and affects both enterprise and consumer Linux kernels. The underlying issue is traced back to a partial-COW page-cache corruption bug introduced in kernel commit 899ee91156e5. This bug is present in kernel versions from v5.18 to v7.1-rc6 and was addressed in version v7.1-rc7. The vulnerability resides within the net/sched act_pedit subsystem, which is part of the Linux traffic control framework, allowing for traffic editing.
The exploit operates by initiating a user namespace child process endowed with CAP_NET_ADMIN capabilities. This is possible on systems where unprivileged user namespaces are enabled by default. Subsequently, the exploit uses the COW corruption to alter the page-cached ELF entry point of the setuid-root binary /bin/su, inserting shellcode that results in a root shell for the attacker.
Affected Systems and Distributions
This vulnerability marks the fourth recent privilege escalation issue reported within Linux systems. Verified tests indicate successful exploitation across various distributions, including RHEL 10.06, Debian 13, and specific Ubuntu versions. Notably, RHEL and Debian are highly susceptible due to their default settings that permit unprivileged user namespaces. In contrast, Ubuntu enforces restrictions through sysctls, limiting unprivileged user namespace creation, thereby reducing vulnerability.
However, the exploit can bypass these constraints on Ubuntu 24.04.4 using permissive profiles via aa-exec, though this route is blocked in Ubuntu 26.04 due to tightened security measures.
Mitigation Strategies
Red Hat has issued a security bulletin (RHSB-2026-008), urging administrators to promptly apply the necessary kernel patches. It is recommended to restrict the creation of unprivileged user namespaces where feasible, using sysctl, and to vigilantly monitor for any unusual aa-exec invocations or namespace activity.
Organizations running affected kernel versions between v5.18 and v7.1-rc6 should prioritize patching to protect against potential exploitation.
In conclusion, this exploit highlights the critical need for ongoing vigilance and timely updates to maintain system security in the face of evolving threats.
