A significant security flaw has been identified in the Linux kernel’s traffic-control subsystem, potentially allowing local, unprivileged users to gain root access on vulnerable systems. The flaw, designated CVE-2026-46331 and dubbed ‘pedit COW’, is an out-of-bounds write in the packet-editing action act_pedit that corrupts shared page-cache memory. It was publicly disclosed on June 16, 2026, and a working exploit quickly followed.
Understanding the Exploit
The exploit targets the in-memory, page-cached copy of a setuid root binary rather than the file on disk, so it bypasses file-integrity checks: the payload it injects into that cached copy runs with root privileges the next time the binary is executed. Two conditions must hold: the act_pedit module must be loadable, and unprivileged user namespaces must be enabled, since a user namespace is what gives an unprivileged attacker the CAP_NET_ADMIN capability needed to configure tc actions.
On systems such as RHEL and Debian, these conditions are typically met, so the exploit works as intended. The affected code is the pedit action of the Linux tc traffic-control facility, which rewrites packet headers. Because of incorrect range checks, the kernel writes to a shared page-cache page instead of to a private copy-on-write copy, which is where the corruption of the cached binary comes from.
Systems at Risk
Unprivileged-to-root exploitation has been reported on RHEL 10 and Debian 13 (trixie), with the latter’s default settings allowing such attacks. Although Ubuntu 24.04 still permits user namespaces, Ubuntu 26.04 blocks them by default, reducing the risk but not eliminating the underlying vulnerability.
Vendors have begun addressing this issue. Debian has patched the vulnerability in version 13, while versions 11 and 12 remain susceptible. Ubuntu’s releases from 18.04 to 26.04 are also vulnerable as of June 25, 2026. Red Hat acknowledges the flaw in RHEL 8, 9, and 10, though RHEL 7 is unaffected.
Mitigation and Future Steps
System administrators are advised to install the latest patched kernel and reboot affected systems, especially multi-user hosts or those exposed to potential threats. As an immediate mitigation, preventing the act_pedit module from loading blocks exploitation, at the cost of disabling tc packet editing. Alternatively, disabling unprivileged user namespaces removes the attacker’s route to CAP_NET_ADMIN, albeit at the cost of breaking some applications that rely on them.
Given the nature of the exploit, which targets cached memory, regular file-integrity checks might not detect it. Administrators should clear the page cache to remove any poisoned in-memory copies, although this does not resolve an already opened root shell. The fix for this vulnerability was publicly discussed in May, but the critical nature only became clear after the CVE assignment in June.
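As an added illustration (not part of the original article and not vendor-supplied tooling), the following POSIX shell script audits a host for the two preconditions described above, applies the interim mitigations, and evicts the page cache as recommended. The /proc/sys knobs and the modprobe.d `install` rule are standard Linux interfaces; the function names, the optional root prefix used for offline testing, and the drop-in file names under /etc are this example’s own choices.

```shell
#!/bin/sh
# Added example (not from the article): audit a host for the two 'pedit COW'
# preconditions -- act_pedit loadable and unprivileged user namespaces enabled --
# and apply the interim mitigations. Every function takes an optional root
# prefix so the logic can be exercised against a fake /proc and /etc tree.
set -u

# Print the trimmed contents of a sysctl-style file, or "missing" if absent.
read_knob() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        printf 'missing'
    fi
}

# Return 0 when an unprivileged user can create a user namespace (and so
# obtain CAP_NET_ADMIN inside it). Checks the Debian/Ubuntu knob, the Ubuntu
# AppArmor restriction, and the upstream namespace limit (0 disables them).
userns_enabled() {
    root="${1:-}"
    [ "$(read_knob "$root/proc/sys/kernel/unprivileged_userns_clone")" = "0" ] && return 1
    [ "$(read_knob "$root/proc/sys/kernel/apparmor_restrict_unprivileged_userns")" = "1" ] && return 1
    [ "$(read_knob "$root/proc/sys/user/max_user_namespaces")" = "0" ] && return 1
    return 0
}

# Return 0 when act_pedit is loaded now or can still be auto-loaded on demand.
pedit_loadable() {
    root="${1:-}"
    if grep -qs '^act_pedit ' "$root/proc/modules"; then
        return 0
    fi
    # An 'install act_pedit /bin/false' rule is what stops request_module();
    # a plain 'blacklist' line only affects alias-based autoloading.
    if grep -qsE '^[[:space:]]*install[[:space:]]+act_pedit([[:space:]]|$)' \
            "$root"/etc/modprobe.d/*.conf; then
        return 1
    fi
    # Module object present on disk: a tc request can still load it.
    if ls "$root"/lib/modules/*/kernel/net/sched/act_pedit.ko* >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Summarise exposure: "exposed" only when both preconditions hold.
assess() {
    root="${1:-}"
    if pedit_loadable "$root" && userns_enabled "$root"; then
        printf 'exposed\n'
    else
        printf 'mitigated\n'
    fi
}

# Interim mitigations from the article (requires root on a live host):
# block future act_pedit loads and turn off unprivileged user namespaces.
apply_mitigations() {
    root="${1:-}"
    mkdir -p "$root/etc/modprobe.d" "$root/etc/sysctl.d"
    printf 'install act_pedit /bin/false\n' > "$root/etc/modprobe.d/disable-act_pedit.conf"
    knob="$root/proc/sys/kernel/unprivileged_userns_clone"
    if [ -e "$knob" ]; then
        printf 'kernel.unprivileged_userns_clone = 0\n' > "$root/etc/sysctl.d/99-no-userns.conf"
        printf '0\n' > "$knob"
    else
        printf 'user.max_user_namespaces = 0\n' > "$root/etc/sysctl.d/99-no-userns.conf"
        printf '0\n' > "$root/proc/sys/user/max_user_namespaces"
    fi
    # A module that is already loaded must still be removed with rmmod act_pedit
    # (only possible when no tc filter references it).
}

# Evict clean file pages so a poisoned cached copy of a setuid binary is
# re-read from disk; this does nothing for a root shell already obtained.
drop_page_cache() {
    root="${1:-}"
    sync
    printf '3\n' > "$root/proc/sys/vm/drop_caches"
}

if [ "${1:-}" = "--check" ]; then
    assess ""
fi
```

Run it as `sh pedit-check.sh --check` on a live host to get a one-word verdict; `assess` reports "exposed" only when both preconditions hold, which mirrors the article’s statement that either mitigation alone is enough to stop the exploit. The `install … /bin/false` form is used deliberately, because a `blacklist` line does not stop the kernel’s own request_module() path from loading the module when a tc action asks for it.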
As this vulnerability highlights the need for rapid response and proactive security measures, organizations should remain vigilant and responsive to emerging threats to minimize potential impacts of similar exploits in the future.
