Mallory
Severity: Unrated | Public exploit

pedit COW local privilege escalation in Linux kernel act_pedit

Identifiers: CVE-2026-46331, CWE-787

CVE-2026-46331 is a local privilege escalation vulnerability in the Linux kernel traffic-control subsystem, specifically in net/sched act_pedit and the function tcf_pedit_act(). The bug arises from incorrect copy-on-write handling when editing packet data: tcf_pedit_act() computes the writable/COW range for skb_ensure_writable() once before iterating over edit keys, using tcfp_off_max_hint, but that hint does not include the runtime header offset added by typed keys. As a result, part of the eventual write region may remain outside the privately copied area. When a key's actual runtime-resolved offset extends beyond the precomputed writable range, the kernel can perform an out-of-bounds write into shared page-cache-backed memory, causing page cache corruption. The upstream fix moves skb_ensure_writable() into the per-key loop so the actual write offset is known for each edit, adds overflow checks on offset arithmetic, uses skb_cow() for negative offsets that target headroom, and hardens offset_valid() against INT_MIN negation. Public reporting describes this issue as 'pedit COW' and notes that it was introduced by commit 899ee91156e5, present from Linux kernel 5.18 and fixed upstream in 7.1-rc7.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow a local unprivileged attacker to corrupt shared page-cache memory and achieve root privilege escalation. Public exploit reporting states that an attacker can poison the cached in-memory image of a setuid-root binary such as /bin/su without modifying the file on disk, then execute the corrupted cached image to obtain a root shell. Because the disk file is unchanged, file-integrity monitoring may not detect the compromise. In addition to privilege escalation, the underlying memory corruption can affect kernel and system integrity and may also cause instability or denial of service depending on the target and corruption outcome.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exploitability by preventing use of the vulnerable act_pedit functionality and by disabling or restricting unprivileged user namespaces. The cited reporting specifically notes that exploitation requires act_pedit to be loadable and unprivileged user namespaces to be enabled, so that an attacker can obtain namespace-local CAP_NET_ADMIN. Operationally, block or unload the act_pedit module where feasible, restrict access to traffic-control features, and disable unprivileged user namespace creation if compatible with system requirements. Because exploitation may poison only the page cache and leave on-disk binaries unchanged, any system suspected of exploitation should be treated as compromised and investigated accordingly.
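The following script is an added example (not code from this page, the kernel project, or the exploit repository) that audits and, when run as root with "apply", writes the two stop-gap mitigations named above. It assumes the standard /proc/sys, /etc/modprobe.d and /etc/sysctl.d locations; the drop-in file name 99-cve-2026-46331.conf is our own choice.

```shell
#!/bin/sh
# Added example: check and apply the act_pedit and user-namespace mitigations.

# Return 0 if tc cannot autoload act_pedit. A "blacklist" line is not enough:
# the kernel's request_module() calls modprobe by explicit module name, which
# blacklist does not stop, so only an "install act_pedit /bin/false" rule counts.
act_pedit_blocked() {
  dir="${1:-/etc/modprobe.d}"
  grep -qsE '^[[:space:]]*install[[:space:]]+act_pedit[[:space:]]+/bin/(false|true)' "$dir"/*.conf
}

# Return 0 if unprivileged users cannot create user namespaces, checking the
# portable user.max_user_namespaces knob first and then the Debian/Ubuntu-only
# kernel.unprivileged_userns_clone knob (absent on upstream kernels).
userns_restricted() {
  root="${1:-/proc/sys}"
  max="$(cat "$root/user/max_user_namespaces" 2>/dev/null)"
  [ "${max:-1}" -eq 0 ] && return 0
  clone="$(cat "$root/kernel/unprivileged_userns_clone" 2>/dev/null)"
  [ "${clone:-1}" -eq 0 ]
}

# Print one status line per mitigation; return 0 only if both are in place.
mitigation_status() {
  rc=0
  if act_pedit_blocked "$1"; then echo "act_pedit: blocked"; else echo "act_pedit: loadable"; rc=1; fi
  if userns_restricted "$2"; then echo "userns: restricted"; else echo "userns: unprivileged creation allowed"; rc=1; fi
  return $rc
}

# Write the drop-in files (root is needed for the real locations). The sysctl
# takes effect after "sysctl --system"; the modprobe rule stops future loads
# but does not unload a module that is already loaded (use "rmmod act_pedit").
write_mitigation_config() {
  modprobe_dir="${1:-/etc/modprobe.d}"
  sysctl_dir="${2:-/etc/sysctl.d}"
  mkdir -p "$modprobe_dir" "$sysctl_dir"
  printf 'install act_pedit /bin/false\n' > "$modprobe_dir/99-cve-2026-46331.conf"
  printf 'user.max_user_namespaces = 0\n' > "$sysctl_dir/99-cve-2026-46331.conf"
}

case "${1:-}" in
  status) mitigation_status ;;
  apply)  write_mitigation_config && mitigation_status ;;
esac
```

Setting user.max_user_namespaces to 0 also breaks legitimate users of unprivileged namespaces (rootless containers, some browser sandboxes), so confirm compatibility before applying it fleet-wide.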

Remediation

Patch, then assume compromise.

Upgrade to a Linux kernel release containing the upstream fix for CVE-2026-46331. The fix changes act_pedit/tcf_pedit_act() to extend the writable skb range per key, performs overflow checking on offset arithmetic, uses skb_cow() for negative offsets affecting headroom, and guards offset_valid() against INT_MIN. The cited reporting states the issue is present from 5.18 and fixed upstream in 7.1-rc7. Distribution-specific remediation consists of installing vendor kernel updates; for Debian trixie, the cited advisory indicates upgrading the linux package to 6.12.94-1 or a later fixed version. A reboot into the patched kernel is required after installation.
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

VALID 1 / 1 TOTAL

packet_edit_meme (Maturity: PoC, Verified exploit)

Repository contains a standalone local Linux privilege-escalation exploit for CVE-2026-46331 plus a reusable primitive and a verification harness. Structure:

(1) pedit_primitive.c/.h implement the core page-cache overwrite primitive by configuring tc/netlink state on the loopback interface and abusing net/sched act_pedit to write beyond a stale COW range into page-cache-backed data sent via sendfile; setup() prepares loopback networking, opens a local TCP listener on 127.0.0.1:4445, and calibrates the file-offset delta using /tmp/.pedit_calib. api_fd_write() exposes the primitive as bounded 4-byte-slot writes to an arbitrary file descriptor, including O_RDONLY descriptors.

(2) test_cve.c is a non-privilege-escalation testcase that creates /tmp/cve_target, reopens it read-only, performs 10 overwrite attempts at varying offsets/sizes, and verifies that the page cache changed despite only holding an O_RDONLY fd.

(3) packet_edit_meme.c weaponizes the primitive into unprivileged local root: it locates a setuid-root su binary, parses ELF headers to find the executable entry-point file offset, forks a child that unshares user and network namespaces, maps itself to uid/gid 0 inside the namespace, calls setup(), and writes x86_64 shellcode over the cached su entry point. The parent then execves su from the initial namespace, causing the setuid-root binary to execute the injected shellcode and spawn an interactive root /bin/sh. Ubuntu-specific logic optionally re-execs through aa-exec with profiles trinity/chrome/flatpak to bypass AppArmor userns restrictions.

Overall, this is a real exploit repository, not just a detector: it provides both a generic arbitrary page-cache overwrite primitive and an operational local root exploit payload.

Author: sgkdev. Disclosed Jun 17, 2026. Build: cmakefile. Attack vector: local.
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor       | Product      | Type
Linux        | Linux Kernel | operating_system
Rocky Linux  | Kernel       | operating_system
Rocky Linux  | Kernel-Rt    | operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
