Published on June 27, 2026

Critical Linux Kernel Flaw Allows Unprivileged Users to Gain Full Root Access


Severity

High

Detail

A newly disclosed Linux kernel vulnerability, tracked as CVE-2026-46331 and nicknamed “Pedit COW,” allows an unprivileged local user to escalate privileges and obtain full root access on affected Linux systems. The vulnerability affects the Linux kernel’s traffic-control subsystem, specifically the tcf_pedit_act() function within the act_pedit module. It impacts Linux kernel versions 5.18 through 7.1-rc7 and has been confirmed on multiple distributions, including RHEL 8, 9, and 10, Debian 11, 12, and 13, and Ubuntu 18.04 through 26.04. The risk increased significantly after a working proof-of-concept (PoC) exploit, packet_edit_meme, was publicly released on GitHub within 24 hours of the CVE being assigned, making exploitation considerably easier for attackers.

How?

The vulnerability is caused by an improper implementation of the Linux kernel’s Copy-on-Write (COW) mechanism inside the tcf_pedit_act() function. The kernel validates the writable memory range before runtime offsets are fully calculated, allowing write operations to extend beyond the intended private memory page. Attackers can exploit this flaw by creating an unprivileged user namespace to obtain namespace-local CAP_NET_ADMIN privileges, enabling them to configure traffic-control actions without requiring administrative access.

The exploit abuses the Copy-on-Write flaw to overwrite the in-memory page cache of privileged executables such as /bin/su with malicious shellcode. When the modified binary is executed, the injected code performs setgid(0), setuid(0), and execve("/bin/sh"), resulting in a root shell.

Because the attack modifies only the cached in-memory executable and leaves the on-disk binary unchanged, traditional file integrity monitoring solutions are unable to detect the compromise.

Recommendation

Organizations should implement the following measures to mitigate the risk of CVE-2026-46331:

  • Apply the latest Linux kernel security updates provided by your operating system vendor and reboot affected systems immediately, as patching is the only complete remediation.
  • Prioritize patching multi-user systems, Kubernetes worker nodes, CI/CD runners, shared development environments, and other systems where local users can execute code.
  • Disable the act_pedit kernel module wherever it is not required; with the module unavailable, the vulnerable traffic-control functionality cannot be reached.
  • Disable unprivileged user namespaces (user.max_user_namespaces=0 on RHEL or kernel.unprivileged_userns_clone=0 on Debian and Ubuntu) where operationally feasible, understanding that this may impact rootless containers and browser sandboxing.
  • Monitor for suspicious use of traffic-control (tc) commands, unexpected namespace creation, and privilege escalation activity.
  • Treat any system suspected of exploitation as fully compromised, since the attack operates entirely in memory and may evade traditional file integrity monitoring and forensic tools.
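The following POSIX shell helper turns the hardening and monitoring items above into files an administrator can review and deploy. It is an added example and not part of the advisory or its source article; the drop-in file names, the /usr/sbin/tc path, the audit key names and the choice of auditd as the monitoring tool are assumptions made here. The sysctl keys, the module name and the distribution families come from the advisory.

```shell
#!/bin/sh
# Hardening and detection helpers for CVE-2026-46331 ("Pedit COW").
# Added example, not from the advisory. Drop-in file names, the /usr/sbin/tc
# path and the audit key names are assumptions chosen here.

# Print the modprobe drop-in that keeps act_pedit from being loaded.
# "install ... /bin/false" blocks explicit and automatic loads; "blacklist"
# additionally stops alias-based autoloading.
pedit_cow_modprobe_conf() {
    printf '%s\n' 'install act_pedit /bin/false' 'blacklist act_pedit'
}

# Print the sysctl drop-in that disables unprivileged user namespaces for a
# distro family: "rhel" or "debian" (Debian/Ubuntu), as named in the advisory.
pedit_cow_sysctl_conf() {
    case "$1" in
        rhel)   printf '%s\n' 'user.max_user_namespaces = 0' ;;
        debian) printf '%s\n' 'kernel.unprivileged_userns_clone = 0' ;;
        *)      echo "unknown distro family: $1" >&2; return 1 ;;
    esac
}

# Print auditd rules for the activity the advisory says to monitor:
# tc(8) executions and user-namespace creation through unshare(2).
pedit_cow_audit_rules() {
    printf '%s\n' '-w /usr/sbin/tc -p x -k pedit_cow_tc'
    printf '%s\n' '-a always,exit -F arch=b64 -S unshare -k pedit_cow_userns'
    printf '%s\n' '-a always,exit -F arch=b32 -S unshare -k pedit_cow_userns'
}

# Exit 0 if act_pedit is present in lsmod-style output read from stdin.
act_pedit_loaded() {
    awk '$1 == "act_pedit" { found = 1 } END { exit !found }'
}

# Write all three drop-ins under $1 (use "/" for a live system) for distro
# family $2. Nothing is reloaded here; after writing, the operator runs
# "sysctl --system", "modprobe -r act_pedit" and "augenrules --load", then
# applies the vendor kernel update and reboots, which is the only full fix.
pedit_cow_install() {
    root=$1; family=$2
    mkdir -p "$root/etc/modprobe.d" "$root/etc/sysctl.d" "$root/etc/audit/rules.d"
    pedit_cow_modprobe_conf > "$root/etc/modprobe.d/pedit-cow.conf"
    pedit_cow_sysctl_conf "$family" > "$root/etc/sysctl.d/99-pedit-cow.conf"
    pedit_cow_audit_rules > "$root/etc/audit/rules.d/pedit-cow.rules"
}

# Report the live state of this host: exits 1 if act_pedit is loaded.
pedit_cow_status() {
    if lsmod 2>/dev/null | act_pedit_loaded; then
        echo "act_pedit is loaded: unload it (modprobe -r act_pedit) and patch"
        return 1
    fi
    echo "act_pedit is not loaded"
}

# Usage: sh pedit-cow.sh <root-prefix> <rhel|debian>
if [ "$#" -ge 2 ]; then
    pedit_cow_install "$1" "$2"
    pedit_cow_status
fi
```

Writing into a staging prefix (for example a temporary directory) first lets the files be inspected and checked into configuration management before they reach a live system; the audit rules only log the activity and do not block it, so alerts on the two keys still need to be routed to whoever triages privilege-escalation events.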

Source

https://gbhackers.com/critical-linux-kernel-flaw-2/