Linux Pedit COW Vulnerability Allows Local Users To Gain Root Access Through Cached Binary Poisoning

A newly disclosed vulnerability in the Linux kernel has raised concerns after researchers demonstrated that it allows an unprivileged local user to obtain root-level access by exploiting a flaw in the operating system’s traffic control subsystem. The vulnerability, tracked as CVE-2026-46331 and nicknamed Pedit COW, affects the packet editing action known as act_pedit and enables attackers to corrupt shared page cache memory. Shortly after the vulnerability received its CVE designation on June 16, a fully functional proof-of-concept exploit was released publicly. Red Hat has classified the issue as an important security vulnerability because of its potential impact on affected systems.

Unlike many privilege escalation attacks that modify files stored on disk, this exploit targets only the cached copy of a privileged binary held in memory. Researchers demonstrated that the exploit can poison the in-memory version of the setuid-root binary at /bin/su, inject a malicious payload into the cached image, and execute it with root privileges. Because the original file on disk remains untouched, traditional file integrity verification tools continue to report that the binary is unchanged even though an attacker has already gained administrative access.
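The paragraph above describes the detection gap: the poisoned bytes live only in the page cache, so a tool that hashes the file through an ordinary buffered read sees the cached image while the bytes on disk are still pristine. One way a defender can surface that split, as an added example that is not code from the article or from the researchers it cites, is to hash the same file twice: once through a normal read (served from the page cache) and once through an O_DIRECT read (`dd iflag=direct`, which bypasses the cache and returns what is actually on disk). The two hashes disagree only when the cached copy has diverged from the on-disk copy, which is the condition the article describes. It assumes GNU `dd` and `sha256sum`, and treats filesystems that refuse O_DIRECT (tmpfs, for example) as "unsupported" rather than as a finding.

```shell
#!/bin/sh
# Added example, not from the article. Compare the page-cache view of a file
# with its on-disk view. A buffered read is served from the page cache, so a
# poisoned cached image shows up there; an O_DIRECT read bypasses the cache
# and returns the bytes on disk. A mismatch means the cached copy was altered
# while the file on disk was not.

# Usage: pagecache_vs_disk FILE
# Echoes "match", "MISMATCH", "unsupported" or "unreadable"; returns 0/1/2/3.
pagecache_vs_disk() {
    f=$1
    { [ -f "$f" ] && [ -r "$f" ]; } || { echo unreadable; return 3; }

    # Hash of the page-cache view (ordinary buffered read).
    cached=$(sha256sum < "$f" | cut -d' ' -f1)

    # Hash of the on-disk view. dd is run to a temp file rather than in a
    # pipeline because POSIX sh only reports the last pipeline element's
    # status, and we need to know whether the direct read itself failed.
    # O_DIRECT needs block-aligned I/O, which bs=4096 satisfies.
    tmp=$(mktemp) || { echo unsupported; return 2; }
    if ! dd if="$f" of="$tmp" bs=4096 iflag=direct 2>/dev/null; then
        rm -f "$tmp"
        echo unsupported
        return 2
    fi
    direct=$(sha256sum < "$tmp" | cut -d' ' -f1)
    rm -f "$tmp"

    if [ "$cached" = "$direct" ]; then
        echo match
        return 0
    fi
    echo MISMATCH
    return 1
}

# Check each named file and print one line per file; exit non-zero if any
# cached copy disagrees with its on-disk copy.
check_files() {
    rc=0
    for f in "$@"; do
        r=$(pagecache_vs_disk "$f") || true
        printf '%s\t%s\n' "$r" "$f"
        [ "$r" = MISMATCH ] && rc=1
    done
    return "$rc"
}

# When run directly with arguments, e.g. `./pagecache_check.sh /bin/su`,
# check those files; with no arguments the functions are only defined.
[ $# -gt 0 ] && check_files "$@"
```

Run it against the setuid binaries you care about (the article's example is `/bin/su`); a `MISMATCH` line is the signal that ordinary integrity scanners miss. The check only sees what is currently cached, so, as the article notes about clearing the page cache, a clean result after a reboot or cache drop says nothing about whether a root shell was already obtained.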

Researchers explained that successful exploitation requires two specific conditions. First, the act_pedit module must be available on the target system. Second, unprivileged user namespaces must be enabled, allowing an attacker to obtain the namespace-local CAP_NET_ADMIN capability required to trigger the flaw. During testing, both conditions were present on Red Hat Enterprise Linux and Debian systems.

The vulnerability exists because the Linux traffic control utility known as tc uses an action called pedit to rewrite packet headers while traffic is processed. Inside the kernel, the responsible function is expected to follow a copy-on-write process by creating a private copy of memory before making modifications. However, the kernel validates the writable memory range before the final editing offsets are calculated. Some packet editing keys determine their offsets only at runtime, allowing writes to land outside the intended private memory region. Instead of modifying a private copy, the kernel alters a shared page cache page. If that page belongs to a cached executable, the in-memory version of the file becomes corrupted while the version stored on disk remains unchanged. Researchers noted that this behavior resembles previous Linux kernel vulnerabilities including Dirty Pipe, Copy Fail, DirtyClone, and Dirty Frag, all of which exploited situations where shared page cache memory was modified improperly.

Testing confirmed successful privilege escalation on Red Hat Enterprise Linux 10 and Debian 13 because both distributions enable unprivileged user namespaces by default. Ubuntu 24.04 was also found to be exploitable by routing execution through AppArmor profiles that still allow user namespaces. Ubuntu 26.04 blocks this specific exploitation path because its updated AppArmor profiles restrict unprivileged user namespaces by default, although researchers emphasized that the underlying kernel vulnerability still exists. Security updates have already been released for Debian 13 through its security channel, while Debian 11 and Debian 12 continue to be listed as vulnerable. Ubuntu currently lists supported versions from 18.04 through 26.04 as affected, and Red Hat has confirmed that Enterprise Linux versions 8, 9, and 10 are vulnerable. Enterprise Linux 7 is not included in the affected product list. Security experts recommend installing the latest patched kernel and rebooting affected systems as the primary mitigation. Priority should be given to environments where local users cannot automatically be considered trusted, including multi-tenant servers, Kubernetes nodes, continuous integration and deployment platforms, shared laboratory environments, research systems, and build servers.

For organizations that cannot immediately apply updates, researchers recommend disabling the act_pedit module on systems where packet editing rules are not required, or turning off unprivileged user namespaces to prevent attackers from obtaining the networking capability used during exploitation. Administrators are advised to evaluate these mitigations carefully because disabling user namespaces may interrupt rootless containers, browser sandboxing features, and certain continuous integration environments. Researchers also warned that clearing the page cache removes the poisoned in-memory copy of the affected binary but does not eliminate any root shell already created by the attacker, meaning compromised systems should be treated as fully breached.

The kernel patch addressing the flaw was originally submitted to the Linux networking development community during late May as what appeared to be a routine data corruption fix. The security implications were not widely recognized until the vulnerability received its official CVE identifier on June 16, followed by the publication of a working exploit within a single day. Security researchers noted that the rapid development of weaponized exploits for kernel page cache vulnerabilities highlights the importance of promptly reviewing kernel updates rather than relying solely on vulnerability scanners or delayed security advisories.
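The two preconditions listed earlier (act_pedit available, unprivileged user namespaces enabled) and the two interim mitigations recommended here are two sides of the same check, so one script covers both. The following is an added example, not code from the article or from the researchers it cites: it audits whether a host currently meets both preconditions and writes the corresponding drop-in configuration (a modprobe rule that refuses to load act_pedit, and a sysctl that sets the user-namespace limit to zero). The sysctl and modprobe mechanisms are standard kernel and module-loader knobs that the article does not name, so their use here is this example's choice: `user.max_user_namespaces` is the upstream control, while `kernel.unprivileged_userns_clone` (Debian) and `kernel.apparmor_restrict_unprivileged_userns` (Ubuntu 24.04 and later) are distribution-specific and are only consulted when present. The example assumes act_pedit is built as a loadable module; a modprobe rule cannot disable it when it is compiled into the kernel. Files are written under a prefix directory so the configuration can be generated and reviewed without root before being installed under `/`.

```shell
#!/bin/sh
# Added example, not from the article. Audits the two exploitation
# preconditions the article names and writes the interim mitigations it
# recommends as drop-in config files under a prefix directory.

# Is act_pedit loaded, compiled in, loadable, or absent on this kernel?
act_pedit_status() {
    [ -d /sys/module/act_pedit ] && { echo loaded; return; }
    if grep -qs 'act_pedit\.ko' "/lib/modules/$(uname -r)/modules.builtin"; then
        echo builtin; return
    fi
    if modinfo act_pedit >/dev/null 2>&1; then
        echo loadable
    else
        echo absent
    fi
}

# Can an unprivileged user create a user namespace (and so gain the
# namespace-local CAP_NET_ADMIN the exploit needs)?
# Echoes enabled / disabled / restricted / unknown.
userns_status() {
    # Upstream limit: 0 means no user namespaces can be created at all.
    max=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null) || { echo unknown; return; }
    [ "$max" -eq 0 ] 2>/dev/null && { echo disabled; return; }
    # Debian kernels carry an extra switch that blocks only unprivileged users.
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ] &&
       [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = 0 ]; then
        echo disabled; return
    fi
    # Ubuntu 24.04+ gates unprivileged userns through AppArmor. The article
    # notes this still leaves a path on 24.04 via profiles that permit
    # userns, so report it as "restricted", not "disabled".
    if [ -r /proc/sys/kernel/apparmor_restrict_unprivileged_userns ] &&
       [ "$(cat /proc/sys/kernel/apparmor_restrict_unprivileged_userns)" = 1 ]; then
        echo restricted; return
    fi
    echo enabled
}

# Pure verdict from the two statuses: exposed only when both preconditions
# hold. Usage: exposure_verdict MODULE_STATUS USERNS_STATUS
exposure_verdict() {
    case "$1:$2" in
        absent:*|*:disabled)                              echo mitigated ;;
        *:restricted)                                     echo partially-mitigated ;;
        loaded:enabled|builtin:enabled|loadable:enabled)  echo exposed ;;
        *)                                                echo unknown ;;
    esac
}

# Write the interim mitigations under PREFIX (use "/" on a real host, as
# root, then `sysctl --system` and `rmmod act_pedit` if it is loaded).
write_mitigations() {
    prefix=$1
    mkdir -p "$prefix/etc/modprobe.d" "$prefix/etc/sysctl.d"
    # 'install ... /bin/false' defeats explicit loads; 'blacklist' stops
    # alias-driven autoload. Neither helps if act_pedit is built in.
    cat > "$prefix/etc/modprobe.d/disable-act_pedit.conf" <<'EOF'
install act_pedit /bin/false
blacklist act_pedit
EOF
    # Setting the upstream limit to 0 stops all user-namespace creation,
    # which is why the article warns about rootless containers, browser
    # sandboxes and some CI runners. On Debian/Ubuntu kernels,
    # kernel.unprivileged_userns_clone = 0 is the narrower alternative.
    cat > "$prefix/etc/sysctl.d/99-disable-unpriv-userns.conf" <<'EOF'
user.max_user_namespaces = 0
EOF
}

# Report the current host's standing when run directly.
report() {
    m=$(act_pedit_status)
    u=$(userns_status)
    printf 'act_pedit=%s userns=%s verdict=%s\n' "$m" "$u" "$(exposure_verdict "$m" "$u")"
}
```

A verdict of `exposed` means both article preconditions hold and the host should be patched and rebooted first; `mitigated` means one precondition is already closed, which reduces the attack surface but, as the article stresses, does not remove the kernel bug itself. Review the generated files in the prefix directory before installing them, since the namespace limit is the setting that breaks rootless containers.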
