A Linux kernel bug corrupts the page cache of setuid binaries such as /bin/su without touching disk, bypassing all integrity checks.

On June 16, 2026, CVE-2026-46331 was assigned to a vulnerability in the Linux kernel's traffic-control subsystem. Within 24 hours, a public, working exploit demonstrated root escalation by corrupting the in-memory copy of /bin/su, leaving no trace on disk. The fix had been posted in late May on the netdev mailing list as a routine anti-data-corruption patch, without a CVE or security advisory.

Key Takeaways
  • CVE-2026-46331 is an out-of-bounds write in act_pedit: a flaw in the copy-on-write range calculation lets the action write into the shared page cache instead of a private copy.
  • The exploit poisons the in-memory copy of setuid binaries such as /bin/su: on-disk integrity checks come back clean while a root shell is already open.
  • Exploitation requires act_pedit to be loadable and unprivileged user namespaces to be enabled, which is the default on RHEL 10 and Debian 13 (trixie).
  • The fix landed on the netdev mailing list in late May 2026 without a security classification, leaving the exploitable detail public for weeks.

How the pedit Engine Bug Works

The tcf_pedit_act() function in the Linux kernel's traffic-control subsystem calculates the copy-on-write (COW) range once, before the loop that processes individual packet-modification keys. This calculation uses tcfp_off_max_hint, an estimated maximum value that does not include the runtime header offset added by "typed" keys.

When the actual write offset exceeds the pre-calculated COW range, the kernel writes directly to the shared page cache instead of a private buffer copy. According to the CVE-2026-46331 record published by NVD, this leaves part of the write region "un-COW'd" — modifiable on pages shared across multiple processes.

The fix, as documented in the NVD record, moves skb_ensure_writable() inside the per-key loop where the actual offset is known, adding an overflow check. Before this change, the pre-calculation made the bug deterministic and reproducible for an attacker controlling tc rule parameters.

From Silent Patch to Exploit in 24 Hours

The timeline reveals a critical gap in kernel security coordination. In late May 2026, the fix was submitted to the netdev mailing list framed as a "routine data-corruption patch", a description that masked its exploitable nature. The technical detail — a runtime offset exceeding the COW range — remained public for weeks without a CVE or advisory.

"The fix landed on the netdev mailing list in late May, framed as a routine data-corruption patch. The exploitable detail sat on a public mailing list for weeks. No CVE, no security warning." — The Hacker News

CVE assignment occurred on June 16, 2026, with the fix merged the same day. Within 24 hours, a public exploit demonstrated practical weaponization. This speed of conversion from silent patch to working exploit raises questions about the coordination process between kernel maintenance and security response.

The Attack Vector: User Namespaces and CAP_NET_ADMIN

The exploit requires the attacker to configure tc pedit rules, an operation that needs the CAP_NET_ADMIN capability. On systems with unprivileged user namespaces enabled — the default on RHEL 10 and Debian 13 (trixie) — a local user obtains this capability inside their own namespace without actual root privileges.

According to the source, the exploit was successfully tested on RHEL 10 and Debian 13. Ubuntu 24.04 requires a detour through AppArmor profiles that still allow user namespaces; Ubuntu 26.04 blocks the path by default. Debian has patched the trixie release, while Debian 11 and 12 remain vulnerable. Ubuntu lists supported releases from 18.04 through 26.04 as vulnerable as of June 25. Red Hat lists RHEL 8, 9, and 10 as affected; RHEL 7 does not appear on the list.

"The exploit never touches the file on disk. It poisons the cached copy of a setuid root binary (/bin/su) in memory, injects a small payload, and runs that altered image as root. File-integrity checks come back clean while a root shell is already open." — The Hacker News

Why This Matters

The ability to gain root by corrupting binaries in memory without leaving a disk trace makes CVE-2026-46331 particularly insidious for traditional integrity controls: read-only filesystems, AIDE, Tripwire, or rpm/deb verification all report clean files. The attack operates entirely in the volatile memory domain.
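One defender-side check that follows from this: because the file on disk is untouched, the poisoned copy can only be caught by comparing the file as served from the page cache with the same bytes read straight from disk. The script below is an added example, not code from the brief or from any vendor; it assumes GNU coreutils (dd with iflag=direct and status=none, sha256sum) and a filesystem that supports O_DIRECT, and the paths to check are supplied by the operator.

```shell
#!/bin/sh
# Added example: flag files whose page-cache view differs from their on-disk
# bytes. Assumes GNU coreutils and O_DIRECT support on the file's filesystem;
# where direct reads are impossible the file is reported as unverified.

# Digest through the normal read path: this is the page-cache view.
cached_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# Digest via O_DIRECT: dd copies from the block device, bypassing the cache.
# Dirty pages are written back before a direct read, so a legitimate pending
# write does not register as a mismatch. bs=4096 satisfies alignment rules.
direct_digest() {
    tmp=$(mktemp) || return 1
    if dd if="$1" of="$tmp" iflag=direct bs=4096 status=none 2>/dev/null; then
        sha256sum "$tmp" | cut -d' ' -f1
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# 0 = digests agree, 1 = they differ, 2 = one side is missing.
compare_digests() {
    [ -n "$1" ] && [ -n "$2" ] || return 2
    [ "$1" = "$2" ]
}

# 0 = cache and disk agree, 1 = cached copy diverges from disk (investigate
# which processes map it), 2 = could not verify this file.
check_cache_vs_disk() {
    [ -r "$1" ] || return 2
    d=$(direct_digest "$1") || return 2
    compare_digests "$(cached_digest "$1")" "$d"
}

# Usage: sh cache_vs_disk.sh /bin/su [more setuid binaries...]
for f in "$@"; do
    check_cache_vs_disk "$f"
    case $? in
        0) echo "OK          $f" ;;
        1) echo "MISMATCH    $f: page cache differs from disk" ;;
        *) echo "UNVERIFIED  $f: unreadable or no O_DIRECT support" ;;
    esac
done
```

A divergence disappears once the altered page is evicted from the cache, so this detects the condition only while the poisoned copy is still resident.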

The brief does not document vendor-specific remediation guidance. It is unclear whether the exploit has been observed in real-world attacks beyond the published proof-of-concept. The exact range of affected kernel versions is not enumerated in primary sources: NVD indicates the fix commit but not a complete range. CVSS has not yet been assigned by NVD; Red Hat classifies the vulnerability as "important" but does not specify a numerical value in available sources.

The source does not specify the full nature of data exposed beyond the in-memory corruption of /bin/su. It is not confirmed whether container escape is practically achievable with this specific vulnerability: the windowsnews.ai source discusses the risk as theoretical, not as demonstrated exploitation.

The COW Poisoning Pattern and Broader Context

The attack mechanism — page cache poisoning via COW failure — is not isolated. CVE-2026-31431, dubbed "Copy Fail" and documented by Microsoft and ExtraHop, exploits an analogous pattern in the crypto AF_ALG subsystem to gain root with the same core principle: writing to shared pages the kernel believes are private. The two vulnerabilities are distinct: pedit COW operates in the traffic-control subsystem, Copy Fail in the cryptographic subsystem.

This convergence of techniques suggests the COW poisoning pattern warrants systematic attention in kernel code review, not just individual bug fixes. However, this reading is editorial: the brief does not document generalized auditing initiatives.

FAQ

Why didn't the fix receive a CVE immediately?
According to the source, the patch was presented as a routine data-corruption fix, without the maintainer or submitter recognizing its security relevance. The CVE was assigned only on June 16, when a researcher highlighted the weaponizability.

Do on-disk integrity checks detect the attack?
No. The exploit modifies the cached copy of the binary in memory, not the file on disk. Every post-attack verification based on filesystem checksums comes back clean.

Does blocking user namespaces prevent the attack?
According to the source, yes: without unprivileged user namespaces, the attacker cannot obtain the CAP_NET_ADMIN needed to configure tc pedit rules. However, this measure breaks functionality such as rootless containers and browser sandboxes, creating a tension between security and operability that the brief does not resolve.
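The two preconditions the brief names, in the "Attack Vector" section and in this answer, can be audited on a host in one pass. The script below is an added example, not from the brief or any vendor; it assumes the upstream user.max_user_namespaces sysctl and treats the distribution-specific knobs (Debian/Arch kernel.unprivileged_userns_clone, Ubuntu kernel.apparmor_restrict_unprivileged_userns) as absent on kernels that lack them.

```shell
#!/bin/sh
# Added example: audit unprivileged user namespaces (the route to CAP_NET_ADMIN)
# and the act_pedit module state. Assumption: the two distro sysctls named
# below exist only on some kernels and read as empty (absent) elsewhere.

# Print a sysctl value, or nothing when the knob is absent or unreadable.
sysctl_val() { sysctl -n "$1" 2>/dev/null || true; }

# Classify user-namespace policy from three values (empty = knob absent):
#   $1 user.max_user_namespaces (0 or absent: creation disabled)
#   $2 kernel.unprivileged_userns_clone (0: blocked for non-root)
#   $3 kernel.apparmor_restrict_unprivileged_userns (1: only programs with
#      an AppArmor profile may unshare, the "detour" the brief mentions)
userns_state() {
    if [ -z "$1" ] || [ "$1" -eq 0 ]; then echo blocked; return; fi
    if [ "$2" = 0 ]; then echo blocked; return; fi
    if [ "$3" = 1 ]; then echo restricted; return; fi
    echo allowed
}

audit_userns() {
    userns_state "$(sysctl_val user.max_user_namespaces)" \
        "$(sysctl_val kernel.unprivileged_userns_clone)" \
        "$(sysctl_val kernel.apparmor_restrict_unprivileged_userns)"
}

# A "blacklist act_pedit" line only stops alias-based autoload; tc pulls the
# module in by name via request_module(), which only an "install act_pedit
# /bin/false" (or /bin/true) override defeats. Reads modprobe config on stdin.
modprobe_blocks_pedit() {
    grep -Eq '^[[:space:]]*install[[:space:]]+act_pedit[[:space:]]+/bin/(false|true)'
}

# builtin = compiled into vmlinux (modprobe overrides cannot block it).
pedit_state() {
    if grep -qs '/act_pedit\.ko' "/lib/modules/$(uname -r)/modules.builtin"; then echo builtin; return; fi
    if grep -q '^act_pedit ' /proc/modules 2>/dev/null; then echo loaded; return; fi
    if cat /etc/modprobe.d/*.conf 2>/dev/null | modprobe_blocks_pedit; then echo blocked; return; fi
    if modinfo act_pedit >/dev/null 2>&1; then echo loadable; return; fi
    echo absent
}

# Remediation lines (run as root; not executed here):
#   printf 'install act_pedit /bin/false\n' >/etc/modprobe.d/act_pedit.conf
#   sysctl -w user.max_user_namespaces=0   # also breaks rootless containers
echo "user namespaces: $(audit_userns)"
echo "act_pedit module: $(pedit_state)"
```

An already loaded module is not affected by the modprobe override; it has to be unloaded separately, and a builtin act_pedit leaves only the user-namespace side of the mitigation.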

Sources and references

Information is based on cited sources and current as of publication.

  1. thehackernews.com
  2. wiu.edu
  3. windowsnews.ai
  4. microsoft.com
  5. extrahop.com
  6. nvd.nist.gov
  7. cert.europa.eu