- A new Linux kernel vulnerability, CVE-2026-46331, allows local, unprivileged users to gain full root access on affected systems.
- The flaw is in the packet-editing action (act_pedit) of the kernel’s traffic-control subsystem and has been nicknamed “pedit COW”.
- A working, public exploit appeared within a day of the CVE assignment on June 16, 2026.
- Systems are vulnerable if two conditions are met: the act_pedit module is loadable and unprivileged user namespaces are enabled.
- Patches are available from vendors; until they are installed, temporary mitigations are to disable the module or unprivileged user namespaces.
A critical vulnerability discovered in the Linux kernel’s traffic-control subsystem in June 2026 enables a local attacker to gain root privileges, according to a report by Swati Khandelwal. Designated CVE-2026-46331, this flaw corrupts shared page-cache memory via an out-of-bounds write in the packet-editing function.
The public exploit uses this write to poison the cached copy of a setuid binary like `/bin/su` in memory. It injects a payload and runs the altered image with root access without touching the disk.
The exploit requires two specific conditions to be present on a target system. First, the `act_pedit` kernel module must be loadable. Second, unprivileged user namespaces must be enabled, since they grant the necessary `CAP_NET_ADMIN` capability.
Tested systems such as RHEL and Debian met both conditions by default. Ubuntu was more varied, with Ubuntu 26.04 blocking a key path via its default AppArmor profiles.
Vendor advisories differ on patch status for affected systems. For instance, Debian has fixed its trixie release, while Ubuntu lists many supported versions as still vulnerable.
System administrators are urged to install the patched kernel and reboot immediately. This is especially critical for multi-tenant hosts, CI/CD runners, and shared lab machines where local users may not be trusted.
If patching is not immediately possible, two mitigations can disrupt the exploit chain. One method is to block the `act_pedit` module from loading entirely within the system configuration.
The alternative is to disable unprivileged user namespaces via kernel parameters, though this may break functionality for rootless containers and sandboxed applications. A fix was posted to the netdev mailing list in late May as a routine patch before its security implications were widely understood.
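A host-side check for the two mitigations described above, as an added example that is not from the original report or any vendor advisory. It assumes the module block is written as an `install act_pedit /bin/false` rule under `/etc/modprobe.d`, and that user namespaces are controlled by the `user.max_user_namespaces` sysctl or the Debian/Ubuntu `kernel.unprivileged_userns_clone` sysctl; the function names and the optional `ROOT` argument are hypothetical. It does not check whether the kernel itself is patched.

```shell
#!/bin/sh
# Added example: reports which of the two exploit preconditions is still open.
# ROOT (hypothetical argument) points the checks at a constructed tree for
# testing; leave it empty to inspect the live system.

# Succeeds if a modprobe.d rule replaces loading act_pedit with a no-op.
# A bare "blacklist" line is deliberately not counted: it only suppresses
# alias-based autoloading, not a load requested by module name.
# Assumption: only /etc/modprobe.d is searched.
pedit_blocked() {
    root="${1:-}"
    for f in "$root"/etc/modprobe.d/*.conf; do
        [ -f "$f" ] || continue
        grep -Eq '^[[:space:]]*install[[:space:]]+act_pedit[[:space:]]+/(usr/)?bin/(false|true)' "$f" && return 0
    done
    return 1
}

# Succeeds if unprivileged user namespaces appear to be available.
userns_open() {
    root="${1:-}"
    max="$root/proc/sys/user/max_user_namespaces"
    clone="$root/proc/sys/kernel/unprivileged_userns_clone"
    [ -r "$max" ] && [ "$(cat "$max")" = "0" ] && return 1
    [ -r "$clone" ] && [ "$(cat "$clone")" = "0" ] && return 1
    return 0
}

# Prints one line summarising mitigation state for this host.
pedit_cow_exposure() {
    root="${1:-}"
    if pedit_blocked "$root"; then
        echo "mitigated: act_pedit load blocked"
    elif ! userns_open "$root"; then
        echo "mitigated: unprivileged userns disabled"
    else
        echo "exposed: both preconditions present (patch state not checked)"
    fi
}
```

Run `pedit_cow_exposure` with no argument on multi-tenant hosts and CI/CD runners; an "exposed" result means neither mitigation is in place and the host depends entirely on the patched kernel.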
