CVE-2026-46331 — Linux kernel "pedit COW": out-of-bounds write in the tc act_pedit module (public weaponised PoC)
From CTI Daily Brief — 2026-06-27 · published 2026-06-27
A separate page-cache-corruption LPE, pedit COW, drew a public weaponised PoC (packet_edit_meme) within a day of CVE assignment on 2026-06-16 (Red Hat Product Security, 2026-06-19). The bug is a missing bounds check in tcf_pedit_act() in net/sched/act_pedit.c: the function computes the copy-on-write range once before iterating the key list, so writes from later typed keys (whose runtime header offsets are not accounted for) fall outside the private copy and into read-only file-backed page-cache memory — a partial COW. An unprivileged user with tc rule-write access (again, obtainable through user namespaces) overwrites the cached /bin/su to spawn a root shell (The Hacker News, 2026-06-26). Red Hat confirms that RHEL 8/9/10, RHCOS (OpenShift) and RHOSP are affected; the flaw has been exposed since kernel v5.18 and is fixed upstream in v7.1-rc7. Interim mitigation where tc pedit is unused: blacklist the act_pedit module, or set kernel.unprivileged_userns_clone=0.
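To audit a host against the two interim mitigations named above, the sh functions below (an added example, not part of the brief or of any vendor tooling) report whether act_pedit is loaded, whether modprobe.d blocks it, and the value of kernel.unprivileged_userns_clone. The function names and verdict strings are this example's own. A lone `blacklist` line is rated partial because modprobe.d's blacklist only suppresses alias-based loading, whereas an `install act_pedit /bin/false` override also stops loading by module name.

```shell
#!/bin/sh
# Added example: report the state of the interim mitigations for act_pedit.
# Paths are parameters so the functions can be exercised on constructed files.

# Echo "install" if a modprobe.d file replaces loading of act_pedit with a
# no-op command, "blacklist" if only a blacklist line exists, else "none".
# modprobe.d's blacklist ignores a module's aliases; it does not stop a load by name.
pedit_modprobe_state() {
    dir=${1:-/etc/modprobe.d}
    if grep -Eqs '^[[:space:]]*install[[:space:]]+act_pedit[[:space:]]+(/usr)?/bin/(false|true)' "$dir"/*.conf; then
        echo install
    elif grep -Eqs '^[[:space:]]*blacklist[[:space:]]+act_pedit([[:space:]]|$)' "$dir"/*.conf; then
        echo blacklist
    else
        echo none
    fi
}

# Echo "loaded" if act_pedit appears in a /proc/modules-format file.
pedit_loaded() {
    if grep -qs '^act_pedit ' "${1:-/proc/modules}"; then echo loaded; else echo not-loaded; fi
}

# Echo the value of kernel.unprivileged_userns_clone, or "absent" when the
# running kernel does not provide that sysctl (the mitigation then does not apply).
userns_clone_state() {
    f=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; echo; else echo absent; fi
}

# Combine the three observations into one verdict line.
# An install override does not unload a module that is already resident.
pedit_verdict() {
    mp=$(pedit_modprobe_state "$1"); ld=$(pedit_loaded "$2"); ns=$(userns_clone_state "$3")
    if [ "$ld" = not-loaded ] && [ "$mp" = install ]; then
        echo "MITIGATED module-blocked"
    elif [ "$ns" = 0 ]; then
        echo "MITIGATED userns-disabled"
    elif [ "$mp" = blacklist ]; then
        echo "PARTIAL blacklist-only loaded=$ld userns=$ns"
    else
        echo "EXPOSED modprobe=$mp loaded=$ld userns=$ns"
    fi
}

pedit_verdict
```

The script deliberately does not compare `uname -r` with v5.18 or v7.1-rc7, because vendor kernels carry backported code and fixes under their own version numbers.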