A Linux kernel local privilege-escalation flaw nicknamed pedit COW, tracked as CVE-2026-46331, can let a local user gain root on affected systems by abusing page-cache corruption in the kernel's traffic-control subsystem. Red Hat rates the flaw Important and says a missing bounds check in act_pedit can allow an out-of-bounds write that corrupts page-cache memory. Ubuntu rates the issue High. A public proof-of-concept attributed to researcher Massimiliano Oldani was published on 17 June 2026, and vendor fixes or mitigation guidance are now available across several Linux ecosystems.

What the flaw is

The vulnerable code is act_pedit, the packet-editing action in the kernel's traffic-control (tc) subsystem under net/sched, used to rewrite header bytes on network packets. The kernel function tcf_pedit_act() is meant to make a private copy of the data before editing it — the standard copy-on-write (COW) pattern that keeps a change from affecting shared memory. The defect, as the upstream fix describes it, is that the writable range is validated too early, before the final write location is known for every edit; the result is a partial COW in which part of the write is never made private and reaches a shared page-cache page that the kernel believed it had safely privatised.

The consequence is the dangerous part. If the corrupted page backs a cached executable, the in-memory image of that file is altered — and the documented impact is the poisoning of the cached copy of a setuid-root binary such as /bin/su, so that running it yields a root shell. Crucially, the exploit never modifies the file on disk. It changes only the in-memory page cache, which means file-integrity monitoring tools will report the binary as unchanged while a root shell is already open. This advisory describes the nature and impact of the flaw and how to defend against it; the operational exploit technique and proof-of-concept are deliberately not reproduced here.

The N-day problem: public before it was a CVE

The way this surfaced is as instructive as the bug itself. The upstream fix was developed in the open on the kernel networking (netdev) mailing list as a routine data-corruption fix, with no CVE and no security framing. The CVE was assigned later, at merge time on 16 June 2026, and a public proof-of-concept — attributed to researcher Massimiliano Oldani — followed the next day, 17 June. For defenders, that ordering is the problem: the exploitable technical detail was visible on a public list before most teams had a CVE identifier, a scanner signature, a vendor advisory or a patch process attached to it. This is an N-day, not a same-day surprise, but the window in which it was effectively undocumented is exactly the window attackers value.

Who is affected, and the conditions

Exploitation has two prerequisites: the act_pedit module must be loadable, and unprivileged user namespaces must be available — the latter is how an ordinary user obtains the namespace-local CAP_NET_ADMIN capability needed to configure the action without real privilege, where unprivileged user namespaces are enabled.

At the distribution level, Red Hat lists RHEL 8, 9 and 10 as directly affected, with OpenShift Container Platform rated Low because the vulnerable module is not loaded by default. Ubuntu rates the issue High and tracks per-release status across supported and extended-support streams. Debian-related reporting indicates fixes for the trixie/testing streams, but administrators should confirm exact exposure and fixed package versions through their own distribution security tracker rather than relying on a single upstream kernel number. Public CVSS scoring is incomplete — the NVD had not published a score when checked — so the Red Hat Important and Ubuntu High ratings are the ones to act on.

How to fix it, and the mitigation trade-offs

The durable fix is to deploy a vendor-patched kernel and reboot into it. The NVD/kernel.org CVE record references the upstream/stable fix for the act_pedit partial-COW issue, while downstream status varies by distribution and release stream. Treat the vendor tracker for your actual kernel package — Red Hat, Ubuntu, Debian, AlmaLinux, CloudLinux or another downstream — as the operational source of truth, and remember the update requires a reboot to take effect.

Where an immediate reboot is not possible, there are two temporary mitigations, each with a cost:

  • Block the act_pedit module from loading if your systems do not use tc pedit rules. This removes the vulnerable code path, but will break legitimate traffic-control packet editing where it is in use.

  • Restrict unprivileged user namespaces. This closes the capability path the exploit relies on, but can break rootless containers and application sandboxing that depend on user namespaces.

Both are temporary controls with real operational risk: they should be tested against your workloads, documented, and removed after patching. Rebootless live-patching (for example via KernelCare) was still in testing as fixes rolled out, so it should not be relied on as the primary control. On detection: because the corruption lives only in memory, file-based integrity checks will not catch it — monitoring is better spent on runtime telemetry, unexpected kernel instability, and anomalous use of unprivileged user namespaces.

Why it matters beyond a single host

A local privilege escalation is a second-stage tool, not an internet-scannable break-in, and that scoping matters: an attacker needs an existing local foothold first — a shell account, a compromised service process, a malicious CI job, or a container workload. But that is precisely the profile of modern shared infrastructure. On multi-tenant hosting, CI/CD systems, Kubernetes clusters and shared cloud environments — common in regional hosting, CI/CD and shared infrastructure environments — a low-privileged foothold is common, and a reliable local-to-root path turns it into full host compromise. It is worth restating that a kernel bug is shared by every container on the same host: container boundaries are not a defence against this class of flaw. For regional operators running fleets of enterprise Linux servers, the exposure and the action are the same as everywhere else.

Key Takeaways

  • CVE-2026-46331 (pedit COW) is a Linux kernel local privilege-escalation flaw in the traffic-control act_pedit action: a missing bounds check causes an out-of-bounds write that corrupts page-cache memory, letting a local user gain root.

  • The exploit poisons the in-memory copy of a setuid binary and never touches disk, so file-integrity monitoring will not detect it; a public proof-of-concept has existed since 17 June 2026.

  • Red Hat rates it Important and Ubuntu High, while the NVD had not assigned a CVSS score; affected distributions include RHEL 8/9/10 with Debian and Ubuntu streams tracking their own status — check your distribution's security tracker for exact exposure.

  • Patch to a vendor-fixed kernel and reboot; until then, block the act_pedit module or restrict unprivileged user namespaces, accepting that each is a temporary control that can break legitimate functionality (traffic shaping, rootless containers).