PROBABLYPWNED
Vulnerabilities · June 28, 2026 · 3 min read

Pedit COW: Traffic Control Bug Lets Anyone Root Linux Boxes

CVE-2026-46331 in Linux's tc subsystem lets local users poison cached binaries and gain root. Public exploit available within a day of CVE assignment.

Marcus Chen

A public exploit for CVE-2026-46331 dropped within 24 hours of its CVE assignment, giving attackers a turnkey path to root on most Linux distributions. The vulnerability, nicknamed "pedit COW," affects the kernel's traffic-control packet-editing subsystem.

Technical Breakdown

The bug lives in tcf_pedit_act(), the kernel function that applies tc pedit edits to packet headers. Packet data can be shared with other owners, including page-cache pages, so before writing the function is supposed to make the bytes it will touch private (copy-on-write) and only then modify them. The catch: some pedit keys compute their final offset at run time from the packet's own contents, and that resolved offset is not covered by the range that was checked and made writable beforehand.

The write therefore lands past the privately copied region and modifies the shared page-cache page directly. An attacker uses this to poison a cached setuid binary: inject a small payload into the in-memory image of /bin/su, then execute it. The kernel serves the poisoned page to the new process, which starts as root.

The on-disk file is never touched, because only the page-cache copy in RAM is poisoned. File integrity tools report no changes while the root shell is already open.
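To make the pattern concrete, here is a small user-space model of the bug class, added as an illustration; it is not the kernel's tcf_pedit_act(), not the CVE fix, and the article does not say which pedit keys are affected. The model borrows pedit's real at/offmask/shift mechanism (a key whose offset is adjusted by a byte read from the packet) as the runtime-resolved offset, shrinks a page to 64 bytes, and the names shared_page, ensure_writable, pedit_act_vuln and pedit_act_fixed are mine. The vulnerable function sizes the private copy from the static offset before resolving the runtime one; the hardened function resolves first.

```c
/*
 * Simplified model of the page-cache copy-on-write bug class described
 * above. Added illustration: NOT the kernel's tcf_pedit_act() and NOT the
 * CVE fix. The 64-byte page, field names and the use of pedit's
 * at/offmask/shift runtime-offset keys are assumptions made to show the
 * ordering problem, nothing more.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SZ 64              /* assumed page size for the model */

/* Stands in for a page-cache page backing a cached file such as a setuid
 * binary. A packet built from it by a zero-copy path shares these bytes. */
static uint8_t shared_page[PAGE_SZ];

struct skb {
    size_t len;                 /* packet length; all of it sits in the page */
    size_t writable;            /* bytes [0, writable) have been made private */
    uint8_t priv[PAGE_SZ];      /* the private copy */
};

struct pedit_key {
    int off;                    /* static offset, known when the rule is installed */
    int at;                     /* -1: static key; else index of the byte that adjusts off */
    uint8_t offmask;            /* mask applied to data[at] */
    int shift;                  /* shift applied after masking */
    uint8_t val;                /* byte to write */
};

/* Read through the packet's current view: private prefix, then shared page. */
static uint8_t read_byte(const struct skb *s, size_t off) {
    return off < s->writable ? s->priv[off] : shared_page[off];
}

/* Write through the same view. A write past the private prefix is the
 * whole bug: it lands in the shared page-cache page. */
static void write_byte(struct skb *s, size_t off, uint8_t v) {
    if (off < s->writable)
        s->priv[off] = v;
    else
        shared_page[off] = v;
}

/* Stand-in for the kernel's unshare-before-write step: make [0, len) private. */
static void ensure_writable(struct skb *s, size_t len) {
    if (len > s->len) len = s->len;
    for (size_t i = s->writable; i < len; i++)
        s->priv[i] = shared_page[i];
    if (len > s->writable)
        s->writable = len;
}

/* Keys with `at` set only know their offset once packet bytes are read. */
static int resolve_offset(const struct skb *s, const struct pedit_key *k) {
    int off = k->off;
    if (k->at >= 0) {
        if ((size_t)k->at >= s->len) return -1;
        off += (read_byte(s, (size_t)k->at) & k->offmask) >> k->shift;
    }
    return (off < 0 || (size_t)off >= s->len) ? -1 : off;
}

/* Vulnerable pattern: the private copy is sized from the static offset, so
 * a runtime-resolved offset passes the length check yet writes past it. */
static int pedit_act_vuln(struct skb *s, const struct pedit_key *k) {
    ensure_writable(s, (size_t)k->off + 1);
    int off = resolve_offset(s, k);
    if (off < 0) return -1;
    write_byte(s, (size_t)off, k->val);
    return 0;
}

/* Hardened pattern: resolve first, then size the private copy from the
 * offset that will actually be written. */
static int pedit_act_fixed(struct skb *s, const struct pedit_key *k) {
    int off = resolve_offset(s, k);
    if (off < 0) return -1;
    ensure_writable(s, (size_t)off + 1);
    write_byte(s, (size_t)off, k->val);
    return 0;
}

/* Run one key through either implementation against a fresh "cached binary"
 * page; return 1 if the shared page was modified, 0 otherwise. */
int shared_page_modified(int use_fixed) {
    memset(shared_page, 0x90, sizeof shared_page);   /* constructed page contents */
    shared_page[1] = 40;                             /* attacker-chosen byte read via `at` */
    struct skb s = { .len = PAGE_SZ, .writable = 0 };
    struct pedit_key k = { .off = 0, .at = 1, .offmask = 0xff, .shift = 0, .val = 0xcc };
    int rc = use_fixed ? pedit_act_fixed(&s, &k) : pedit_act_vuln(&s, &k);
    return rc == 0 && shared_page[40] != 0x90;
}

int main(void) {
    printf("vulnerable: shared page modified = %d\n", shared_page_modified(0));
    printf("fixed:      shared page modified = %d\n", shared_page_modified(1));
    return 0;
}
```

The vulnerable path reports the shared page modified; the fixed path does not. The ordering is the whole point: a range check or unshare step computed before the final offset is known protects the wrong bytes, and no amount of bounds checking against the packet length catches that, because the write is inside the packet.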

Timeline That Should Worry You

  • Late May: Fix proposed on the netdev mailing list
  • June 16: CVE assigned
  • June 17: Public weaponized exploit released

The exploitable details were visible on a public mailing list before most teams had a CVE, a scanner rule, a vendor advisory, or a patch process attached to it. This is exactly the window threat actors love.

What's Required

Two conditions enable exploitation by an unprivileged local user:

  1. The act_pedit module must be loaded or loadable (tc autoloads it the first time a pedit action is requested)
  2. Unprivileged user namespaces must be enabled, so the attacker can create a user namespace plus a network namespace in which they hold CAP_NET_ADMIN, the capability tc needs to attach actions to a qdisc

Both conditions are met by default on RHEL 8/9/10, Debian 11-13, and Ubuntu 18.04 through 26.04.
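A quick way to check a host against those two preconditions, added here as an example and not taken from the article or any vendor advisory: the program below reads only the standard kernel interfaces (user.max_user_namespaces, which every supported kernel exposes; kernel.unprivileged_userns_clone, which exists only on Debian/Ubuntu kernels; /proc/modules; and /etc/modprobe.d/*.conf) and changes nothing. Its assumptions are spelled out in the header comment: a module that is neither loaded nor blocked by an install line counts as loadable, a kernel with pedit built in is not detected, and the other modprobe.d directories are not scanned. The decision logic is kept in classify() so it can be exercised on constructed values.

```c
/*
 * Exposure check for the two preconditions above. Added example, not code
 * from the article or from any vendor. It reads /proc/sys/user/max_user_namespaces
 * (every supported kernel), /proc/sys/kernel/unprivileged_userns_clone
 * (Debian/Ubuntu kernels only), /proc/modules and /etc/modprobe.d/*.conf,
 * and changes nothing. Assumptions: a module neither loaded nor blocked by
 * an "install act_pedit ..." line is loadable (tc autoloads it); a kernel
 * with pedit built in (CONFIG_NET_ACT_PEDIT=y) is not detected; only
 * /etc/modprobe.d is scanned, not /run, /usr/lib or /lib modprobe.d dirs.
 */
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum exposure { EXPOSED, BLOCKED_USERNS, BLOCKED_PEDIT, BLOCKED_BOTH };

/* Policy, kept free of I/O. max_userns: user.max_user_namespaces, -1 if the
 * sysctl is absent (treated as unrestricted); userns_clone: Debian/Ubuntu
 * kernel.unprivileged_userns_clone, -1 if absent (also unrestricted);
 * pedit_state: 0 = not loaded but loadable, 1 = loaded, 2 = loading blocked. */
enum exposure classify(long max_userns, int userns_clone, int pedit_state) {
    int userns_ok = max_userns != 0 && userns_clone != 0;
    int pedit_ok  = pedit_state != 2;
    if (userns_ok && pedit_ok)   return EXPOSED;
    if (!userns_ok && !pedit_ok) return BLOCKED_BOTH;
    return userns_ok ? BLOCKED_PEDIT : BLOCKED_USERNS;
}

/* True if `p` starts with word `w` followed by whitespace or end of text. */
static int word_at(const char *p, const char *w) {
    size_t n = strlen(w);
    return strncmp(p, w, n) == 0 && (p[n] == '\0' || strchr(" \t\r\n", p[n]) != NULL);
}

/* True if some line of `text` reads "<prefix> <name>"; prefix NULL means the
 * line starts with <name>, as /proc/modules lines do. Comment lines never match. */
int line_has(const char *text, const char *prefix, const char *name) {
    const char *p = text;
    while (p != NULL && *p != '\0') {
        const char *q = p;
        while (*q == ' ' || *q == '\t') q++;
        if (prefix != NULL && word_at(q, prefix)) {
            q += strlen(prefix);
            while (*q == ' ' || *q == '\t') q++;
            if (word_at(q, name)) return 1;
        } else if (prefix == NULL && word_at(q, name)) {
            return 1;
        }
        p = strchr(p, '\n');
        if (p != NULL) p++;
    }
    return 0;
}

static size_t read_file(const char *path, char *buf, size_t cap) {
    FILE *f = fopen(path, "r");
    if (f == NULL) return 0;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return n;
}

/* Value of a sysctl file, or -1 if the file does not exist on this kernel. */
static long read_long(const char *path) {
    char buf[64];
    return read_file(path, buf, sizeof buf) ? strtol(buf, NULL, 10) : -1;
}

/* Scan /etc/modprobe.d/*.conf for an "install act_pedit ..." override. */
static int pedit_load_blocked(void) {
    static char buf[1 << 16];
    char path[4096];
    struct dirent *e;
    int blocked = 0;
    DIR *d = opendir("/etc/modprobe.d");
    if (d == NULL) return 0;
    while (!blocked && (e = readdir(d)) != NULL) {
        size_t l = strlen(e->d_name);
        if (l < 5 || strcmp(e->d_name + l - 5, ".conf") != 0) continue;
        snprintf(path, sizeof path, "/etc/modprobe.d/%s", e->d_name);
        if (read_file(path, buf, sizeof buf) && line_has(buf, "install", "act_pedit"))
            blocked = 1;
    }
    closedir(d);
    return blocked;
}

int main(void) {
    static char mods[1 << 16];
    static const char *label[] = {
        "EXPOSED: both preconditions met",
        "blocked: unprivileged user namespaces disabled",
        "blocked: act_pedit cannot be loaded",
        "blocked: both mitigations in place" };
    long max_userns = read_long("/proc/sys/user/max_user_namespaces");
    int clone = (int)read_long("/proc/sys/kernel/unprivileged_userns_clone");
    read_file("/proc/modules", mods, sizeof mods);
    int state = line_has(mods, NULL, "act_pedit") ? 1 : pedit_load_blocked() ? 2 : 0;
    printf("user.max_user_namespaces=%ld unprivileged_userns_clone=%d act_pedit=%s\n",
           max_userns, clone, state == 1 ? "loaded" : state == 2 ? "blocked" : "loadable");
    printf("%s\n", label[classify(max_userns, clone, state)]);
    return 0;
}
```

A "blocked" verdict from this check is only as good as its assumptions: it cannot see a built-in pedit, it does not know whether a live patch is applied, and it treats an absent sysctl as unrestricted rather than safe. Treat EXPOSED as authoritative and anything else as a prompt to confirm by hand.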

Affected Systems

According to vendor advisories as of June 25:

  • RHEL: 8, 9, and 10 vulnerable
  • Debian: 11 (bullseye), 12 (bookworm), and 13 (trixie) vulnerable
  • Ubuntu: 18.04 through 26.04 listed as vulnerable

This mirrors the scope of DirtyClone, another page-cache corruption flaw disclosed this week. The two vulnerabilities share the same underlying technique but attack through different kernel subsystems.

Immediate Actions

Primary solution: Install patched kernels and reboot. Prioritize multi-tenant systems, Kubernetes nodes, and any server accepting SSH from semi-trusted users.

Temporary mitigations if you can't patch immediately:

  1. Block act_pedit module loading. Use an install line, not blacklist: tc requests the module by its exact name, and blacklist only suppresses aliases. Unload it first if it is already loaded (this fails while a pedit action is still attached), and note that the override does nothing on a kernel with pedit built in (CONFIG_NET_ACT_PEDIT=y):
modprobe -r act_pedit 2>/dev/null
echo "install act_pedit /bin/true" > /etc/modprobe.d/disable-act_pedit.conf
  2. Disable unprivileged user namespaces. These change the running kernel only; put the same setting in a file under /etc/sysctl.d/ to survive a reboot:
sysctl -w kernel.unprivileged_userns_clone=0   # Debian/Ubuntu kernels only
sysctl -w user.max_user_namespaces=0           # RHEL; also works on any other kernel

Note: Disabling user namespaces breaks rootless containers and anything else that relies on them. Know your dependencies before flipping it.

Why This Matters

The speed from disclosure to weaponization here is alarming. A day between CVE assignment and public exploit leaves no time for organizational patch cycles.

Both pedit COW and DirtyClone target the same primitive—corrupting page-cache memory to modify privileged binaries without touching disk. This suggests researchers (and attackers) are actively hunting for more variants.

Organizations running shared Linux infrastructure should assume these flaws are being exploited in the wild and treat patching as a hair-on-fire priority. For background on how these privilege escalation chains fit into broader attack patterns, see our guide on what makes malware dangerous.
