New Linux pedit COW Exploit Allows Attackers to Gain System Root Access
A newly disclosed Linux kernel vulnerability combining a Copy-on-Write (COW) page-cache corruption flaw with the net/sched subsystem’s act_pedit component is enabling unprivileged local attackers to escalate privileges to full root access on several major Linux distributions.
The exploit, dubbed packet_edit_meme, has been verified in June 2026 against actively maintained enterprise and consumer kernels.
The root cause is a partial-COW page-cache corruption bug introduced in kernel commit 899ee91156e5, present across Linux kernel versions v5.18 through v7.1-rc6 and patched in v7.1-rc7. The flaw resides in the net/sched act_pedit subsystem, a traffic editing component of the Linux traffic control (tc) framework.
The attack chain works by spawning a user namespace child process with CAP_NET_ADMIN capabilities — a permission reachable by unprivileged users on systems where unprivileged user namespaces are enabled by default.
The exploit then leverages the COW corruption primitive to overwrite the page-cached ELF entry point of the setuid-root binary /bin/su, injecting shellcode that executes setgid(0) + setuid(0) + execve("/bin/sh") — delivering a root shell to the attacker.
This is the fourth recent privilege escalation vulnerability disclosed in Linux systems.
| Vulnerability | CVE | Disclosed | Subsystem | Write Primitive | Root Required? |
|---|---|---|---|---|---|
| Copy Fail | CVE-2026-31431 | April 30, 2026 | algif_aead (AF_ALG crypto) | 4-byte page-cache write | No |
| DirtyFrag | CVE-2026-43284 / CVE-2026-43500 | May 8, 2026 | IPsec ESP (xfrm) + RxRPC | Full write primitive (chained) | No |
| Fragnesia | CVE-2026-46300 | May 14, 2026 | XFRM ESP-in-TCP | Arbitrary byte write | No |
| pedit COW | CVE-2026-46331 | June 26, 2026 | net/sched act_pedit | Out-of-bounds page-cache write | No |
Affected Distributions
Verified testing confirms exploitation success on multiple widely deployed distributions:
| Distribution | Kernel | Flag | Result |
|---|---|---|---|
| RHEL 10.0 | 6.12.0-228.el10 | None | ROOT |
| Debian 13 (Trixie) | 6.12.90+deb13.1 | None | ROOT |
| Ubuntu 24.04.4 | 6.17.0-22 | --ubuntu | ROOT |
| Ubuntu 26.04 | 7.0.0-14-generic | --ubuntu | FAIL |
RHEL and Debian are immediately vulnerable with no flags required, as both ship with unprivileged user namespaces open by default. Notably, RHEL lacks cls_basic and em_meta modules, but the exploit automatically falls back to matchall to deliver the same corruption primitive.
Ubuntu enforces two sysctls that restrict unprivileged user namespace creation:
- kernel.apparmor_restrict_unprivileged_userns: blocks unconfined userns creation
- kernel.apparmor_restrict_unprivileged_unconfined: prevents aa-exec permissive profiles from shedding the restriction
The --ubuntu flag re-executes the exploit via aa-exec using permissive profiles such as trinity, chrome, or flatpak — which carry a userns rule — effectively bypassing the AppArmor gate.
This bypass works on Ubuntu 24.04.4 (unconfined=0) but is closed on Ubuntu 26.04 (unconfined=1), which tightens the restriction to block this re-execution path entirely.
Mitigations
Red Hat has published an official security bulletin at RHSB-2026-008. Administrators are strongly urged to apply kernel patches immediately, restrict unprivileged user namespace creation via sysctl where operationally feasible, and monitor for unexpected aa-exec invocations or namespace creation events.
Organizations running kernels between v5.18 and v7.1-rc6 should treat this as a critical priority patch.
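For triage, the checks above can be scripted. The following is an added example, not code from the article, Red Hat, or the exploit author: it tests whether a kernel release string falls in the v5.18 to v7.1-rc6 window and classifies the host's user namespace posture using the distinctions the article draws. The function names are this example's own, and user.max_user_namespaces and kernel.unprivileged_userns_clone (the latter present only on Debian and Ubuntu kernels) are real sysctls that the article does not name.

```sh
#!/bin/sh
# Added example: exposure triage for the pedit COW issue (not the article's code).
# Version matching is a heuristic; distro kernels backport fixes.

# kernel_in_range RELEASE: exit 0 if RELEASE falls in v5.18 .. v7.1-rc6.
kernel_in_range() {
    local rel major minor v rc
    rel=$1
    major=${rel%%.*}
    minor=${rel#*.}; minor=${minor%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    v=$(( major * 1000 + minor ))
    [ "$v" -lt 5018 ] && return 1
    [ "$v" -gt 7001 ] && return 1
    [ "$v" -lt 7001 ] && return 0
    case "$rel" in   # 7.1: only release candidates up to rc6 are affected
        *-rc[0-9]*) rc=${rel##*-rc}; rc=${rc%%[!0-9]*}; [ "$rc" -le 6 ] ;;
        *) return 1 ;;
    esac
}

# userns_gate MAX_NS CLONE AA_USERNS AA_UNCONFINED: print the userns posture.
# An empty argument means that sysctl does not exist on the host.
userns_gate() {
    if [ "$1" = 0 ] || [ "$2" = 0 ]; then
        echo "closed"               # unprivileged userns creation disabled
    elif [ "$3" = 1 ] && [ "$4" = 1 ]; then
        echo "apparmor-closed"      # Ubuntu 26.04 posture in the article
    elif [ "$3" = 1 ]; then
        echo "apparmor-bypassable"  # Ubuntu 24.04.4 posture (unconfined=0)
    else
        echo "open"                 # RHEL and Debian defaults in the article
    fi
}

read_sysctl() { cat "/proc/sys/$(echo "$1" | tr . /)" 2>/dev/null || true; }

report() {
    local rel range
    rel=$(uname -r)
    if kernel_in_range "$rel"; then range="in affected range"; else range="outside affected range"; fi
    echo "kernel $rel: $range; userns gate: $(userns_gate \
        "$(read_sysctl user.max_user_namespaces)" \
        "$(read_sysctl kernel.unprivileged_userns_clone)" \
        "$(read_sysctl kernel.apparmor_restrict_unprivileged_userns)" \
        "$(read_sysctl kernel.apparmor_restrict_unprivileged_unconfined)")"
}
report
```

A result of "in affected range" only means the version number falls inside the window; whether a given distribution kernel carries the fix is decided by the vendor advisory.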
The post New Linux pedit COW Exploit Allows Attackers to Gain System Root Access appeared first on Cyber Security News.
Guru Baran