New Linux pedit COW Exploit Allows Attackers to Gain System Root Access
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A newly disclosed Linux kernel vulnerability combining a Copy-on-Write (COW) page-cache corruption flaw with the The exploit, dubbed packet_edit_meme<\/a>, has been verified in June 2026 against actively maintained enterprise and consumer kernels.<\/p>\n The root cause is a partial-COW page-cache corruption bug introduced in kernel commit The attack chain works by spawning a user namespace child process with The exploit then leverages the COW corruption primitive to overwrite the page-cached ELF entry point<\/strong> of the setuid-root binary This is the fourth recent privilege escalation vulnerability disclosed in Linux systems.<\/p>\n Verified testing confirms exploitation success on multiple widely deployed distributions:<\/p>\n RHEL and Debian are immediately vulnerable with no flags required, as both ship with unprivileged user namespaces open by default. Notably, RHEL lacks Ubuntu enforces two sysctls that restrict unprivileged user namespace creation:<\/p>\n The This bypass works on Ubuntu 24.04.4 ( Red Hat has published an official security bulletin at RHSB-2026-008<\/a>. Administrators are strongly urged to apply kernel patches immediately, restrict unprivileged user namespace creation via sysctl where operationally feasible, and monitor for unexpected Organizations running kernels between v5.18 and v7.1-rc6 should treat this as a critical priority patch.<\/p>\n Upgrade your proactive defense against attacks. Access\u00a05 proven threat hunting tactics<\/a>\u00a0you can deploy in your SOC<\/strong><\/strong><\/strong>.<\/strong><\/p>\n The post New Linux pedit COW Exploit Allows Attackers to Gain System Root Access<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nnet\/sched<\/code> subsystem\u2019s act_pedit<\/code> component is enabling unprivileged local attackers to escalate privileges to full root access on several major Linux distributions.<\/p>\n899ee91156e5<\/code>, present across Linux kernel versions v5.18 through v7.1-rc6 and patched in v7.1-rc7. The flaw resides in the net\/sched act_pedit<\/code> subsystem, a traffic editing component of the Linux traffic control (tc) framework.<\/p>\nCAP_NET_ADMIN<\/code> capabilities \u2014 a permission reachable by unprivileged users on systems where unprivileged user namespaces are enabled by default.<\/p>\n\/bin\/su<\/code>, injecting shellcode that executes setgid(0)<\/code> + setuid(0)<\/code> + execve(\"\/bin\/sh\")<\/code> \u2014 delivering a root shell to the attacker.<\/p>\n\n\n
\n \nVulnerability<\/th>\n CVE<\/th>\n Disclosed<\/th>\n Subsystem<\/th>\n Write Primitive<\/th>\n Root Required?<\/th>\n<\/tr>\n<\/thead>\n \n Copy Fail<\/a><\/strong><\/td>\n CVE-2026-31431<\/td>\n April 30, 2026<\/td>\n \n algif_aead<\/code> (AF_ALG crypto)<\/td>\n4-byte page-cache write<\/td>\n No<\/td>\n<\/tr>\n \n DirtyFrag<\/a><\/strong><\/td>\n CVE-2026-43284 \/ CVE-2026-43500<\/td>\n May 8, 2026<\/td>\n IPsec ESP (xfrm) + RxRPC<\/td>\n Full write primitive (chained)<\/td>\n No<\/td>\n<\/tr>\n \n Fragnesia<\/a><\/strong><\/td>\n CVE-2026-46300<\/td>\n May 14, 2026<\/td>\n XFRM ESP-in-TCP<\/td>\n Arbitrary byte write<\/td>\n No<\/td>\n<\/tr>\n \n pedit COW<\/strong><\/td>\n CVE-2026-46331<\/td>\n June 26, 2026<\/td>\n net\/sched act_pedit<\/code><\/td>\nOut-of-bounds page-cache write<\/td>\n No<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n Affected Distributions<\/strong><\/h2>\n
\n\n
\n \nDistribution<\/th>\n Kernel<\/th>\n Flag<\/th>\n Result<\/th>\n<\/tr>\n<\/thead>\n \n RHEL 10.0<\/td>\n 6.12.0-228.el10<\/td>\n None<\/td>\n ROOT<\/strong><\/td>\n<\/tr>\n \n Debian 13 (Trixie)<\/td>\n 6.12.90+deb13.1<\/td>\n None<\/td>\n ROOT<\/strong><\/td>\n<\/tr>\n \n Ubuntu 24.04.4<\/td>\n 6.17.0-22<\/td>\n --ubuntu<\/code><\/td>\nROOT<\/strong><\/td>\n<\/tr>\n \n Ubuntu 26.04<\/td>\n 7.0.0-14-generic<\/td>\n --ubuntu<\/code><\/td>\nFAIL<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n cls_basic<\/code> and em_meta<\/code> modules, but the exploit automatically falls back to matchall<\/code> to deliver the same corruption primitive.<\/p>\n\n
kernel.apparmor_restrict_unprivileged_userns<\/code> \u2014 blocks unconfined userns creation<\/li>\nkernel.apparmor_restrict_unprivileged_unconfined<\/code> \u2014 prevents aa-exec<\/code> permissive profiles from shedding the restriction<\/li>\n<\/ul>\n--ubuntu<\/code> flag re-executes the exploit via aa-exec<\/code> using permissive profiles such as trinity<\/code>, chrome<\/code>, or flatpak<\/code> \u2014 which carry a userns<\/code> rule \u2014 effectively bypassing the AppArmor gate.<\/p>\nunconfined=0<\/code>) but is closed on Ubuntu 26.04 (unconfined=1<\/code>), which tightens the restriction to block this re-execution path entirely.<\/p>\nMitigations<\/strong><\/h2>\n
aa-exec<\/code> invocations or namespace creation events.<\/p>\n