New Critical Linux Vulnerability Enables Root Privilege Escalation


A newly disclosed Linux kernel vulnerability, dubbed pedit COW, is giving threat actors a fast path to root access by silently poisoning cached system binaries in memory without modifying the files stored on disk.

Tracked as CVE-2026-46331, the flaw affects the Linux kernel’s traffic control (tc) subsystem and has rapidly become one of the most closely watched local privilege escalation vulnerabilities of 2026, after a working proof-of-concept exploit was released shortly after public disclosure. Security researchers warn that systems allowing unprivileged user namespaces, combined with the vulnerable act_pedit kernel module, are particularly exposed.

Unlike many privilege escalation flaws that rely on overwriting binaries or exploiting race conditions in user space, pedit COW abuses a memory corruption bug inside the Linux kernel to modify the in-memory cached version of privileged executables. As a result, attackers can execute altered versions of setuid-root binaries while the original files remain untouched on disk, allowing conventional file integrity monitoring tools to report no signs of tampering despite the system already being compromised. Security researchers say the technique represents another evolution in a growing class of Linux page-cache corruption vulnerabilities that have emerged over recent years.

Vulnerability resides in Linux traffic control subsystem

The vulnerability exists within the Linux kernel’s networking stack, specifically the traffic control (tc) framework used to manage packet scheduling, shaping, filtering, and modification. One of tc’s features, known as pedit (packet editor), enables administrators to rewrite packet headers while traffic is in transit.

At the center of the issue is the kernel function tcf_pedit_act(), responsible for applying these packet modifications. Under normal circumstances, Linux employs a copy-on-write (COW) mechanism before modifying packet data, ensuring that any changes occur on a private memory copy rather than shared memory pages.

However, according to the upstream kernel fix, the vulnerable implementation calculated the writable memory range before the runtime offsets associated with typed packet-editing keys were fully resolved. Because of this miscalculation, later writes could extend beyond the privately copied region and land on shared page-cache memory instead of the isolated copy. Kernel developers addressed the flaw by moving the copy-on-write operation inside the per-key processing loop, where the actual write offsets are known, and by adding bounds and overflow validation.


Exploit corrupts cached binaries instead of files on disk

Researchers behind the public proof-of-concept demonstrated that the vulnerability can be leveraged to poison the page-cache copy of privileged executables such as /bin/su.

Instead of modifying the binary stored on persistent storage, the exploit injects malicious code directly into the kernel’s cached copy held in memory. When the executable is launched, Linux loads the manipulated cached image, granting attackers root privileges while the original binary continues to appear unmodified.

Because the disk image remains intact, traditional integrity verification tools—including checksum validation and file monitoring solutions—may fail to detect the compromise. By the time defenders inspect the filesystem, the attacker may already have obtained a persistent root shell.

Researchers note that flushing the page cache removes the corrupted cached image but does not eliminate any privileged processes or persistence mechanisms already established by an attacker. Consequently, systems believed to have been exploited should be treated as fully compromised and investigated accordingly.
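A defender-side check for the symptom described above, added here as an example (not the article's or the PoC authors' code): it hashes each setuid binary twice, once through the page cache and once with O_DIRECT, and flags any difference. It assumes GNU coreutils and a filesystem that honours O_DIRECT; the default file list comes from a find over local filesystems.

```shell
#!/bin/sh
# Compare the page-cache view of a setuid binary with its on-disk bytes. A normal
# read is served from the page cache (where a poisoned image would live); a read
# opened with O_DIRECT bypasses it. Added example, not from the article or the
# PoC authors; the filesystem must honour O_DIRECT for the check to be conclusive.

# SHA-256 of the file as the page cache presents it (what execve will map).
cached_digest() { sha256sum "$1" | cut -d' ' -f1; }

# SHA-256 of the on-disk bytes. dd iflag=direct opens with O_DIRECT; the copy
# goes through a temp file because a pipeline would mask dd's failure.
# Returns 1 and prints nothing where O_DIRECT is rejected (tmpfs, some overlays).
direct_digest() {
  t=$(mktemp) || return 1
  if dd if="$1" of="$t" iflag=direct bs=4096 2>/dev/null; then
    sha256sum "$t" | cut -d' ' -f1; rm -f "$t"
  else
    rm -f "$t"; return 1
  fi
}

# One-line verdict per file: OK, MISMATCH (cache differs from disk) or SKIP.
check_binary() {
  [ -r "$1" ] || { echo "SKIP $1 (unreadable)"; return 0; }
  c=$(cached_digest "$1")
  d=$(direct_digest "$1") || { echo "SKIP $1 (O_DIRECT unsupported)"; return 0; }
  if [ "$c" = "$d" ]; then echo "OK $1"; else echo "MISMATCH $1 cache=$c disk=$d"; fi
}

# Check every setuid-root file on local filesystems (or the list given in $1).
# The expansion is deliberately unquoted so the list splits into file names.
scan_setuid() {
  for f in ${1:-$(find / -xdev -perm -4000 -type f 2>/dev/null)}; do
    check_binary "$f"
  done
}

# Evicts a poisoned image (needs root); it does not undo anything already done
# with the root shell it provided, so the host is still treated as compromised.
flush_page_cache() { sync && echo 3 > /proc/sys/vm/drop_caches; }

case "${1:-}" in scan) scan_setuid "${2:-}" ;; esac
```

Run it as `sh check.sh scan` to walk all setuid binaries, or pass an explicit list as the second argument.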

Public exploit appeared within a day of disclosure

The speed at which exploitation became available has intensified concerns among defenders.

Kernel developers initially submitted the underlying fix to the Linux networking (netdev) mailing list as what appeared to be a routine data corruption correction rather than a security issue. The vulnerability later received the identifier CVE-2026-46331 when the patch was merged into the kernel on June 16, 2026. Within roughly twenty-four hours, researchers published a fully functional proof-of-concept capable of demonstrating local privilege escalation on multiple Linux distributions.

The rapid transition from patch publication to weaponized exploit illustrates a recurring challenge for Linux defenders: technically detailed upstream patches often reveal exploitable vulnerabilities before many organizations have applied updates or vulnerability scanners begin flagging affected systems.

Attack prerequisites limit remote exploitation but remain significant

The vulnerability cannot be exploited remotely on its own, but a successful attack requires only local code execution on a system with a specific configuration.

Researchers identified two primary prerequisites:

  • The act_pedit kernel module must be available or loadable.
  • The system must permit unprivileged user namespaces, enabling attackers to obtain namespace-scoped CAP_NET_ADMIN privileges required to configure vulnerable traffic control actions.

These conditions are relatively common on systems supporting containerized workloads, development environments, rootless container runtimes, and shared Linux infrastructure.

Security researchers successfully reproduced local-to-root privilege escalation against Red Hat Enterprise Linux 10 and Debian 13 (Trixie) under default configurations. Ubuntu systems present a more nuanced picture. While Ubuntu 24.04 could still be exploited by operating within AppArmor configurations that permit user namespaces, Ubuntu 26.04’s default AppArmor restrictions block the published exploitation path despite the underlying kernel vulnerability remaining present until patched.

Vendors release advisories and patches

Major Linux vendors have begun publishing security advisories addressing the vulnerability.

According to Red Hat, the issue has been classified as an Important security vulnerability affecting supported RHEL 8, RHEL 9, and RHEL 10 releases, while RHEL 7 is not listed among affected products. Debian has issued security updates for Debian 13 (Trixie), while older Debian releases remained vulnerable pending additional updates at the time of publication. Ubuntu’s security tracking pages similarly identified multiple supported releases as affected until updated kernel packages become available. The vulnerability has also been incorporated into the National Vulnerability Database following publication by kernel.org.

Latest addition to growing family of Linux page-cache attacks

Security researchers have compared pedit COW to previous Linux kernel vulnerabilities that similarly abused flaws in copy-on-write or page-cache handling.

Earlier high-profile vulnerabilities—including Dirty COW (CVE-2016-5195), Dirty Pipe, and other page-cache corruption issues—shared a common design weakness: privileged kernel operations inadvertently wrote into shared memory pages rather than isolated copies, creating opportunities for local privilege escalation.

While the underlying implementation differs, researchers say pedit COW demonstrates that page-cache corruption continues to represent a recurring attack surface inside the Linux kernel, particularly when performance optimizations interact with complex memory management mechanisms.

Recommended mitigations

Security teams are advised to prioritize deployment of vendor-supplied kernel updates followed by a full system reboot to ensure vulnerable kernel code is replaced.

Where immediate patching is not feasible, researchers recommend temporarily disabling the act_pedit kernel module on systems that do not rely on packet-editing traffic control rules. Administrators may also consider disabling unprivileged user namespaces, although doing so can impact rootless container platforms, continuous integration environments, browser sandboxes, and other modern Linux workloads.
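The prerequisites listed earlier and the interim mitigations above, as an added shell example (not the article's or any vendor's script): it reports the state of act_pedit and unprivileged user namespaces, gives a verdict, and applies the two mitigations. It assumes the current Debian/Ubuntu and upstream sysctl names; the AppArmor namespace restriction the article mentions for Ubuntu is reported but not modelled in the verdict.

```shell
#!/bin/sh
# Exposure check for the two prerequisites above, plus the interim mitigations.
# Added example, not from the article or a vendor advisory. Assumes today's
# Debian/Ubuntu and upstream sysctl knobs; needs root only for the mitigations.

# act_pedit state: "loaded", "loadable" (modprobe can resolve it) or "absent".
pedit_module_state() {
  if grep -q '^act_pedit ' /proc/modules 2>/dev/null; then echo loaded
  elif modprobe -n -q act_pedit 2>/dev/null; then echo loadable   # dry run only
  else echo absent
  fi
}

# "yes" if an unprivileged user can create a user namespace, else "no".
# kernel.unprivileged_userns_clone is a Debian/Ubuntu knob (absent upstream, so
# treated as permitted); user.max_user_namespaces=0 disables them for everyone.
unpriv_userns_allowed() {
  clone=$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null || echo 1)
  max=$(sysctl -n user.max_user_namespaces 2>/dev/null || echo 1)
  if [ "$clone" = 1 ] && [ "$max" != 0 ]; then echo yes; else echo no; fi
}
# Pure verdict so it can be unit-tested: EXPOSED, NOT-EXPOSED or UNKNOWN.
assess_exposure() {   # $1 = module state, $2 = yes|no
  case "$1:$2" in
    absent:*)                echo NOT-EXPOSED ;;   # nothing for tc to load
    *:no)                    echo NOT-EXPOSED ;;   # no namespace-scoped CAP_NET_ADMIN
    loaded:yes|loadable:yes) echo EXPOSED ;;
    *)                       echo UNKNOWN ;;
  esac
}
# Mitigation 1: block act_pedit. A "blacklist" line does not stop kernel-initiated
# autoload (request_module from tc); an "install ... /bin/false" line does.
disable_act_pedit() {
  printf 'install act_pedit /bin/false\n' > /etc/modprobe.d/disable-act_pedit.conf
  if grep -q '^act_pedit ' /proc/modules; then rmmod act_pedit; fi   # fails while rules use it
}
# Mitigation 2 (heavier: breaks rootless containers, CI sandboxes, browser sandboxes).
disable_unpriv_userns() {
  sysctl -w kernel.unprivileged_userns_clone=0 2>/dev/null \
    || sysctl -w user.max_user_namespaces=0
}
# Ubuntu's AppArmor userns restriction (which the article says blocks the
# published path on 26.04) is reported but not folded into the verdict.
report() {
  m=$(pedit_module_state); u=$(unpriv_userns_allowed)
  aa=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns 2>/dev/null || echo n/a)
  echo "act_pedit=$m unpriv_userns=$u apparmor_userns_restrict=$aa verdict=$(assess_exposure "$m" "$u")"
}
case "${1:-}" in report) report ;; esac
```

Run `sh exposure.sh report` to get a one-line status; call `disable_act_pedit` or `disable_unpriv_userns` as root only after confirming no tc pedit rules or namespace-dependent workloads are in use.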

Organizations operating multi-user servers, Kubernetes clusters, CI/CD runners, academic computing environments, cloud infrastructure, and other systems where local users cannot be fully trusted are encouraged to prioritize remediation due to the vulnerability’s ability to provide complete system compromise from a standard user account.

The emergence of pedit COW once again highlights how seemingly routine kernel maintenance patches can conceal high-impact security flaws. As security researchers continue analyzing Linux kernel updates for exploitable conditions, defenders are increasingly encouraged to monitor upstream development activity alongside traditional vulnerability advisories to reduce exposure before public exploits become available.
