New Linux pedit COW Exploit Allows Attackers to Gain System Root Access

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A newly disclosed Linux kernel vulnerability combining a Copy-on-Write (COW) page-cache corruption flaw with the net/sched subsystem’s act_pedit component is enabling unprivileged local attackers to escalate privileges to full root access on several major Linux distributions.

The exploit, dubbed packet_edit_meme, has been verified in June 2026 against actively maintained enterprise and consumer kernels.

The root cause is a partial-COW page-cache corruption bug introduced in kernel commit 899ee91156e5, present across Linux kernel versions v5.18 through v7.1-rc6 and patched in v7.1-rc7. The flaw resides in the net/sched act_pedit subsystem, a traffic editing component of the Linux traffic control (tc) framework.

The attack chain works by spawning a user namespace child process with CAP_NET_ADMIN capabilities — a permission reachable by unprivileged users on systems where unprivileged user namespaces are enabled by default.

The exploit then leverages the COW corruption primitive to overwrite the page-cached ELF entry point of the setuid-root binary /bin/su, injecting shellcode that executes setgid(0) + setuid(0) + execve("/bin/sh") — delivering a root shell to the attacker.

This is the fourth recent privilege escalation vulnerability disclosed in Linux systems.

| Vulnerability | CVE | Disclosed | Subsystem | Write Primitive | Root Required? |
|---|---|---|---|---|---|
| Copy Fail | CVE-2026-31431 | April 30, 2026 | algif_aead (AF_ALG crypto) | 4-byte page-cache write | No |
| DirtyFrag | CVE-2026-43284 / CVE-2026-43500 | May 8, 2026 | IPsec ESP (xfrm) + RxRPC | Full write primitive (chained) | No |
| Fragnesia | CVE-2026-46300 | May 14, 2026 | XFRM ESP-in-TCP | Arbitrary byte write | No |
| pedit COW | CVE-2026-46331 | June 26, 2026 | net/sched act_pedit | Out-of-bounds page-cache write | No |

Affected Distributions

Verified testing confirms exploitation success on multiple widely deployed distributions:

| Distribution | Kernel | Flag | Result |
|---|---|---|---|
| RHEL 10.0 | 6.12.0-228.el10 | None | ROOT |
| Debian 13 (Trixie) | 6.12.90+deb13.1 | None | ROOT |
| Ubuntu 24.04.4 | 6.17.0-22 | --ubuntu | ROOT |
| Ubuntu 26.04 | 7.0.0-14-generic | --ubuntu | FAIL |

RHEL and Debian are immediately vulnerable with no flags required, as both ship with unprivileged user namespaces open by default. Notably, RHEL lacks cls_basic and em_meta modules, but the exploit automatically falls back to matchall to deliver the same corruption primitive.

Ubuntu enforces two sysctls that restrict unprivileged user namespace creation:

  • kernel.apparmor_restrict_unprivileged_userns — blocks unconfined userns creation
  • kernel.apparmor_restrict_unprivileged_unconfined — prevents aa-exec permissive profiles from shedding the restriction

The --ubuntu flag re-executes the exploit via aa-exec using permissive profiles such as trinity, chrome, or flatpak — which carry a userns rule — effectively bypassing the AppArmor gate.

This bypass works on Ubuntu 24.04.4 (unconfined=0) but is closed on Ubuntu 26.04 (unconfined=1), which tightens the restriction to block this re-execution path entirely.

Mitigations

Red Hat has published an official security bulletin, RHSB-2026-008. Administrators are strongly urged to apply kernel patches immediately, restrict unprivileged user namespace creation via sysctl where operationally feasible, and monitor for unexpected aa-exec invocations or namespace creation events.

Organizations running kernels between v5.18 and v7.1-rc6 should treat this as a critical priority patch.
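
A triage check for the mitigations above, added here as an example and not taken from the article or any vendor tooling: it reports whether the running kernel's base version falls in the v5.18 to v7.1-rc6 range and how open unprivileged user namespaces are. The function names are hypothetical, and user.max_user_namespaces and kernel.unprivileged_userns_clone are existing sysctls the article does not name; the version test is a heuristic because distribution kernels backport fixes.

```shell
# Added example, not from the article. Heuristic only: distro kernels
# backport fixes, so confirm the fixed package against the vendor advisory.

# kernel_in_range RELEASE: exit 0 if the upstream base version is inside
# the range the article gives (v5.18 through v7.1-rc6), else exit 1.
kernel_in_range() {
    rel=$1; major=${rel%%.*}; rest=${rel#*.}; minor=${rest%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$minor" ] || return 1
    ver=$((major * 1000 + minor))
    [ "$ver" -lt 5018 ] && return 1
    [ "$ver" -lt 7001 ] && return 0
    [ "$ver" -gt 7001 ] && return 1   # else 7.1: only rc1..rc6 are in range
    case "$rel" in
        *-rc[1-6]|*-rc[1-6][!0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# userns_state MAXNS CLONE AA_USERNS AA_UNCONFINED: prints closed,
# restricted, restricted-weak or open. Empty argument = sysctl absent.
userns_state() {
    if [ "$1" = 0 ] || [ "$2" = 0 ]; then
        echo closed
    elif [ "$3" = 1 ] && [ "$4" = 1 ]; then
        echo restricted
    elif [ "$3" = 1 ]; then
        echo restricted-weak    # aa-exec profile path remains, per the article
    else
        echo open
    fi
}

assess() {  # RELEASE MAXNS CLONE AA_USERNS AA_UNCONFINED: one-line verdict
    state=$(userns_state "$2" "$3" "$4" "$5")
    if ! kernel_in_range "$1"; then
        echo "out-of-range: kernel $1"
    elif [ "$state" = open ] || [ "$state" = restricted-weak ]; then
        echo "at-risk: kernel $1 in range, userns $state"
    else
        echo "reduced: kernel $1 in range, userns $state"
    fi
}

rd() { cat "/proc/sys/$1" 2>/dev/null || true; }  # empty when sysctl absent

assess "$(uname -r)" "$(rd user/max_user_namespaces)" \
    "$(rd kernel/unprivileged_userns_clone)" \
    "$(rd kernel/apparmor_restrict_unprivileged_userns)" \
    "$(rd kernel/apparmor_restrict_unprivileged_unconfined)"
```

A "reduced" verdict still calls for the kernel update; it only means the unprivileged namespace path described in the article is restricted on that host.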

The post New Linux pedit COW Exploit Allows Attackers to Gain System Root Access appeared first on Cyber Security News.