A newly disclosed flaw in the Linux kernel’s traffic-control subsystem lets an unprivileged local user escalate to root on affected systems. A public, working exploit appeared within a day of the CVE assignment on June 16. If you run multi-tenant servers, CI runners, or shared research machines, this one needs your attention.
The vulnerability is tracked as CVE-2026-46331 and nicknamed “pedit COW.” It’s an out-of-bounds write in the packet-editing action (act_pedit) that corrupts shared page-cache memory. The exploit works by poisoning the cached copy of a setuid root binary like /bin/su, injecting a small payload, and executing it as root. The file on disk never changes. File-integrity checks won’t catch it.
The attack requires two conditions: act_pedit being loadable, and unprivileged user namespaces being enabled. Both were present on tested RHEL and Debian targets. Ubuntu 24.04 needed routing through AppArmor profiles that still permit user namespaces, while Ubuntu 26.04 blocks the path by default.
On the mitigation side, you can block the act_pedit module from loading with a modprobe config line. Alternatively, disabling unprivileged user namespaces (user.max_user_namespaces=0 on RHEL, kernel.unprivileged_userns_clone=0 on Debian/Ubuntu) removes the capability the exploit needs. But that breaks rootless containers and some CI setups, so test before you deploy.
Prioritize patching systems where local users aren’t all trusted. Shared hosting, Kubernetes nodes, and build workers are the obvious targets. If you can’t patch yet, the module block buys you time. But a reboot to the patched kernel is the only real fix.
