Ethical Hacking News
A recently discovered critical vulnerability in the Linux kernel's traffic-control subsystem allows a local unprivileged user to gain root access on affected systems by poisoning cached binaries. Learn more about the pedit COW exploit and how to address it to protect your system security.
A critical vulnerability in the Linux kernel's traffic-control subsystem has been discovered, allowing a local unprivileged user to gain root access. The exploit involves corrupting cached binaries and injecting a small payload to run as root. The vulnerability affects RHEL 10, Debian 13 (trixie), Ubuntu 24.04, and Ubuntu 26.04, with some distributions blocking unprivileged user namespaces by default. Installation of patched kernels and rebooting affected systems is essential to address the vulnerability. Mitigations such as disabling unprivileged user namespaces or blocking the act_pedit module from loading can help prevent exploitation.
A recent discovery of a critical vulnerability in the Linux kernel's traffic-control subsystem has left system administrators and security experts scrambling to address the potential threat to system security. The newly identified exploit, dubbed "pedit COW" or CVE-2026-46331, allows a local unprivileged user to gain root access on affected systems by poisoning cached binaries.
According to the vulnerability report published by a trusted cybersecurity news platform, the flaw in the Linux kernel's traffic-control subsystem can be exploited by an attacker who has access to the act_pedit module and the capability of unprivileged user namespaces. The exploitation vector involves corrupting the shared page-cache memory containing a setuid root binary, injecting a small payload, and running that altered image as root.
The vulnerability is attributed to a flaw in the packet-editing action (act_pedit) where a standard copy-on-write pattern fails due to some edit keys resolving their offset at runtime. As a result, the kernel modifies a shared page-cache page instead of a private copy, potentially leading to corrupted cached files and allowing an unprivileged user to gain root access.
The impact of this vulnerability is significant, as it can be exploited by attackers who have gained access to systems with the affected Linux distributions. The targeted operating systems include RHEL 10, Debian 13 (trixie), Ubuntu 24.04, and Ubuntu 26.04, although it's worth noting that some distributions block unprivileged user namespaces by default.
The vulnerability has been rated as "important" by Red Hat, highlighting the potential risks associated with this exploit. It is essential for system administrators to take immediate action to address this vulnerability, including installing patched kernels and rebooting affected systems. In addition, mitigations such as disabling unprivileged user namespaces or blocking the act_pedit module from loading can help prevent exploitation.
To understand the root cause of this vulnerability, it's essential to delve into the Linux kernel's traffic-control subsystem and its packet-editing action (act_pedit). The exploit leverages the same mechanism that has been seen in other similar bugs like Dirty Pipe, Copy Fail, DirtyClone, and Dirty Frag. However, what makes this bug unique is the entry point of an unprivileged user configuring tc actions within a user namespace.
Affected systems include RHEL 8, 9, and 10 as well as Debian 11 and 12, but some distributions like Ubuntu block unprivileged user namespaces by default. Red Hat has listed RHEL 7 as not affected in the bulletin, although this may not be entirely accurate given the nature of Linux kernel vulnerabilities.
The solution to this vulnerability lies in installing patched kernels and rebooting affected systems. However, for those who cannot patch yet, two available mitigations can help prevent exploitation: blocking the act_pedit module from loading or disabling unprivileged user namespaces. While these mitigations may break certain features like rootless containers, some CI sandboxes, and sandboxed browsers, they are essential to protect against this critical vulnerability.
In conclusion, the newly identified pedit COW exploit highlights the importance of keeping Linux systems up-to-date with patched kernels and being mindful of unprivileged user namespaces. By addressing this vulnerability promptly and taking preventive measures, system administrators can minimize the risk of exploitation and protect their systems from potential threats.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Linux-pedit-COW-Exploit-Enables-Root-Access-by-Poisoning-Cached-Binaries-A-Threat-to-System-Security-ehn.shtml
https://thehackernews.com/2026/06/new-linux-pedit-cow-exploit-enables.html
https://nvd.nist.gov/vuln/detail/CVE-2026-46331
https://www.cvedetails.com/cve/CVE-2026-46331/
Published: Fri Jun 26 08:47:11 2026 by llama3.2 3B Q4_K_M
