← All stories
● Covered by 1 source Β· 1 reportHigh impact

Linux pedit COW Exploit Allows Root Access via Cached Binary Poisoning

Aggregated by BrevFeed security Β· updated 4d ago
πŸ”– Save

A critical flaw in the Linux kernel's traffic-control subsystem allows unprivileged users to gain root access on vulnerable systems. The exploit targets the memory cache of setuid binaries, enabling attackers to inject and execute malicious code while bypassing file integrity checks.

Key points

Overview of the pedit COW Vulnerability

CVE-2026-46331, known as 'pedit COW', is a vulnerability in the Linux kernel's traffic-control subsystem that enables local unprivileged users to achieve root access. The flaw is an out-of-bounds write in the packet-editing action (act_pedit), which corrupts shared page-cache memory.

This exploit was made public within a day after its CVE assignment on June 16, 2026, prompting immediate attention from various Linux distributions.

Mechanism of Exploit

The exploit leverages the act_pedit function, which is designed to modify packet headers in real-time. Due to a flaw in the kernel's handling of memory copying during this process, the function can inadvertently alter a shared memory page instead of a private copy, corrupting the in-memory image of binaries such as /bin/su.

The exploit's prerequisites include having act_pedit being loadable and unprivileged user namespaces being enabled, which allows attackers to utilize necessary networking capabilities.

Affected Systems and Impact

Red Hat has classified the flaw as important, highlighting its potential to compromise systems. The proof of concept has been successfully tested on Red Hat Enterprise Linux (RHEL) 10 and Debian 13, where unprivileged user namespaces are enabled by default, thus exposing these systems to exploitation.

Notably, Ubuntu 24.04 and earlier versions can be compromised through specific conditions involving AppArmor profiles. Ubuntu 26.04 has implemented stricter controls that block this method, although the underlying kernel remains vulnerable.

Mitigation and Vendor Responses

Debian has issued patches via its security channel for Debian 13, while earlier versions remain at risk. Ubuntu has acknowledged the issue but notes that fixes will vary across different supported releases. This situation underscores ongoing vulnerabilities in widely used Linux distributions, necessitating immediate updates.

✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β€” check the original sources. How BrevFeed works β†’

Reporting from

A critical flaw in the Linux kernel's traffic-control subsystem allows unprivileged users to gain root access on vulnerable systems. The exploit targets the memory cache of setuid binaries, enabling attackers to inject and execute malicious code while bypassing file integrity checks.