threat-wire

Public Exploit Turns a Linux Kernel Flaw Into Instant Root

A new Linux kernel flaw, CVE-2026-46331 or 'pedit COW', lets any logged-in user become root, and a working exploit went public within a day of the patch. It corrupts a cached copy of a system binary in memory, so file-integrity tools see nothing wrong. Shared servers, CI runners, and Kubernetes nodes are the systems most at risk.

By SecureBusinessHub Editorial, International cybersecurity desk · 5 min read

A patch that looked routine has turned into one of the more dangerous Linux bugs of the year. CVE-2026-46331, nicknamed pedit COW, lets a local unprivileged user climb all the way to root. A working exploit appeared on GitHub within a day of the CVE being assigned on 16 June, and Red Hat rates the flaw as Important. If untrusted people can log in to a Linux box you run, this one matters.

How it works without touching disk

The bug sits in the kernel's traffic-control subsystem, in the packet-editing action act_pedit. That code is meant to copy the packet data before editing it, the standard copy-on-write pattern, but it checks the writable range before some edit operations have resolved their final offset. When the offset is worked out later, the write can fall outside the private copy and land in a shared page-cache page instead. If that page holds a cached file, the file's in-memory image is now corrupted while the copy on disk is untouched.

The exploit uses this to poison the cached copy of /bin/su, a setuid-root binary that any user may execute. It writes a small payload into the in-memory image and then runs su, which executes the payload as root. The file on disk is never modified, so file-integrity monitoring compares the on-disk binary against its baseline and comes back clean while a root shell is already open. Because the corruption lives only in the page cache, it also does not survive a reboot, by which point the attacker has already had root. That is what makes it nasty: the usual tripwire never fires and the evidence is gone once the page is evicted. Detection has to look elsewhere, for example at act_pedit being loaded on a host where nobody configures tc.

Am I running an exposed system?

Two conditions have to be true. The act_pedit module must be loadable, and unprivileged user namespaces must be open, which is what hands an ordinary user the namespace-local CAP_NET_ADMIN the bug needs. The exploit author confirmed unprivileged-to-root on RHEL 10 and Debian 13 (trixie), where user namespaces are open by default. Ubuntu 24.04 needed a specific AppArmor path, and Ubuntu 26.04 blocks the default route, though its kernel is still vulnerable underneath.

  • Check whether the vulnerable module is present, not just loaded. lsmod | grep act_pedit shows it is loaded now; modprobe -n -v act_pedit (a dry run) shows whether a tc request could load it on demand, which is all the exploit needs. Only an install rule in /etc/modprobe.d, or a kernel built without the module, makes it unloadable; a blacklist line alone does not stop a load by exact name.
  • Check whether unprivileged user namespaces are open. On Debian and Ubuntu read sysctl kernel.unprivileged_userns_clone; on RHEL, and as a second check on Debian and Ubuntu, read sysctl user.max_user_namespaces. Non-zero values mean the exploit precondition is met. Ubuntu 24.04's kernel.apparmor_restrict_unprivileged_userns=1 is the AppArmor restriction referred to above; it narrows the route, but the exploit author still found a way through on 24.04, so do not count it as a fix.
  • Match your running kernels against your vendor advisory: Red Hat RHSB-2026-008, plus the Debian and Ubuntu trackers for CVE-2026-46331.
  • Prioritise multi-tenant hosts, CI/CD runners, Kubernetes nodes, build workers, and shared lab machines, where untrusted accounts already exist.

Patch, or break the chain

The real fix is the patched kernel and a reboot. If you cannot patch immediately, you can break the exploit chain in either of two ways. On systems that do not use tc pedit rules, stop the module loading by adding 'install act_pedit /bin/true' to a file in /etc/modprobe.d, and unload it with modprobe -r act_pedit if it is already in memory; this does nothing on a kernel with act_pedit built in, where only the patch helps. Or close unprivileged user namespaces by setting the relevant sysctl to zero (kernel.unprivileged_userns_clone on Debian and Ubuntu, user.max_user_namespaces on RHEL), persisted under /etc/sysctl.d, which removes the capability the exploit relies on. That second option breaks rootless containers, some CI sandboxes, and sandboxed browsers, so test before you push it out. Neither workaround fixes the kernel; each only takes away the route the public exploit uses.
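The exposure checks and the two workarounds above, collected into one script. This is an example written for this article, not tooling from the advisory, the exploit author or any vendor; the file names /etc/modprobe.d/pedit-cow.conf and /etc/sysctl.d/99-pedit-cow.conf are arbitrary choices, and the exposed/not-exposed classification is a reading of the two preconditions the article states, not a vulnerability scan.

```sh
#!/bin/sh
# pedit-cow-check.sh: does this host meet both exploit preconditions, and
# optionally apply ONE of the two chain-breaking workarounds.
# Example script written for this article (hypothetical file names below);
# it reads /proc/sys directly so it does not depend on the sysctl binary.

# Decide from the two kernel knobs whether an ordinary user can create a user
# namespace (and so obtain namespace-local CAP_NET_ADMIN).
#   $1 = kernel.unprivileged_userns_clone, empty where the kernel lacks it
#   $2 = user.max_user_namespaces,         empty where CONFIG_USER_NS is off
# Returns 0 when open, 1 when closed.
userns_open() {
    clone=$1
    maxns=$2
    # No namespace limit knob at all: user namespaces are compiled out.
    [ -n "$maxns" ] || return 1
    # Debian/Ubuntu master switch at 0 closes the door whatever the limit says.
    if [ -n "$clone" ] && [ "$clone" -eq 0 ]; then return 1; fi
    # Otherwise the limit decides: 0 forbids creation, anything else allows it.
    [ "$maxns" -ne 0 ]
}

# Classify act_pedit as loaded | loadable | blocked | absent.
module_status() {
    if lsmod 2>/dev/null | grep -q '^act_pedit[[:space:]]'; then
        echo loaded; return 0
    fi
    # Dry run: prints what a load would do. An "install ..." line means a
    # modprobe.d rule intercepts the load (the workaround below). A built-in
    # act_pedit prints nothing and shows as loadable; only the patch helps there.
    if out=$(modprobe -n -v act_pedit 2>/dev/null); then
        case $out in
            *install*) echo blocked ;;
            *)         echo loadable ;;
        esac
    else
        echo absent
    fi
}

# Both preconditions must hold for the public exploit to work.
verdict() {   # $1 = module status, $2 = open|closed
    case "$1:$2" in
        loaded:open|loadable:open) echo EXPOSED ;;
        *)                         echo NOT-EXPOSED ;;
    esac
}

read_knob() { cat "/proc/sys/$1" 2>/dev/null || true; }

report() {
    clone=$(read_knob kernel/unprivileged_userns_clone)
    maxns=$(read_knob user/max_user_namespaces)
    if userns_open "$clone" "$maxns"; then ns=open; else ns=closed; fi
    mod=$(module_status)
    echo "kernel:        $(uname -r)"
    echo "act_pedit:     $mod"
    echo "unpriv userns: $ns (unprivileged_userns_clone=${clone:-n/a}, max_user_namespaces=${maxns:-n/a})"
    aa=$(read_knob kernel/apparmor_restrict_unprivileged_userns)
    [ -n "$aa" ] && echo "apparmor userns restriction: $aa (Ubuntu; narrows the route, not a fix)"
    echo "verdict:       $(verdict "$mod" "$ns")  (either way, the patched kernel is still required)"
}

# Pick ONE:
#   module - stop act_pedit loading (only where no tc pedit rules are in use)
#   userns - close unprivileged user namespaces (breaks rootless containers,
#            some CI sandboxes and sandboxed browsers; test first)
mitigate() {
    [ "$(id -u)" -eq 0 ] || { echo "mitigate needs root" >&2; return 1; }
    case $1 in
        module)
            printf 'install act_pedit /bin/true\n' > /etc/modprobe.d/pedit-cow.conf
            # An already-loaded module must be removed too; this fails if tc
            # rules still reference it, which is the signal not to use this option.
            if lsmod | grep -q '^act_pedit[[:space:]]'; then modprobe -r act_pedit; fi
            ;;
        userns)
            if [ -f /proc/sys/kernel/unprivileged_userns_clone ]; then
                knob=kernel.unprivileged_userns_clone      # Debian, Ubuntu
            else
                knob=user.max_user_namespaces              # RHEL and others
            fi
            printf '%s = 0\n' "$knob" > /etc/sysctl.d/99-pedit-cow.conf
            sysctl -p /etc/sysctl.d/99-pedit-cow.conf    # apply now and on every boot
            ;;
        *) echo "usage: $0 mitigate module|userns" >&2; return 1 ;;
    esac
}

case ${1:-} in
    check)    report ;;
    mitigate) mitigate "${2:-}" ;;
    *)        echo "usage: $0 check | mitigate module|userns" >&2 ;;
esac
```

Run `sh pedit-cow-check.sh check` as any user to get the verdict; `mitigate` needs root and writes one persistent config file so the workaround survives a reboot. NOT-EXPOSED means the public exploit's route is closed on this host, not that the kernel is fixed.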

One thing is worth saying plainly. This is the same shape as Dirty Pipe and the recent DirtyClone flaw: a kernel fast path writes into a page it does not own, and the page cache takes the hit. The exploitable detail sat on a public mailing list for weeks before a CVE existed, and the weaponised proof of concept followed the patch within a day. Waiting for a scanner signature is too slow for this class of bug. If a host was exposed, assume it was reached and rebuild it.