Linux “pedit COW” Vulnerability Turns Local Users Into Root Without Touching Disk
Security researchers have uncovered a Linux flaw that elevates an ordinary local user to root. Remarkably, it does so without altering a single file on disk. Integrity checks may therefore reveal nothing, because the malicious change lives in a memory copy rather than in the file itself.
The vulnerability carries the identifier CVE-2026-46331 and the informal name pedit COW. It hides inside the traffic control subsystem, which governs network traffic within the Linux kernel. More precisely, the bug affects the act_pedit action, a feature that rewrites packet headers on the fly. Red Hat rated the issue as Important, and a working public exploit surfaced just one day after the CVE landed on 16 June.
What Makes pedit COW So Dangerous
The most alarming element lies in the attack method. The exploit never rewrites a file on disk, so it leaves no familiar trace in the binary. Instead, the attacker poisons the cached in-memory copy of a setuid-root program, such as /bin/su. Next, they inject a small fragment of code and launch the altered image with root privileges.
The on-disk file stays untouched. Consequently, a standard integrity scan may report a clean system, even as the attacker already holds a root shell.
Two Conditions Required
An attacker needs two ingredients. First, the system must load the act_pedit module. Second, unprivileged user namespaces must be available to ordinary users. Inside such a namespace, the attacker gains the local CAP_NET_ADMIN capability, which is enough to reach the vulnerable kernel path. On the tested RHEL and Debian systems, both conditions held true.
The Root Cause: A Copy-on-Write Flaw
The problem stems from a flawed copy-on-write implementation. The tc tool can edit packet headers through the pedit action. Before editing, the kernel function tcf_pedit_act() should first create a private copy of the data. Unfortunately, the bounds check runs too early, before the final offsets are calculated.
Here lies the catch. Some pedit rules receive their exact offset only at runtime. As a result, the write spills beyond the private copy, and the kernel modifies a shared page cache page instead of an isolated buffer. When that page belongs to a cached file, the file’s in-memory image becomes corrupted.
A Familiar Family of Bugs
In shape, the flaw resembles Dirty Pipe, Copy Fail, DirtyClone, and Dirty Frag. In every case, a fast kernel path writes to a memory page that the kernel does not exclusively own, and the page cache absorbs the blow.
However, pedit COW stands apart through its entry point. An ordinary user can configure tc actions inside a user namespace and obtain the needed CAP_NET_ADMIN, all without genuine administrative rights on the host. Indeed, a working proof-of-concept demonstrates the full chain.
Which Distributions Are Affected
The proof-of-concept author reported successful root escalation on RHEL 10 and Debian 13 trixie. On both, unprivileged user namespaces are open by default. On Ubuntu 24.04, the attack required AppArmor profiles that still permit user namespaces. Ubuntu 26.04 blocks this path by default, since its AppArmor profiles restrict unprivileged user namespaces — yet the kernel itself remains vulnerable.
Fixes vary by distribution. Debian has already patched trixie through its security channel, though Debian 11 and 12 still count as vulnerable in the original advisory. As of 25 June, Ubuntu listed every supported release from 18.04 to 26.04 as affected. Red Hat named RHEL 8, 9, and 10 among the targets, while RHEL 7 did not appear in the bulletin.
How to Defend Your Systems
The primary defense is refreshingly simple. Install the patched kernel and reboot the machine. Above all, prioritize servers where a local user does not equal a trusted user. That category includes multi-user hosts, CI/CD runners, Kubernetes nodes, build machines, research benches, and teaching labs.
Temporary Mitigations
Sometimes a fast kernel update simply is not possible. In that situation, you can break the exploitation chain in two ways.
On systems that do not need tc pedit rules, check whether the module is loaded with lsmod | grep act_pedit. Then block future loading by adding install act_pedit /bin/true to /etc/modprobe.d/disable-act_pedit.conf.
Alternatively, disable unprivileged user namespaces. RHEL uses user.max_user_namespaces=0, while Debian and Ubuntu use kernel.unprivileged_userns_clone=0. This step removes the local capability the exploit relies on. Nevertheless, it may break rootless containers, CI sandboxes, and browser isolation, so test the change on a staging machine first.
Detection and Cleanup
Because the attack targets the memory cache, ordinary file checks may miss the compromise. Flushing the page cache with echo 3 > /proc/sys/vm/drop_caches clears the corrupted in-memory copy. However, it does not close a root shell that is already open. Therefore, if the exploit could have run on a host, treat that machine as compromised.
A Lesson in Disclosure Timing
One detail deserves special attention. The patch reached the netdev mailing list back in late May, framed merely as an ordinary data-corruption fix. For several weeks, the exploitable meaning of the bug sat in plain sight, without a CVE or a dedicated security warning.
The CVE arrived only after the fix merged on 16 June, and a finished proof-of-concept followed within a day. For page cache bugs, that pace teaches a blunt lesson. Waiting for a scanner rule is simply too late.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
