
Public Exploit for 'pedit COW' Linux Flaw Puts Multi-User Hosts at Risk
A critical Linux kernel bug dubbed 'pedit COW' now has a public root exploit. Attackers can poison cached binaries to gain root. Patching is urgent, especially on shared systems.
'Pedit COW' Linux Kernel Flaw Now Under Active Exploitation
Security teams received an urgent wake-up call this week after details and a working exploit surfaced for a critical Linux kernel vulnerability, tracked as CVE-2026-46331 and dubbed "pedit COW." The flaw allows any local user on an affected system to escalate privileges and gain root access—simply by corrupting in-memory cached binaries, all while leaving files on disk untouched.
The exploit was released publicly within a day of the CVE being assigned on June 16, 2026. Now, with exploitation trivial and active attacks reported, patching has become a top priority for Linux admins, especially in multi-user or untrusted environments.
How the Exploit Works
The issue lurks within the Linux kernel's packet-editing ("pedit") code, part of the tc (traffic control) tool used for rewriting network packet headers. The core problem: a faulty copy-on-write (COW) implementation in the function tcf_pedit_act(). Ordinarily, this function should create a private, writable copy of kernel data before editing it. However, due to a logic error, it sometimes ends up writing outside the intended region when offsets are only calculated at runtime.
When that happens, the kernel modifies a shared page in the page cache—potentially the cached copy of a setuid root binary like /bin/su. The exploit takes advantage by injecting a payload into this memory region, then immediately executing the poisoned binary. The result? An unprivileged user gets a root shell, and standard file-integrity checks will show nothing amiss, since the file on disk remains clean.
This bug shares a pattern with several notorious Linux vulnerabilities—such as Dirty Pipe and Copy Fail—where the kernel mistakenly writes into data it doesn't exclusively own. What makes "pedit COW" especially dangerous is how easy the initial conditions are to meet on many distributions.
Prerequisites for Exploitation
To exploit the flaw, two main ingredients are needed:
- The act_pedit kernel module must be available (usually enabled by default).
- The attacker must have access to unprivileged user namespaces, a feature that grants the network capability needed for the attack within a namespace (namely, CAP_NET_ADMIN).
On popular Linux distributions like recent Red Hat Enterprise Linux and Debian releases, both requirements are satisfied out of the box. Ubuntu 24.04 can also be targeted if AppArmor profiles permit user namespaces, though Ubuntu 26.04 has locked this down by default.
Who Is at Risk?
Any system where "local user" does not mean "trusted user" is in the crosshairs. That includes public-facing multi-tenant servers, CI/CD runners, Kubernetes worker nodes, research lab computers, and shared build hosts. Single-user or fully trusted environments may be less exposed, but the risk is significant wherever untrusted code can be executed locally.
Debian's latest release (trixie) has issued a patch, but older versions like Debian 11 and 12 remain vulnerable at this time. Ubuntu's advisory lists supported releases from 18.04 through 26.04 as vulnerable, pending a fix. Red Hat Enterprise Linux 8, 9, and 10 are affected; RHEL 7 does not appear impacted, according to Red Hat's bulletin.
Don't Trust File-Integrity Alone
Because this attack only corrupts cached memory, not the actual file on disk, standard file-integrity or antivirus checks may not flag a compromise while an attack is in progress.
Defensive Moves: What Should Admins Do?
Immediate action is needed. The primary recommendation is to update to a patched Linux kernel as soon as it is available for your distribution, then reboot. Prioritize patching on shared or exposed systems where untrusted users may have shell access or the ability to run code.
For environments where patching is delayed, there are two main mitigations:
- Disable the vulnerable module: If act_pedit is not needed, prevent it from loading by adding a modprobe rule (echo 'install act_pedit /bin/true' | sudo tee /etc/modprobe.d/disable-act_pedit.conf).
- Block unprivileged user namespaces: Setting user.max_user_namespaces=0 (on RHEL) or kernel.unprivileged_userns_clone=0 (on Debian/Ubuntu) will thwart the exploit, but be warned: this can break rootless containers, sandboxed browsers, and some CI environments. Always test mitigations first in non-production settings.
Clearing the page cache may remove the poisoned memory, but it cannot eject an attacker who already has a root shell. Once exploited, the host should be considered compromised.
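An audit of the two mitigations above, added here as an example and not taken from the article or any vendor advisory. It checks whether the act_pedit modprobe rule is in place, whether the module is already loaded, and whether either user-namespace sysctl is set to 0. The function names and the ROOT prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the article. ROOT is a hypothetical prefix (default:
# the live filesystem) so the checks can also be run against a constructed tree.

# 0 if a rule like "install act_pedit /bin/true" exists under ROOT's modprobe.d.
pedit_install_blocked() {
    root="${1:-}"
    pat='^[[:space:]]*install[[:space:]]+act[_-]pedit[[:space:]]+(/usr)?/bin/(true|false)([[:space:]]|$)'
    for d in "$root/etc/modprobe.d" "$root/run/modprobe.d" "$root/usr/lib/modprobe.d"; do
        [ -d "$d" ] || continue
        grep -Eqs "$pat" "$d"/*.conf && return 0
    done
    return 1
}

# 0 if act_pedit is loaded right now (a built-in copy would not be listed here).
pedit_loaded() {
    grep -qs '^act_pedit ' "${1:-}/proc/modules"
}

# 0 if neither sysctl named in the article has been set to 0.
userns_allowed() {
    root="${1:-}"
    for f in user/max_user_namespaces kernel/unprivileged_userns_clone; do
        [ -r "$root/proc/sys/$f" ] && [ "$(cat "$root/proc/sys/$f")" = "0" ] && return 1
    done
    return 0
}

# Prints a verdict; returns 0 only when at least one precondition is removed.
pedit_cow_exposure() {
    root="${1:-}"
    if ! userns_allowed "$root"; then
        echo "mitigated: unprivileged user namespaces disabled"; return 0
    fi
    if pedit_install_blocked "$root"; then
        if pedit_loaded "$root"; then
            echo "exposed: act_pedit blocked but already loaded"; return 1
        fi
        echo "mitigated: act_pedit blocked and not loaded"; return 0
    fi
    echo "exposed: act_pedit loadable and user namespaces enabled"; return 1
}
```

Call pedit_cow_exposure with no argument to audit the live host. A "blocked but already loaded" verdict means the modprobe rule only stops future loads; the module stays in the running kernel until it is unloaded or the host reboots.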
A Cautionary Tale for Linux Defenders
"Pedit COW" highlights the recurring danger of copy-on-write bugs in the Linux kernel's handling of shared memory. In this case, the flaw was quietly fixed as a data-corruption patch weeks before the full security impact was understood and a CVE assigned. The window between fix and public exploit was vanishingly small.
The message to defenders is clear: move quickly to patch such bugs, especially on systems with untrusted users. Waiting for official detection or scanning rules may leave systems wide open. As always, defense-in-depth and aggressive patch hygiene remain the best countermeasures against local privilege escalation threats like this.
This article is original CyberSecFlux reporting based on news first reported by The Hacker News.
Written by
Marco Sala
Security News Editor
Tracks the cybersecurity news cycle and distils the day's breaches, patches and research for the CyberSecFlux desk.