Local Privilege Escalation via Linux act_pedit Page Cache Bug

CyberSecureFox Editorial Team

The CVE-2026-46331 vulnerability in the Linux kernel traffic control subsystem allows a local unprivileged user to gain root privileges on affected systems. An out-of-bounds write in the act_pedit component corrupts the page cache, and a working exploit was published within 24 hours of the CVE being assigned on 16 June 2026. Red Hat rates the vulnerability as Important. RHEL 8, 9 and 10, Ubuntu from 18.04 through 26.04, and Debian 11 through 13 are affected. Administrators of multi-user systems, Kubernetes nodes and CI/CD servers should install an updated kernel immediately or apply one of the workarounds below.

Vulnerability mechanism

The Linux traffic control (tc) pedit action rewrites packet bytes on the fly. According to the researchers, the kernel function tcf_pedit_act() is supposed to make a private copy of the packet data before editing it, the usual copy-on-write step for packet buffers whose data may still be shared. However, the bounds check on the write is performed before the final offset is known: some pedit keys compute their offset only at runtime, from a value read out of the packet itself. When the resolved offset falls outside the region that was privately copied, the write lands in a shared page that belongs to the page cache instead of in the private copy.

If that page holds a cached file, the file's in-memory image is corrupted while the inode and the blocks on disk stay exactly as they were. The exploit reportedly uses this to poison the cached image of a setuid-root binary (for example /bin/su): it writes a small payload into the page and then executes the binary, and because the kernel maps the poisoned page, the payload runs as root. Nothing on disk changes, so checks of the on-disk file (mtime, block contents, package checksums verified after the poisoned page has been evicted) show no difference.

This class of bugs is well known: Dirty Pipe, DirtyClone and Dirty Frag all exploit situations where the kernel writes data into a page it does not exclusively own. What distinguishes CVE-2026-46331 is the entry point: an unprivileged user can create a user namespace with its own network namespace, hold CAP_NET_ADMIN inside it, and use that capability to attach tc actions to interfaces in that namespace.

Prerequisites for exploitation

The exploitation chain requires two conditions to be met simultaneously:

  • The act_pedit module must be loadable (or compiled into the kernel), so that a tc rule referencing pedit can reach tcf_pedit_act().
  • Unprivileged user namespaces must be enabled, so that the attacker can obtain CAP_NET_ADMIN inside a namespace of their own.

According to the exploit author, both conditions are met by default on RHEL 10 and Debian 13 (trixie). On Ubuntu 24.04, exploitation reportedly required running under one of the AppArmor profiles that are allowed to create unprivileged user namespaces, since that release restricts them for unconfined programs (kernel.apparmor_restrict_unprivileged_userns=1). Ubuntu 26.04 blocks this path by default through its AppArmor restrictions, although the kernel itself remains vulnerable.

Impact assessment

Systems where “local user” does not mean “trusted” are at the highest risk: multi-user servers, Kubernetes nodes, CI/CD worker nodes, build servers and shared research machines. The attack leaves no trace on disk: inode, mtime and on-disk bytes stay as the package installed them, so the usual file integrity tools (AIDE, Tripwire, rpm -V) have nothing to flag once the poisoned page has been evicted or the host rebooted. The only window in which a read through the page cache would reveal the difference closes silently, and a root shell obtained this way can outlive every trace of how it was obtained.

An additional risk factor is the disclosure timeline. The fix was posted to the netdev mailing list in late May 2026 and was reportedly presented as a routine data corruption patch, without a CVE and without a security warning. The CVE was assigned only when the fix was merged on 16 June, and a working exploit appeared within 24 hours. For page cache corruption bugs the exploit is likely to exist before any scanner signature does, so waiting for signature-based vulnerability scanners is an unacceptably slow strategy.

Response recommendations

Top priority: install the updated kernel and reboot. If an immediate update is not possible, either of the two workarounds below breaks the exploitation chain by removing one of its prerequisites:

Blocking the act_pedit module

On systems that do not use pedit rules in tc, stop the module from being loaded on demand. The install line below makes modprobe run /bin/true instead of inserting the module, so both an explicit modprobe and the kernel's own autoload (triggered when a tc rule references pedit) are refused. It does not unload a module that is already loaded: check with lsmod | grep act_pedit, and if act_pedit is listed with a use count of 0, follow up with modprobe -r act_pedit; a non-zero count means existing pedit actions still reference it and must be deleted first. The rule has no effect on kernels that compile act_pedit in (CONFIG_NET_ACT_PEDIT=y); grep for act_pedit in /lib/modules/$(uname -r)/modules.builtin to tell the two cases apart.

echo 'install act_pedit /bin/true' | sudo tee /etc/modprobe.d/disable-act_pedit.conf

Disabling unprivileged user namespaces

On RHEL: user.max_user_namespaces=0. On Debian/Ubuntu: kernel.unprivileged_userns_clone=0 (Ubuntu 24.04 and later additionally ship kernel.apparmor_restrict_unprivileged_userns=1, which limits creation to programs whose AppArmor profile allows it). Either sysctl removes the ability to obtain the CAP_NET_ADMIN the exploit relies on; note that user.max_user_namespaces=0 applies to every process on the host, root and system services included, while kernel.unprivileged_userns_clone=0 affects only unprivileged users. Set the value in /etc/sysctl.d/ so it survives a reboot. Both settings break rootless containers, some CI sandboxes and browser sandboxes, so test before applying in production.
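The following pre-flight and mitigation script is an added example for the two workarounds above (the act_pedit block and the user namespace setting); it is not part of the advisory and not the exploit author's code. It reports whether each exploitation prerequisite holds on the local host, using the same module-state and sysctl checks described above plus an empirical unshare probe, and can apply the modprobe block. It assumes a stock modprobe.d/sysctl layout, GNU awk/find and util-linux unshare; the configuration file name disable-act_pedit.conf is an arbitrary choice.

```shell
#!/bin/sh
# Added pre-flight and mitigation script (not from the advisory or the exploit
# author). It checks the two exploitation prerequisites on the local host and
# can apply the act_pedit module block. Assumes a stock modprobe/sysctl layout
# and util-linux unshare; the file name disable-act_pedit.conf is arbitrary.
set -u

MOD=act_pedit
CONF=/etc/modprobe.d/disable-act_pedit.conf

# Classify how a kernel provides a module, given its name and the kernel's
# /lib/modules/<release> directory: "builtin" (listed in modules.builtin, so no
# modprobe rule can block it), "module" (a loadable .ko exists) or "missing".
module_kind() {
    mod=$1; dir=$2
    if grep -qs "/${mod}\.ko\$" "$dir/modules.builtin"; then
        echo builtin
    elif find "$dir/kernel" -name "${mod}.ko*" 2>/dev/null | grep -q .; then
        echo module
    else
        echo missing
    fi
}

# Print the use count of a loaded module from a /proc/modules listing read on
# stdin ("name size usecount deps state address"), or "absent" if not loaded.
module_refcount() {
    awk -v mod="$1" '$1 == mod { print $3; found = 1 } END { if (!found) print "absent" }'
}

# Combine the three sysctls that govern unprivileged user namespaces (each given
# as its value, or "absent" if the kernel lacks it) into one verdict:
#   blocked    - nobody can create user namespaces (user.max_user_namespaces=0)
#                or unprivileged users cannot (kernel.unprivileged_userns_clone=0)
#   restricted - only AppArmor-profiled programs may (Ubuntu 24.04+ default)
#   allowed    - any user can, so prerequisite 2 of the exploit holds
userns_policy() {
    max=$1; clone=$2; aa=$3
    if [ "$max" = 0 ] || [ "$clone" = 0 ]; then
        echo blocked
    elif [ "$aa" = 1 ]; then
        echo restricted
    else
        echo allowed
    fi
}

sysctl_or_absent() {
    sysctl -n "$1" 2>/dev/null || echo absent
}

# Empirical probe from an unprivileged shell: a new user namespace plus a
# network namespace in which we hold CAP_NET_ADMIN (bringing lo up needs it).
userns_probe() {
    unshare -Urn sh -c 'ip link set lo up' >/dev/null 2>&1
}

report() {
    rel=$(uname -r)
    printf 'kernel %s: act_pedit is %s, use count %s\n' "$rel" \
        "$(module_kind "$MOD" "/lib/modules/$rel")" \
        "$(module_refcount "$MOD" < /proc/modules)"
    printf 'unprivileged user namespaces: %s\n' \
        "$(userns_policy "$(sysctl_or_absent user.max_user_namespaces)" \
                         "$(sysctl_or_absent kernel.unprivileged_userns_clone)" \
                         "$(sysctl_or_absent kernel.apparmor_restrict_unprivileged_userns)")"
    if userns_probe; then
        echo 'probe: got CAP_NET_ADMIN in a new netns (prerequisite 2 holds for this user)'
    else
        echo 'probe: unshare -Urn refused or no ip(8); prerequisite 2 not met from here'
    fi
}

# Refuse future autoloads (modprobe runs /bin/true instead of inserting the
# module) and unload act_pedit now if it is loaded and nothing references it.
block_module() {
    case $(module_kind "$MOD" "/lib/modules/$(uname -r)") in
        builtin) echo "$MOD is built into this kernel; only a kernel update helps" >&2; return 2 ;;
        missing) echo "$MOD is not shipped with this kernel; nothing to block"; return 0 ;;
    esac
    printf 'install %s /bin/true\n' "$MOD" > "$CONF" || return 1
    case $(module_refcount "$MOD" < /proc/modules) in
        absent) echo "$MOD not loaded; autoload now refused via $CONF" ;;
        0)      modprobe -r "$MOD" && echo "$MOD unloaded; autoload refused via $CONF" ;;
        *)      echo "$MOD is in use by existing tc pedit actions; delete them, then rerun" >&2; return 3 ;;
    esac
}

# Usage: sh pedit-preflight.sh report   (any user)
#        sudo sh pedit-preflight.sh block
case ${1:-} in
    report) report ;;
    block)  block_module ;;
esac
```

Run report as the unprivileged account whose exposure you care about, not as root: the unshare probe answers the question "can this user reach CAP_NET_ADMIN", which is exactly prerequisite 2. A verdict of builtin from the module check means the modprobe workaround does not apply and the kernel update is the only fix.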

If compromise is suspected

Flushing the page cache (sync; echo 3 > /proc/sys/vm/drop_caches) evicts the poisoned copy from memory, but it does not evict pages that are still mapped by a running process, and it does not undo anything done with the root access already obtained. It also destroys the only artifact of the attack, so capture evidence first. If there is any reason to suspect exploitation, treat the host as compromised and follow your incident response procedure.
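Because the poisoned bytes exist only in the page cache, the artifact to capture before any flush is a file whose cached image differs from its on-disk bytes. The script below is an added example, not part of the advisory: it hashes each setuid/setgid binary once through the page cache and once with O_DIRECT, which bypasses the cache and reads the blocks on disk. It assumes GNU coreutils (dd with iflag=direct and status=none, sha256sum) and a filesystem that honours O_DIRECT; ext4 and xfs do, tmpfs and some overlay configurations do not, in which case the file is reported as unchecked rather than clean.

```shell
#!/bin/sh
# Added check (not from the advisory): hash each setuid/setgid binary twice,
# once through the page cache (an ordinary read, the view an exec or rpm -V
# gets) and once with O_DIRECT, which reads the on-disk bytes and bypasses the
# cache. A mismatch means the cached image was altered without touching the
# file. Run it BEFORE any drop_caches, which would destroy this evidence.
# Assumes GNU coreutils and a filesystem that supports O_DIRECT.
set -u

# Digest as seen through the page cache.
cached_sha256() {
    sha256sum -- "$1" | cut -d' ' -f1
}

# Digest of the on-disk bytes. O_DIRECT needs an aligned buffer, which dd
# provides; the copy goes to a private temp file so that a refused read is
# detectable (piping would silently hash an empty stream). Returns 2 if the
# filesystem refuses O_DIRECT.
ondisk_sha256() {
    tmp=$(mktemp) || return 2
    if ! dd if="$1" of="$tmp" iflag=direct bs=1M status=none 2>/dev/null; then
        rm -f "$tmp"
        return 2
    fi
    sha256sum -- "$tmp" | cut -d' ' -f1
    rm -f "$tmp"
}

# 0: cache and disk agree; 1: cached image differs from disk; 2: not checkable.
check_file() {
    disk=$(ondisk_sha256 "$1") || return 2
    [ "$disk" = "$(cached_sha256 "$1")" ] && return 0
    return 1
}

# Walk setuid/setgid files on local filesystems; print one line per finding.
scan_setuid() {
    find / -xdev \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null |
    while IFS= read -r f; do
        check_file "$f" && continue
        case $? in
            1) echo "MISMATCH  $f  (page cache differs from on-disk bytes)" ;;
            2) echo "UNCHECKED $f  (O_DIRECT not supported here)" ;;
        esac
    done
}

# Usage: sh pagecache-check.sh scan          (all setuid/setgid binaries)
#        sh pagecache-check.sh /bin/su ...   (specific files)
for arg in "$@"; do
    if [ "$arg" = scan ]; then
        scan_setuid
    else
        check_file "$arg" && echo "OK        $arg" || echo "rc=$? $arg"
    fi
done
```

A MISMATCH line is strong evidence of page cache poisoning and should be preserved (copy both digests and, if possible, the cached image via a plain cat of the file) before the cache is flushed or the host rebooted; an empty scan is not proof of absence, since the poisoned page may already have been evicted.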

CVE-2026-46331 is yet another page cache corruption vulnerability against which traditional file integrity tools are useless. Deploy a fixed kernel to all affected systems, starting with multi-user nodes and CI/CD infrastructure. If the update must be postponed, block the act_pedit module today: it is a single line in modprobe.d, needs no reboot as long as the module is not loaded or can be unloaded, and does not affect the overwhelming majority of systems, which never use pedit.

