Top Highlights
- The Linux kernel vulnerability CVE-2026-46331 allows unprivileged users with open user namespaces to execute remote root exploits by corrupting shared page-cache memory during packet header modifications.
- Attackers can poison in-memory copies of setuid binaries like
/bin/suwithout touching disk, enabling persistent root access and system compromise. - Mitigation requires patching affected systems, blocking the
act_peditmodule, or disabling unprivileged user namespaces, as unpatched systems are vulnerable to immediate privilege escalation.
Threat, Attack Techniques, and Targets
This cybersecurity threat involves a new Linux kernel flaw called “pedit COW” (CVE-2026-46331). The flaw exists in the traffic-control subsystem of the Linux kernel. It allows a local, unprivileged user to gain root access on the system. The attack uses a specific technique that manipulates shared page-cache memory. The attacker poisons in-memory copies of binaries, like the /bin/su file, without touching the disk. They inject a small payload into the cached binary. Then, they run the altered image as root. The attack only needs two conditions: that the act_pedit feature can be loaded and that unprivileged user namespaces are open. Both conditions are typically present on systems like Red Hat and Debian. The attacker exploits the kernel’s packet header rewriting feature to corrupt shared memory when certain parameters are set up within user namespaces.
Impact, Security Implications, and Remediation Guidance
The impact of this vulnerability is serious. Attackers can achieve root access without leaving any traces on the disk. They can poison the in-memory cache, leading to potential privilege escalation. Systems at risk include RHEL 8, 9, 10, Debian 13 (Trixie), and possibly Ubuntu 24.04 and 26.04, depending on their configuration. Security implications include complete system compromise and potential attack chain progression. To mitigate the threat, it is critical to install the latest kernel updates and reboot the system. If patching is not immediately possible, some temporary measures include blocking the act_pedit module from loading and disabling unprivileged user namespaces. Additionally, dropping the page cache can help remove poisoned memory. However, these actions do not undo root access already gained. Because the flaw involves cached memory, traditional file integrity checks may not detect the abuse. It is advised to consult the vendor or authority for the latest security patches and detailed remediation steps, especially for affected enterprise environments.
Expand Your Tech Knowledge
Dive deeper into the world of Cryptocurrency and its impact on global finance.
Explore past and present digital transformations on the Internet Archive.
ThreatIntel-V1
