Linux pedit COW Exploit Grants Local Root Within 1 Day of CVE-2026-46331
Updated · The Hacker News · Jun 26
Summary
A working public exploit surfaced within a day of the June 16 CVE assignment, letting an unprivileged local user gain root on affected Linux systems.
CVE-2026-46331 is an out-of-bounds write in the kernel's act_pedit traffic-control code that corrupts shared page-cache memory, poisoning the cached /bin/su image without altering the file on disk.
RHEL 10 and Debian 13 were reportedly exploitable with default settings because act_pedit was loadable and unprivileged user namespaces exposed the CAP_NET_ADMIN capability needed to trigger the bug.
Debian has patched trixie, while Red Hat lists RHEL 8, 9 and 10 as affected and Ubuntu still marks supported releases from 18.04 through 26.04 vulnerable as of June 25.
Admins are urged to install patched kernels and reboot; if patching must wait, blocking act_pedit or disabling unprivileged user namespaces can break the exploit chain, though integrity checks may still miss a compromised host.
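The two interim mitigations named in the last point can be checked per host. The script below is an added example, not taken from the cited articles or any vendor advisory; its function names and the `--live` switch are assumptions of this example, and it deliberately treats an already loaded module or a bare `blacklist` line as not mitigated.

```sh
#!/bin/sh
# Added example: audit the interim mitigations for CVE-2026-46331.
# Each function takes an optional root prefix so it can be run against a
# constructed directory tree instead of the live system.

# 0 if act_pedit is already resident in the kernel.
pedit_loaded() {
    grep -qs '^act_pedit ' "${1:-}/proc/modules"
}

# 0 if a modprobe.d "install" rule stops act_pedit from being loaded.
# A bare "blacklist" line is not counted: it only makes modprobe ignore the
# module's internal aliases and does not stop a load by module name.
pedit_blocked() {
    for d in etc/modprobe.d run/modprobe.d usr/lib/modprobe.d; do
        grep -Eqs '^[[:space:]]*install[[:space:]]+act_pedit[[:space:]]+/(usr/)?bin/(false|true)([[:space:]]|$)' \
            "${1:-}/$d"/*.conf && return 0
    done
    return 1
}

# 0 if unprivileged user namespaces are off, via the Debian/Ubuntu sysctl
# kernel.unprivileged_userns_clone or the upstream user.max_user_namespaces.
userns_disabled() {
    for f in kernel/unprivileged_userns_clone user/max_user_namespaces; do
        p="${1:-}/proc/sys/$f"
        [ -r "$p" ] && [ "$(cat "$p")" = "0" ] && return 0
    done
    return 1
}

# Prints one line per check; returns 0 if at least one mitigation is effective.
audit_pedit_mitigations() {
    root="${1:-}"; ok=1
    if pedit_loaded "$root"; then
        echo "act_pedit: LOADED (a modprobe rule will not remove it)"
    elif pedit_blocked "$root"; then
        echo "act_pedit: blocked by modprobe.d install rule"; ok=0
    else
        echo "act_pedit: loadable on demand"
    fi
    if userns_disabled "$root"; then
        echo "unprivileged user namespaces: disabled"; ok=0
    else
        echo "unprivileged user namespaces: enabled"
    fi
    return "$ok"
}

if [ "${1:-}" = "--live" ]; then audit_pedit_mitigations ""; fi
```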
CVE-2026-46331 ("pedit COW"): Anatomy, Exploitation, and Defense Against a Critical Linux Kernel Threat
Overview
On June 27, 2026, the 'pedit COW' vulnerability (CVE-2026-46331) was publicly disclosed as a critical Linux kernel bug, with a working exploit emerging the same day. This flaw quickly became a serious security concern because attackers can use it to gain root access without leaving traces on disk, making detection difficult. The vulnerability affects a wide range of Linux systems and demands immediate action, as standard patch cycles may be too slow to prevent exploitation. Organizations must urgently apply kernel patches and strengthen monitoring to defend against this stealthy and severe threat.