Cybersecurity Announcement: Linux Kernel Privilege Escalation to Root Vulnerability - "pedit COW"

This document is the cybersecurity announcement for the pedit COW Linux LPE vulnerability.

About the Event

pedit COW is a Linux LPE vulnerability which targets the Linux tc traffic control tool (CVE-2026-46331). It abuses page caching to achieve root access.

 

Actions to Consider

This attack is similar to Copy-Fail. As it is a consistent Local Privilege Escalation (LPE), no race condition is necessary. Cybersecurity recommends Linux administrators evaluate their risks and follow this guidance for patching and, if necessary, temporary mitigation:

Patching
  • Debian has fixed trixie through its security channel. Debian 11 and 12 are still listed as vulnerable.
  • Ubuntu lists supported releases from 18.04 through 26.04 as vulnerable as of June 25.
  • Red Hat lists RHEL 8, 9, and 10 as affected; RHEL 7 is not listed in the bulletin.
Mitigation
  • If you cannot patch yet, two mitigations kill the exploit chain. On systems that do not need tc pedit rules, check whether the module is in use (lsmod | grep act_pedit), then block it from loading:
      echo 'install act_pedit /bin/true' | sudo tee /etc/modprobe.d/disable-act_pedit.conf
  • Alternatively, disable unprivileged user namespaces (user.max_user_namespaces=0 on RHEL, kernel.unprivileged_userns_clone=0 on Debian/Ubuntu). That removes the namespace-local capability the exploit needs, but it breaks rootless containers, some CI sandboxes, and sandboxed browsers. Test first.
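
To confirm which of the two mitigations above is actually in effect on a host, the following audit script can be used. It is an added example, not part of the original announcement or any vendor tooling. The function names and the optional root-directory argument are assumptions made for illustration, and it checks mitigation state only, not kernel patch level.

```sh
#!/bin/sh
# Added example: audit the two pedit COW (CVE-2026-46331) mitigations.
# $1 is an assumed optional root (default /), e.g. a mounted image or test tree.

# Succeeds if act_pedit is currently loaded (the data lsmod reads).
pedit_loaded() (
    [ -r "${1:-/}/proc/modules" ] || exit 1
    awk '$1 == "act_pedit" { hit = 1 } END { exit !hit }' "${1:-/}/proc/modules"
)

# Succeeds if a modprobe.d "install act_pedit <no-op>" line blocks loading.
# modprobe treats "-" and "_" in module names as the same character.
pedit_blocked() (
    for dir in etc/modprobe.d run/modprobe.d usr/lib/modprobe.d lib/modprobe.d; do
        for conf in "${1:-/}/$dir"/*.conf; do
            [ -r "$conf" ] || continue
            awk '$1 == "install" { gsub(/-/, "_", $2)
                     if ($2 == "act_pedit" && $3 ~ /^(\/usr)?\/bin\/(true|false)$/) hit = 1 }
                 END { exit !hit }' "$conf" && exit 0
        done
    done
    exit 1
)

# Succeeds if either sysctl named above disables unprivileged user namespaces.
userns_disabled() (
    sys="${1:-/}/proc/sys"
    max=$(cat "$sys/user/max_user_namespaces" 2>/dev/null || true)
    clone=$(cat "$sys/kernel/unprivileged_userns_clone" 2>/dev/null || true)
    [ "$max" = 0 ] || [ "$clone" = 0 ]
)

# Print one verdict line. An install rule only stops future loads, so a module
# that is already loaded still counts as unmitigated until it is removed.
pedit_verdict() (
    if pedit_loaded "$1"; then loaded=yes; else loaded=no; fi
    if pedit_blocked "$1"; then blocked=yes; else blocked=no; fi
    if userns_disabled "$1"; then userns=off; else userns=on; fi
    if [ "$userns" = off ] || { [ "$blocked" = yes ] && [ "$loaded" = no ]; }; then
        state=MITIGATED
    else
        state=UNMITIGATED
    fi
    echo "$state loaded=$loaded blocked=$blocked unpriv_userns=$userns"
)

pedit_verdict "${1:-/}"
```

A result of `UNMITIGATED loaded=yes blocked=yes` means the modprobe rule was written after the module was already loaded; the module must be unloaded (or the host rebooted) before the rule has any effect.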

If you believe you may have been compromised please contact the Office of Cybersecurity at cybersecurity@cio.wisc.edu.

 

Event Impact

Any local unprivileged user would be able to obtain root-level access resulting in a full system takeover. Proof of concept code is already publicly available. However, there are no reports of it being exploited in the wild.

This vulnerability affects most recent Linux versions released since 2017, including kernel 7.0.4. However, there are some variations depending on the distribution, as follows:

  • RHEL 10 and Debian 13 (trixie), where unprivileged user namespaces are open by default, have been reported as vulnerable to unprivileged-to-root escalation.
  • Ubuntu 24.04 required routing execution through AppArmor profiles that still permit user namespaces. 
  • Ubuntu 26.04 blocks that path by default because its AppArmor profiles restrict unprivileged user namespaces, though the underlying kernel remains vulnerable. 


Keywords:
Linux LPE local privilege escalation copy fail pedit COW 
Doc ID:
162352
Owned by:
Jamie G. in Cybersecurity Testing and Cyber Defense
Created:
2026-06-30
Updated:
2026-06-30
Sites:
Cybersecurity Testing and Cyber Defense, Cybersecurity Vulnerability Management