A newly disclosed Linux kernel vulnerability called pedit COW is giving attackers a fast path to root access by silently poisoning cached system binaries in memory without changing files stored on disk.
Quick Summary – TLDR:
- CVE-2026-46331 is a Linux kernel flaw that allows local users to gain root privileges.
- The bug corrupts the page cache in memory, making traditional file integrity checks ineffective.
- A working public exploit appeared just one day after the CVE was assigned.
- Systems running RHEL, Debian, and Ubuntu could be affected depending on their configuration.
What Happened?
Security researchers have disclosed a new Linux privilege escalation vulnerability named pedit COW, tracked as CVE-2026-46331. The flaw exists in the Linux kernel’s traffic control subsystem and can allow an unprivileged local user to gain full root access.
The vulnerability has drawn significant attention because a public proof-of-concept exploit was released almost immediately after the CVE became public, giving attackers a ready-made method to compromise vulnerable systems.
🛑 A new #Linux kernel exploit (CVE-2026-46331) gets root without modifying a single file on disk.
It poisons the cached copy of /bin/su in memory. The binary on disk stays untouched. File-integrity checks come back clean.
The root shell is already open.
— The Hacker News (@TheHackersNews) June 26, 2026
A Memory Corruption Bug With Serious Consequences
The issue resides in the kernel’s act_pedit packet-editing function, which is used by Linux traffic control tools to rewrite packet headers.
According to researchers, the bug stems from an incorrect implementation of the kernel’s copy-on-write mechanism. The kernel calculates the writable memory range too early and fails to account for offsets that are only determined at runtime.
As a result, the kernel writes data outside the intended memory area and into the shared page cache. This allows attackers to corrupt the in-memory copy of a file while leaving the original file on disk untouched.
The public exploit specifically targets the cached version of /bin/su, a setuid root binary. Attackers inject a small payload into the cached image and then execute the modified binary to obtain a root shell.
Because the disk version of the file remains unchanged, standard integrity checks and file hashing tools may report that the system is clean even though the attacker has already gained administrator privileges.
Similar to Previous Linux Security Flaws
Researchers noted that pedit COW belongs to the same family of bugs as Dirty Pipe, Copy Fail, DirtyClone, and Dirty Frag.
All of these vulnerabilities involve situations where the kernel mistakenly writes to a memory page that it does not exclusively own, resulting in page cache corruption that can eventually lead to privilege escalation.
What makes pedit COW particularly concerning is its entry point. The exploit can be triggered from inside an unprivileged user namespace, giving attackers the networking capability needed to abuse the vulnerable code path.
Which Systems Are Affected?
The proof-of-concept exploit has been successfully demonstrated on:
- RHEL 10.
- Debian 13 Trixie.
- Ubuntu 24.04, using an AppArmor bypass technique.
Researchers said Ubuntu 26.04 blocks the public exploit because of stronger AppArmor restrictions, although the underlying kernel remains vulnerable.
Several vendors have already released security updates.
Red Hat has issued patches for RHEL 8, RHEL 9, and RHEL 10, while Debian 13 has also received fixes through its security channel. However, Debian 11 and Debian 12 remain vulnerable at the time of writing.
Why Defenders Are Paying Attention
The vulnerability highlights a growing challenge for security teams.
The patch for the bug reportedly appeared on the public netdev mailing list weeks before the CVE was assigned and was initially presented as a routine data corruption fix rather than a security issue.
The vulnerability received a CVE identifier on June 16, and a weaponized exploit was released within a day.
This sequence means many organizations relying solely on vulnerability scanners and security advisories may have had little warning before exploit code became publicly available.
What Organizations Should Do Now
Security experts recommend installing a patched kernel and rebooting affected systems immediately.
If patching cannot be performed right away, organizations can:
- Disable the act_pedit module if it is not required.
- Restrict unprivileged user namespaces, though this may break rootless containers, development environments, and some browser sandboxes.
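To check whether either interim mitigation is actually in place on a host, the following script is an added example (not from the researchers or any vendor). The `ROOT` path prefix, the function names and the verdict strings are assumptions made for illustration; only `/etc/modprobe.d` is inspected.

```sh
#!/bin/sh
# Added example: audit the two interim mitigations the article names for
# CVE-2026-46331. ROOT (hypothetical parameter) is an optional path prefix so
# the checks can run on a mounted image or test tree; empty means live host.
# Limits: a built-in act_pedit never appears in /proc/modules, and this does
# not tell you whether the running kernel is patched.

pedit_loaded() {   # 0 if the act_pedit module is loaded
    grep -qsE '^act_pedit[[:space:]]' "$1/proc/modules"
}

pedit_blocked() {  # 0 if modprobe refuses to load act_pedit
    # Only an "install" override counts; a bare "blacklist" line still
    # allows the module to be loaded by name.
    grep -qsE '^[[:space:]]*install[[:space:]]+act_pedit[[:space:]]+/bin/(false|true)' \
        "$1"/etc/modprobe.d/*.conf
}

userns_restricted() {  # 0 if unprivileged user namespaces are disabled
    for f in kernel/unprivileged_userns_clone user/max_user_namespaces; do
        # First knob is the Debian/Ubuntu one, second is upstream; 0 disables.
        [ "$(cat "$1/proc/sys/$f" 2>/dev/null)" = "0" ] && return 0
    done
    return 1
}

audit_host() {  # prints "<VERDICT>: <reasons>", always returns 0
    ah_verdict="NO_MITIGATION"
    if pedit_loaded "$1"; then
        ah_notes="act_pedit loaded"
    elif pedit_blocked "$1"; then
        ah_verdict="MITIGATION_PRESENT"; ah_notes="act_pedit load blocked"
    else
        ah_notes="act_pedit not blocked"
    fi
    if userns_restricted "$1"; then
        ah_verdict="MITIGATION_PRESENT"
        ah_notes="$ah_notes; unprivileged userns disabled"
    else
        ah_notes="$ah_notes; unprivileged userns allowed"
    fi
    echo "$ah_verdict: $ah_notes"
}

audit_host "${AUDIT_ROOT:-}"
```

A `MITIGATION_PRESENT` verdict only reflects configuration; installing the patched kernel and rebooting remains the fix.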
Experts also warn that simply clearing the page cache is not enough. If an attacker has already gained root access, the system should be treated as fully compromised and investigated accordingly.
SQ Magazine Takeaway
I think pedit COW is another reminder that Linux kernel bugs can become serious security threats long before they receive a CVE number or make headlines. The fact that attackers can gain root access while leaving files on disk untouched makes this flaw particularly dangerous. Organizations running shared servers, container platforms, and developer environments should move quickly because waiting for scanner signatures or routine patch cycles may simply be too late.