CVE-2026-46331 Overview
CVE-2026-46331 is a Linux kernel vulnerability in the net/sched traffic control subsystem. The flaw resides in the tcf_pedit_act() function, which implements the pedit (packet edit) action used by tc filters. The function computes a copy-on-write (COW) range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account for the runtime header offset added by typed keys. This can leave part of the write region un-COW'd, leading to page cache corruption when packet data is modified.
Critical Impact
Partial COW handling in pedit allows kernel writes to escape the copied region, corrupting shared page cache memory and risking system-wide data integrity issues.
Affected Products
- Linux kernel net/sched subsystem (tc pedit action)
- Stable kernel branches incorporating the tcf_pedit_act() typed key offset logic
- Distributions shipping affected kernel revisions prior to backport of the upstream fix
Discovery Timeline
- 2026-06-16 - CVE-2026-46331 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-46331
Vulnerability Analysis
The pedit action in the Linux kernel traffic control subsystem allows administrators to modify packet contents at runtime. The action operates on socket buffers (skb) and supports typed keys that target specific protocol headers, applying a header-relative offset computed at runtime.
The vulnerable implementation in tcf_pedit_act() invokes skb_ensure_writable() a single time before iterating over keys. The writable range is derived from tcfp_off_max_hint, a static hint computed without consideration for the dynamic header offset added when a typed key resolves its target. Subsequent writes inside the loop can therefore target memory outside the COW'd range, mutating bytes in a page that is still shared with the page cache. This results in page cache corruption affecting unrelated file-backed data.
Root Cause
The root cause is incorrect calculation of the writable region prior to per-key modifications. tcfp_off_max_hint reflects only statically known offsets and omits the runtime header offset applied to typed keys. The single pre-loop skb_ensure_writable() call therefore guarantees writability only for a subset of the actual write region. Negative offsets, such as those used to edit Ethernet headers on ingress, are not handled, and offset_valid() lacks protection against INT_MIN where negation is undefined behavior.
Attack Vector
The vulnerability is triggered through normal packet processing once a malicious or misconfigured pedit action is installed via the tc interface. Configuring pedit rules typically requires CAP_NET_ADMIN. Once installed, processing packets that match the filter causes the kernel to write outside the COW'd region, corrupting page cache pages backing files or other kernel structures sharing those pages.
No verified public exploit code is available. See the Kernel Git Commit for the patch and technical details.
Detection Methods for CVE-2026-46331
Indicators of Compromise
- Unexpected file content corruption on hosts running tc pedit rules, particularly affecting recently read or cached files.
- Kernel log entries referencing tcf_pedit_act or unusual skb_ensure_writable paths during heavy tc traffic processing.
- Filesystem checksum mismatches on file-backed pages without corresponding disk I/O errors.
Detection Strategies
- Audit installed tc filters for pedit actions using typed keys with non-zero header offsets, including negative offsets targeting Ethernet headers.
- Monitor CAP_NET_ADMIN usage and tc configuration changes through kernel audit logs.
- Compare running kernel versions against vendor advisories listing the upstream commit 899ee91156e5 as applied.
Monitoring Recommendations
- Track tc filter and tc action modifications across production hosts and forward events to a centralized log store.
- Alert on kernel oops, soft lockups, or memory corruption signatures occurring on hosts with active pedit rules.
- Validate file integrity on critical paths using baseline hashes to identify silent page cache corruption.
How to Mitigate CVE-2026-46331
Immediate Actions Required
- Apply the upstream kernel patch referenced by commit 899ee91156e57784090c5565e4f31bd7dbffbc5a or the corresponding distribution update.
- Inventory hosts using tc pedit actions and prioritize patching on systems exposed to untrusted local users with CAP_NET_ADMIN.
- Restrict the ability to install tc rules to trusted administrators only.
Patch Information
The fix moves skb_ensure_writable() inside the per-key loop where the actual write offset is known and adds overflow checking on the offset arithmetic. For negative offsets, such as Ethernet header edits at ingress, skb_cow() is used to COW the headroom. The offset_valid() helper is also guarded against INT_MIN to avoid undefined behavior from negation. The patch is available from the Kernel Git Commit.
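The range arithmetic described under Root Cause and Patch Information, as an added userspace model; it is not kernel code and not the upstream patch. The names `model_key`, `static_hint`, `bytes_outside_hint` and `plan_key` are hypothetical, the 4-byte write width per key is an assumption, and `__builtin_add_overflow` assumes GCC or Clang.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>

#define WORD 4 /* assumption: each key edits one 32-bit word */

/* Hypothetical model of a pedit key; not the kernel's structure. */
struct model_key { int off; bool typed; };

/* Pre-fix shape: one writable length derived from configured offsets only. */
int static_hint(const struct model_key *k, size_t n)
{
    int max = 0;
    for (size_t i = 0; i < n; i++)
        if (k[i].off >= 0 && k[i].off <= INT_MAX - WORD && k[i].off + WORD > max)
            max = k[i].off + WORD;
    return max;
}

/* Bytes a key writes outside [0, hint) once the runtime header offset applies. */
int bytes_outside_hint(const struct model_key *k, int hdr_off, int hint)
{
    int start, outside = 0;
    if (__builtin_add_overflow(k->typed ? hdr_off : 0, k->off, &start))
        return WORD;
    for (int b = 0; b < WORD; b++)
        if ((long long)start + b < 0 || (long long)start + b >= hint)
            outside++;
    return outside;
}

enum cow_plan { COW_REJECT, COW_HEADROOM, COW_LINEAR };

/* Post-fix shape: decide per key, with checked arithmetic and an INT_MIN guard. */
enum cow_plan plan_key(const struct model_key *k, int hdr_off, int headroom,
                       int pkt_len, int *need)
{
    int start, end;
    if (__builtin_add_overflow(k->typed ? hdr_off : 0, k->off, &start) ||
        start == INT_MIN)            /* negating INT_MIN is undefined */
        return COW_REJECT;
    if (start < 0) {                 /* e.g. Ethernet header edit at ingress */
        *need = -start;              /* headroom bytes; models the skb_cow() path */
        return -start > headroom ? COW_REJECT : COW_HEADROOM;
    }
    if (__builtin_add_overflow(start, WORD, &end) || end > pkt_len)
        return COW_REJECT;
    *need = end;                     /* models skb_ensure_writable(skb, end) */
    return COW_LINEAR;
}
```

With a constructed rule of one untyped key at offset 0 and one typed key at offset 12, the static hint is 16 bytes; a runtime header offset of 2 leaves two of the typed key's four bytes outside it, which is the partial-COW case, while the per-key plan asks for the full extent.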
Workarounds
- Remove or avoid configuring tc pedit actions with typed keys until the patched kernel is deployed.
- Limit CAP_NET_ADMIN to trusted accounts and revoke it from container workloads where possible.
- Disable unprivileged user namespaces if local users could otherwise gain CAP_NET_ADMIN within a namespace.

