A high-severity Linux kernel vulnerability designated CVE-2026-46331 and tracked as “pedit COW” allows any low-privileged local user to corrupt shared page-cache memory and escalate privileges to root. Red Hat, Ubuntu, and Debian have confirmed the flaw affects their current supported releases and are issuing patched kernels.
The vulnerability exists in the kernel’s traffic-control subsystem, specifically in the tcf_pedit_act() function responsible for editing packet headers during network traffic processing. The function performs a copy-on-write range check before writing, but resolves final byte offsets at runtime. When those runtime offsets fall outside the previously validated range, writes land in shared page-cache memory rather than in the private copy, corrupting cached binaries and opening a path to privilege escalation. Ubuntu rates the flaw CVSS 8.5 High with local low-privilege access required. Affected distributions include RHEL 8, 9, and 10; Ubuntu 18.04 through 26.04; and Debian 11, 12, and 13.
Why it matters: The environments affected are those most common in enterprise infrastructure and cloud workloads. Multi-tenant systems, CI/CD build runners, and Kubernetes nodes present the highest risk because they combine shared kernel access with unprivileged user processes. An attacker who gains any initial foothold at low privilege, whether through a compromised build dependency, a container escape enabled by misconfiguration, or a phishing-delivered payload, can use CVE-2026-46331 as a reliable local escalation path to full system control. The CIFSwitch root escalation flaw reported earlier this year followed the same pattern across enterprise Linux distributions. The recurrence of high-severity kernel privilege escalation vulnerabilities in networking subsystems underscores the importance of giving kernel patching the same priority and cadence as critical application vulnerabilities.
What defenders should do: Apply the patched kernel package for your distribution and reboot the host. Prioritize multi-tenant hosts, CI/CD runners, and Kubernetes nodes first. If immediate patching is not possible, block the act_pedit kernel module using a modprobe configuration entry to prevent loading. Disabling unprivileged user namespaces also mitigates the underlying issue but may disrupt rootless container workloads; test the impact in your environment before broad deployment. Per Ubuntu’s advisory, treat any host where unprivileged users had access during the vulnerability window as potentially compromised, even if file-integrity checks return clean results.
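The interim mitigations above can be audited per host before the patched kernel is rolled out. The script below is an added example, not taken from any vendor advisory: the function names are hypothetical, and it assumes the modprobe entry takes the common "install act_pedit /bin/false" form and that user namespaces are controlled through the user.max_user_namespaces or kernel.unprivileged_userns_clone sysctls.

```shell
#!/bin/sh
# Added example: report the state of the interim CVE-2026-46331 mitigations.
# Paths are parameters so the checks can also run against a constructed tree.

# Succeeds if a modprobe.d file forces loading of act_pedit to fail.
# A "blacklist" line only affects alias-based autoloading, so it is not counted.
pedit_blocked() {   # $1 = modprobe.d directory
    grep -Eqs '^[[:space:]]*install[[:space:]]+act_pedit[[:space:]]+(/usr)?/bin/(false|true)' \
        "$1"/*.conf
}

# Succeeds if act_pedit is already resident. A modprobe.d entry does not
# unload a module that was loaded before the entry was written.
pedit_loaded() {    # $1 = module list in /proc/modules format
    grep -qs '^act_pedit ' "$1"
}

# Succeeds if either sysctl reads 0 (the second one exists only on
# Debian and Ubuntu kernels).
userns_disabled() { # $1 = sysctl root, normally /proc/sys
    for f in "$1/user/max_user_namespaces" "$1/kernel/unprivileged_userns_clone"; do
        [ -r "$f" ] && [ "$(cat "$f")" = "0" ] && return 0
    done
    return 1
}

# Prints one line per host, suitable for collection by a fleet tool.
audit_host() {      # $1 = modprobe.d dir, $2 = module list, $3 = sysctl root
    b=no; l=no; u=no
    pedit_blocked "$1" && b=yes
    pedit_loaded "$2" && l=yes
    userns_disabled "$3" && u=yes
    echo "module_blocked=$b module_loaded=$l userns_disabled=$u"
}

# Default to the live host when no paths are given.
audit_host "${1:-/etc/modprobe.d}" "${2:-/proc/modules}" "${3:-/proc/sys}"
```

A host reporting module_loaded=yes still has the module resident even when module_blocked=yes, so the block takes effect only after the module is removed or the host reboots.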