
Linux Kernel Flaw Enables Unprivileged Root Access


"The exploit never touches the file on disk." That blunt sentence from the advisory captures the risk: a local, unprivileged user can gain root on vulnerable Linux hosts by corrupting an in-memory cached copy of a setuid binary and then executing it.

CVE-2026-46331: pedit COW and the page-cache poison

CVE-2026-46331, nicknamed "pedit COW," is an out‑of‑bounds write in the kernel's packet-editing action (act_pedit) that corrupts shared page-cache memory. The exploit targets the cached in‑memory image of a setuid root binary — the published proof‑of‑concept poisoned /bin/su — injects a small payload into that cached copy, and then runs the altered image as root. Because the attack modifies only the in‑memory page, the file on disk remains unchanged and file‑integrity checks will appear clean even while an attacker holds a root shell.

Exploit chain: act_pedit, unprivileged namespaces, and CAP_NET_ADMIN

The kernel function tcf_pedit_act() implements the pedit action for traffic control (tc). It follows a copy‑on‑write approach: it attempts to make a private copy of the packet data before editing. The bug arises because the code checks the writable range once, before final offsets are known; some offsets resolve only at runtime. When that happens, the kernel can write outside the private copy and instead modify a shared page‑cache page that may belong to a cached file.

Two conditions are required to turn that corruption into local privilege escalation: the act_pedit module must be loadable on the system, and unprivileged user namespaces must be enabled so an unprivileged user can obtain a namespace‑local CAP_NET_ADMIN capability to configure tc actions. The published proof‑of‑concept demonstrated unprivileged‑to‑root exploitation on RHEL 10 and Debian 13 (trixie) where those conditions were present.

Which distributions and releases are affected

  • Red Hat: RHEL 8, 9, and 10 are listed as affected; RHEL 7 is not listed in the vendor bulletin. Red Hat rates the flaw as important.
  • Debian: trixie (Debian 13) has been fixed through Debian's security channel. Debian 11 and 12 remain listed as vulnerable.
  • Ubuntu: as of June 25, Ubuntu lists supported releases from 18.04 through 26.04 as vulnerable. Practical exploitation on Ubuntu 24.04 required routing execution through AppArmor profiles that still permit user namespaces; Ubuntu 26.04 blocks that path by default because its AppArmor profiles restrict unprivileged user namespaces, although the underlying kernel remains vulnerable.

Immediate mitigations and operational steps

The authoritative mitigation is to install the patched kernel and reboot. Prioritize hosts where "local user" cannot be assumed trusted: multi‑tenant servers, CI/CD runners, Kubernetes nodes, build workers, and shared research or lab machines.

If patching is not immediately possible, two mitigations disrupt the exploit chain:

  • Prevent the act_pedit module from loading if your environment does not need tc pedit rules. First check whether the module is in use with: lsmod | grep act_pedit. To block loading, the advisory gives this option: echo 'install act_pedit /bin/true' | sudo tee /etc/modprobe.d/disable-act_pedit.conf.
  • Disable unprivileged user namespaces to remove the namespace‑local CAP_NET_ADMIN the exploit needs. Use the vendor‑specific sysctl: user.max_user_namespaces=0 on RHEL, or kernel.unprivileged_userns_clone=0 on Debian/Ubuntu. Note the tradeoffs: disabling unprivileged user namespaces breaks rootless containers, some CI sandboxes, and sandboxed browsers — test before deploying.

Because the overwrite targets cached memory, dropping the page cache will clear a poisoned in‑memory copy; for example: echo 3 > /proc/sys/vm/drop_caches. But that step alone does not remediate an active compromise: it does nothing for a root shell the attacker already opened. The advisory is explicit: treat the host as compromised if exploitation occurred.
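An added audit helper, not code from the advisory or from the kernel project, that tests the two chain preconditions described above (act_pedit resident or loadable, and unprivileged user namespaces enabled) and reports whether the chain is still open on a host; the sysctl names are the ones the advisory gives, the decision logic takes its inputs as arguments so it can be checked on constructed data, and --live reads them from the running host:

```shell
#!/bin/sh
# Added audit helper; not code from the advisory or the kernel project.
# It tests the two preconditions the advisory names for the pedit COW chain
# (act_pedit loadable, unprivileged user namespaces enabled). The decision
# logic takes its inputs as arguments so it can run on constructed data;
# --live gathers them from the host (needs read access to /proc and lsmod).

# modprobe.d carries an "install act_pedit /bin/true" line?  $1 = conf text
module_blocked() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*install[[:space:]]+act_pedit[[:space:]]+/bin/(true|false)'
}
# act_pedit currently resident?  $1 = lsmod output
module_loaded() {
  printf '%s\n' "$1" | grep -Eq '^act_pedit[[:space:]]'
}
# Unprivileged user namespaces available?  $1 = sysctl name, $2 = its value.
# Knobs are the ones the advisory names: user.max_user_namespaces (RHEL),
# kernel.unprivileged_userns_clone (Debian/Ubuntu). An unknown knob or an
# empty value is treated as "enabled" so a typo never reports MITIGATED.
userns_enabled() {
  case "$1" in
    user.max_user_namespaces)         [ "${2:-1}" -gt 0 ] ;;
    kernel.unprivileged_userns_clone) [ "${2:-1}" = 1 ] ;;
    *) echo "unknown sysctl $1; assuming namespaces enabled" >&2; return 0 ;;
  esac
}
# Verdicts: CHAIN-OPEN (both preconditions hold; only the kernel update helps),
# MODULE-BLOCKED, USERNS-DISABLED, MITIGATED (both applied). A modprobe block
# counts only once the module is actually out of memory (rmmod or reboot).
# Args: lsmod text, modprobe.d text, sysctl name, sysctl value
pedit_exposure() {
  blocked=1; userns=1
  if module_blocked "$2" && ! module_loaded "$1"; then blocked=0; fi
  if userns_enabled "$3" "$4"; then userns=0; fi
  if   [ $blocked -eq 0 ] && [ $userns -ne 0 ]; then echo MITIGATED
  elif [ $blocked -eq 0 ]; then echo MODULE-BLOCKED
  elif [ $userns -ne 0 ]; then echo USERNS-DISABLED
  else echo CHAIN-OPEN; fi
}
audit_live_host() {
  if [ -e /proc/sys/kernel/unprivileged_userns_clone ]; then
    k=kernel.unprivileged_userns_clone; v=$(cat /proc/sys/kernel/unprivileged_userns_clone)
  else
    k=user.max_user_namespaces; v=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null)
  fi
  pedit_exposure "$(lsmod 2>/dev/null)" "$(cat /etc/modprobe.d/*.conf 2>/dev/null)" "$k" "$v"
}
case "${1:-}" in --live) audit_live_host ;; esac
```

A CHAIN-OPEN verdict on a kernel that has not received the fix means neither workaround is in effect and the host belongs at the front of the patch-and-reboot queue; the verdict says nothing about whether the kernel itself is patched.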

Timeline and disclosure posture

The fix was publicly posted to the netdev mailing list in late May as a routine data-corruption patch; the exploitable detail sat on the public list for weeks without a CVE or security warning. A CVE was assigned when the fix was merged on June 16, and a working, weaponized proof-of-concept appeared within a day. For kernel page-cache corruption bugs, the advisory warns that "waiting for a scanner rule is too slow."

What this means for multi‑tenant hosts, CI/CD runners, and Kubernetes nodes

These environments are high priority because they commonly host untrusted users or workloads where "local user" privilege is effectively untrusted. Operators should prioritize patching and rebooting those systems first, or apply the module‑block and user‑namespace mitigations until kernels can be updated. Remember that disabling unprivileged namespaces will affect rootless container workflows and some sandboxing models — coordinate with developers and platform teams before applying broad sysctl changes.

The combination of a public patch before CVE assignment, a rapid public proof‑of‑concept, and an exploit that leaves disk images unchanged puts a premium on fast, kernel‑level response: patch, reboot, and assume compromise where evidence of exploitation exists. Original reporting: https://thehackernews.com/2026/06/new-linux-pedit-cow-exploit-enables.html