New Linux pedit COW Exploit Enables Root Access by Poisoning Cached Binaries
Key Points:
- A critical flaw (CVE-2026-46331, "pedit COW") in the Linux kernel's traffic-control subsystem allows local unprivileged users to gain root privileges by corrupting shared page-cache memory via the packet-editing action (act_pedit).
- The exploit modifies the cached in-memory copy of a setuid root binary without altering the file on disk, bypassing file-integrity checks while enabling a root shell.
- Successful exploitation requires act_pedit to be loadable and unprivileged user namespaces to be enabled, conditions met by default on tested RHEL 10 and Debian 13 systems; Ubuntu 26.04 restricts this path by default.
- Vendors have released patches for affected distributions, including Debian and Red Hat, and users are urged to update kernels and reboot, especially on multi-tenant or shared systems.
- Mitigations include disabling the act_pedit module or unprivileged user namespaces, but these may impact container and sandbox functionality; dropping page cache clears corrupted memory but does not remove an active root shell, so compromised hosts should be treated accordingly.
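The two preconditions and the matching mitigations above can be audited per host; the following is an added example, not code from the advisory or any vendor, and it does not check kernel patch level. Assumptions not taken from the page: the sysctl files used to read the user-namespace setting (`user/max_user_namespaces`, Debian's `kernel/unprivileged_userns_clone`, Ubuntu's `kernel/apparmor_restrict_unprivileged_userns`), the modprobe `install` override as the way the module is disabled, and the function and verdict names.

```shell
#!/bin/sh
# Added example: audit the act_pedit / user-namespace preconditions.
# Usage: pedit_exposure [ROOT]  (ROOT defaults to the live system; pass a
# mounted image directory to audit it offline).

pedit_state() {
    root=${1:-}
    if grep -qs '^act_pedit ' "$root/proc/modules"; then
        echo loaded; return
    fi
    # Only an "install" override stops the kernel loading a module by name;
    # a plain "blacklist" line does not.
    if grep -Eqs '^[[:space:]]*install[[:space:]]+act_pedit[[:space:]]+(/usr)?/bin/(false|true)' \
        "$root"/etc/modprobe.d/*.conf; then
        echo blocked; return
    fi
    if grep -qs '/act_pedit\.ko' "$root"/lib/modules/*/modules.dep; then
        echo available
    else
        echo absent
    fi
}

userns_state() {
    sys="${1:-}/proc/sys"
    [ -r "$sys/user/max_user_namespaces" ] || { echo unknown; return; }
    max=$(cat "$sys/user/max_user_namespaces")
    # Debian-specific switch; a missing file means no such restriction.
    clone=$(cat "$sys/kernel/unprivileged_userns_clone" 2>/dev/null || echo 1)
    # Ubuntu AppArmor restriction on unprivileged user namespaces.
    aa=$(cat "$sys/kernel/apparmor_restrict_unprivileged_userns" 2>/dev/null || echo 0)
    if [ "$max" = 0 ] || [ "$clone" = 0 ]; then echo disabled
    elif [ "$aa" = 1 ]; then echo restricted
    else echo enabled
    fi
}

pedit_exposure() {
    p=$(pedit_state "${1:-}"); u=$(userns_state "${1:-}")
    case "$p:$u" in
        blocked:*|absent:*|*:disabled) verdict=mitigated ;;
        *:restricted|*:unknown)        verdict=review ;;
        *)                             verdict=preconditions-met ;;
    esac
    echo "act_pedit=$p userns=$u verdict=$verdict"
}

pedit_exposure "$@"
```

A `mitigated` verdict reflects configuration only; a host that had the preconditions before the change still needs the kernel update and reboot described above.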