Last updated: July 5, 2026 at 9:01 AM UTC
Tag: act-pedit (1 article)

New Linux kernel flaws give local users root by poisoning cached binaries

Researchers disclosed closely related Linux kernel flaws in the traffic-control subsystem that let an unprivileged local user gain root, and working exploits appeared within a day of disclosure. The main bug, nicknamed pedit COW (CVE-2026-46331), is an out-of-bounds write in the packet-editing action that corrupts shared page-cache memory; a related variant tracked as DirtyClone (CVE-2026-43503) was demonstrated by JFrog. Rather than touching files on disk, the exploit poisons the cached copy of a setuid root program like /bin/su in memory and runs the altered version as root, so file-integrity checks still pass. Exploitation needs the act_pedit module loadable and unprivileged user namespaces enabled, both common defaults on RHEL and Debian.

Check
Identify Linux systems running affected kernels, and check whether unprivileged user namespaces are enabled and whether the act_pedit traffic-control module can be loaded, the two conditions these exploits require.
Affected
Linux systems on affected kernels (CVE-2026-46331 and CVE-2026-43503), including default RHEL and Debian configurations, where any local user can escalate to root despite file-integrity checks passing.
Fix
Apply kernel updates from your distribution as they ship, and as interim hardening, disable unprivileged user namespaces and block loading of the act_pedit module where it is not needed.
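The two preconditions named under Check can be read from /proc and the modprobe configuration. The script below is an added example, not code from the researchers or any distribution. It does not check the kernel version, and the ROOT override and function names are assumptions made for testing.

```shell
#!/bin/sh
# Added example: report the two exploit preconditions named in the advisory.
# ROOT is a hypothetical override so the checks can run against a test tree.

# Print "enabled", "disabled" or "unknown" for unprivileged user namespaces.
userns_status() {
    root=${1:-}
    max="$root/proc/sys/user/max_user_namespaces"
    clone="$root/proc/sys/kernel/unprivileged_userns_clone"   # Debian/Ubuntu knob
    [ -r "$max" ] || [ -r "$clone" ] || { echo unknown; return; }
    if [ -r "$max" ] && [ "$(cat "$max")" = 0 ]; then echo disabled; return; fi
    if [ -r "$clone" ] && [ "$(cat "$clone")" = 0 ]; then echo disabled; return; fi
    echo enabled
}

# Print "loaded", "blocked" or "loadable" for the act_pedit module.
pedit_status() {
    root=${1:-}
    if grep -qs '^act_pedit ' "$root/proc/modules"; then echo loaded; return; fi
    # modules_disabled=1 stops all further module loading until reboot.
    if [ "$(cat "$root/proc/sys/kernel/modules_disabled" 2>/dev/null)" = 1 ]; then
        echo blocked; return
    fi
    # An "install" override blocks kernel auto-load requests by module name;
    # a plain "blacklist" line only affects alias lookups, so it is not counted.
    for d in etc/modprobe.d run/modprobe.d usr/lib/modprobe.d lib/modprobe.d; do
        if grep -qsE '^[[:space:]]*install[[:space:]]+act_pedit[[:space:]]+/bin/(false|true)' \
            "$root/$d"/*.conf; then
            echo blocked; return
        fi
    done
    echo loadable
}

# Combine both: preconditions are met only if userns is on and the module is reachable.
exposure() {
    u=$(userns_status "${1:-}"); m=$(pedit_status "${1:-}")
    case "$u/$m" in
        disabled/*|*/blocked) echo "mitigated ($u/$m)" ;;
        unknown/*)            echo "unknown ($u/$m)" ;;
        *)                    echo "preconditions-met ($u/$m)" ;;
    esac
}

exposure "${ROOT:-}"
```

A "preconditions-met" result still needs the running kernel compared against the distribution's fixed versions for CVE-2026-46331 and CVE-2026-43503.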