OSG-SEC-2026-06-23 Important privilege escalation flaw in act_pedit
Dear OSG Security Contacts,
A privilege escalation flaw has been identified in the Linux kernel's act_pedit traffic control subsystem (CVE-2026-46331). Due to a missing bounds check, a local user may trigger an out-of-bounds write condition that corrupts memory. Successful exploitation could allow the attacker to obtain administrative (root) privileges on the affected system. A public exploit is available.
WHAT ARE THE VULNERABILITIES:
“In the Linux kernel, the following vulnerability has been resolved:
net/sched: fix pedit partial COW leading to page cache corruption
tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account for the runtime header offset added by typed keys. This can leave part of the write region un-COW'd.
Fix by moving skb_ensure_writable() inside the per-key loop where the actual write offset is known, and add overflow checking on the offset arithmetic. For negative offsets (e.g. Ethernet header edits at ingress), use skb_cow() to COW the headroom instead. Guard offset_valid() against INT_MIN, where negation is undefined.” [2]
IMPACTED VERSIONS:
Affected kernel version ranges
According to the Linux CNA data and downstream trackers [3], the affected ranges are:
Affected Branch    Vulnerable Versions
4.19 LTS           4.19.244 through < 4.20
5.4 LTS            5.4.195 through < 5.5
5.10 LTS           5.10.117 through < 5.11
5.15 LTS           5.15.41 through < 5.16
5.17               5.17.9 through < 5.18
Mainline           5.18 through 6.12.93
Mainline           6.13.x through 6.18.35
Mainline           6.19.x through 7.0.12
All Red Hat Enterprise Linux variants are affected. [1]
WHAT YOU SHOULD DO:
Patch affected systems as vendors release updates.
MITIGATION
To mitigate this issue, block the affected act_pedit module. This prevents it from being automatically loaded at boot time.
Warning: This mitigation may not be suitable for systems that use tc pedit rules for traffic shaping or packet header rewriting. Please check to see if the blacklist-act-pedit.conf file exists before overwriting it. Run "lsmod | grep act_pedit" to check whether the module is currently in use.
echo "blacklist act_pedit" > /etc/modprobe.d/blacklist-act-pedit.conf
If the module is currently loaded, unload it or reboot for the block to take effect. For additional guidance for blocking kernel modules, see “How do I prevent a kernel module from being loaded automatically?” (https://access.redhat.com/solutions/41278). [1]
Disabling user namespaces or network namespaces also protects against the currently known public exploit. [4]
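The checks described above combined into one triage script, as an added example that is not part of the OSG advisory. The function names and the optional path arguments are assumptions made for illustration; the version ranges are copied from the advisory's table and describe upstream kernels, so a vendor kernel such as RHEL's can be affected while its version string falls outside them.

```shell
#!/bin/sh
# Added triage example, not part of the OSG advisory. Ranges are the upstream
# versions from the advisory's table; vendor kernels carry backports (the
# advisory lists all RHEL variants as affected), so confirm with vendor errata.

# "X.Y.Z-suffix" -> X*1000000 + Y*1000 + Z, for numeric comparison.
kver_num() {
    v=${1%%[!0-9.]*}                # drop "-427.el9.x86_64" style suffixes
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Return 0 if the version is inside a listed range. Upper bounds such as
# "< 4.20" are written as patch level 999 of the same branch.
in_affected_range() {
    n=$(kver_num "$1")
    while read -r lo hi; do
        [ "$n" -ge "$(kver_num "$lo")" ] && [ "$n" -le "$(kver_num "$hi")" ] && return 0
    done <<'EOF'
4.19.244 4.19.999
5.4.195 5.4.999
5.10.117 5.10.999
5.15.41 5.15.999
5.17.9 5.17.999
5.18.0 6.12.93
6.13.0 6.18.35
6.19.0 7.0.12
EOF
    return 1
}

# Return 0 if act_pedit is loaded. The optional path argument (default
# /proc/modules, the source lsmod reads) exists only to allow testing.
pedit_loaded() { grep -qs '^act_pedit ' "${1:-/proc/modules}"; }

# Return 0 if a modprobe.d file (directory overridable for testing)
# contains a "blacklist act_pedit" line.
pedit_blocked() {
    cat "${1:-/etc/modprobe.d}"/*.conf 2>/dev/null |
        grep -qE '^[[:space:]]*blacklist[[:space:]]+act_pedit[[:space:]]*$'
}

report() {
    k=${1:-$(uname -r)}
    in_affected_range "$k" && echo "$k: in an affected upstream range" \
        || echo "$k: outside the listed upstream ranges"
    pedit_loaded && echo "act_pedit: loaded" || echo "act_pedit: not loaded"
    pedit_blocked && echo "act_pedit: blacklist rule present" \
        || echo "act_pedit: no blacklist rule found"
}
report "$@"
```

Run it with no argument to check the running kernel, or pass a version string to evaluate another host's `uname -r` output.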
REFERENCES
[1] https://access.redhat.com/security/vulnerabilities/RHSB-2026-008
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-46331
[3] https://app.opencve.io/cve/CVE-2026-46331
[4] https://securityvulnerability.io/vulnerability/CVE-2026-46331
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team