
CVE-2026-46331: Linux Kernel act_pedit — Local Root Escalation Risk (June 2026)
CVE-2026-46331 — Linux Kernel act_pedit
CVE-2026-46331 is a critical vulnerability in the Linux kernel’s traffic-control subsystem (act_pedit) that allows local unprivileged users to escalate privileges to root. The flaw is rated critical due to the availability of a public proof-of-concept exploit and the potential for rapid compromise across multi-tenant and shared environments.
Attack Vector
Attackers exploit this vulnerability by leveraging the act_pedit packet-editing action in conjunction with unprivileged user namespaces. The exploit poisons cached binaries in memory, granting a root shell without touching files on disk—thus bypassing file-integrity monitoring. Successful exploitation requires both the act_pedit kernel module and unprivileged user namespaces to be enabled. The exploit code was published publicly within 24 hours of CVE assignment, increasing the risk of widespread attacks.
Who Is at Risk
Red Hat, Debian, and Ubuntu distributions are confirmed affected. Any Linux system running a vulnerable kernel version with act_pedit and unprivileged user namespaces enabled is at risk. This includes multi-tenant hosts, CI/CD runners, Kubernetes worker nodes, and other shared compute environments. Systems exposed to untrusted local users or automation workloads are particularly vulnerable.
Patch & Mitigate
- Patch: Apply vendor kernel patches addressing CVE-2026-46331 as soon as available. Check your distribution’s security advisories for fixed versions.
- Workaround: If immediate patching is not possible, disable unprivileged user namespaces and unload or blacklist the act_pedit module to reduce exposure.
- Detect: Monitor for unusual invocations of act_pedit, unexpected privilege escalations, and anomalous process launches from unprivileged users. Review kernel logs for suspicious traffic-control subsystem activity.
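An added example, not from the original advisory or any vendor: a shell check of the two preconditions and the workaround listed above. The sysctl paths (`user.max_user_namespaces`, and `kernel.unprivileged_userns_clone` on Debian/Ubuntu kernels), the `/etc/modprobe.d` location and a loadable rather than built-in act_pedit are assumptions; the optional root-prefix argument is hypothetical and exists only so the checks can read a constructed tree.

```bash
#!/usr/bin/env bash
# Added example: exposure check for the two preconditions in this advisory.
# Assumes act_pedit is built as a loadable module (a built-in cannot be unloaded).
# $1 is an optional root prefix (hypothetical) so the checks can read a test tree.

# Return 0 when unprivileged user namespaces look enabled.
userns_enabled() {
    local root="${1:-}" max clone
    # user.max_user_namespaces=0 disables user namespaces on any distribution.
    max=$(cat "$root/proc/sys/user/max_user_namespaces" 2>/dev/null || echo "")
    # kernel.unprivileged_userns_clone exists on Debian/Ubuntu kernels only.
    clone=$(cat "$root/proc/sys/kernel/unprivileged_userns_clone" 2>/dev/null || echo "")
    if [ "$max" = "0" ] || [ "$clone" = "0" ]; then return 1; fi
    return 0
}

# Return 0 when act_pedit is currently loaded.
pedit_loaded() {
    grep -qs '^act_pedit ' "${1:-}/proc/modules"
}

# Return 0 when modprobe is told to refuse the module. A bare "blacklist" line
# only suppresses alias-based loading and does not stop a load by module name,
# so only an "install act_pedit /bin/false" (or /bin/true) override counts.
pedit_blocked() {
    grep -Eqs '^[[:space:]]*install[[:space:]]+act_pedit[[:space:]]+/bin/(false|true)' \
        "${1:-}"/etc/modprobe.d/*.conf
}

# Print one verdict: mitigated-userns, exposed-loaded, mitigated-blocked, exposed-autoload.
exposure() {
    local root="${1:-}"
    if ! userns_enabled "$root"; then echo "mitigated-userns"; return 0; fi
    # A modprobe override does not remove a module that is already resident.
    if pedit_loaded "$root"; then echo "exposed-loaded"; return 0; fi
    if pedit_blocked "$root"; then echo "mitigated-blocked"; return 0; fi
    echo "exposed-autoload"
}

# Run against the live system only when asked, e.g.: bash check.sh --live
if [ "${1:-}" = "--live" ]; then exposure ""; fi
```

A `mitigated-*` verdict reflects the workaround only; the host still needs the vendor kernel fix.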
MITRE ATT&CK
- TA0004 — Privilege Escalation: Attackers use this flaw to gain root access from unprivileged accounts.
- T1068 — Exploitation for Privilege Escalation: The vulnerability is exploited locally to elevate privileges.
Source: https://thehackernews.com/2026/06/new-linux-pedit-cow-exploit-enables.html

