CVE-2026-46331: Linux Kernel act_pedit — Local Root Escalation Risk (June 2026)

breachwire Team | Jun 30, 2026

CVE-2026-46331 — Linux Kernel act_pedit

CVE-2026-46331 is a critical vulnerability in the Linux kernel’s traffic-control subsystem (act_pedit) that allows local unprivileged users to escalate privileges to root. The flaw is rated critical due to the availability of a public proof-of-concept exploit and the potential for rapid compromise across multi-tenant and shared environments.

Attack Vector

Attackers exploit this vulnerability by leveraging the act_pedit packet-editing action in conjunction with unprivileged user namespaces. The exploit poisons cached binaries in memory, granting a root shell without touching files on disk—thus bypassing file-integrity monitoring. Successful exploitation requires both the act_pedit kernel module and unprivileged user namespaces to be enabled. The exploit code was published publicly within 24 hours of CVE assignment, increasing the risk of widespread attacks.

Who Is at Risk

Red Hat, Debian, and Ubuntu distributions are confirmed affected. Any Linux system running a vulnerable kernel version with act_pedit and unprivileged user namespaces enabled is at risk. This includes multi-tenant hosts, CI/CD runners, Kubernetes worker nodes, and other shared compute environments. Systems exposed to untrusted local users or automation workloads are particularly vulnerable.

Patch & Mitigate

  • Patch: Apply vendor kernel patches addressing CVE-2026-46331 as soon as available. Check your distribution’s security advisories for fixed versions.
  • Workaround: If immediate patching is not possible, disable unprivileged user namespaces and unload or blacklist the act_pedit module to reduce exposure.
  • Detect: Monitor for unusual invocations of act_pedit, unexpected privilege escalations, and anomalous process launches from unprivileged users. Review kernel logs for suspicious traffic-control subsystem activity.
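To confirm the workaround took effect, a host can be audited for the two preconditions named above. The following script is an added example, not code from the advisory or any vendor: it checks whether unprivileged user namespaces are usable and whether act_pedit is loaded or still loadable. The function names and the optional root-directory argument are assumptions for illustration; the sysctl files are the upstream user.max_user_namespaces and the Debian/Ubuntu-specific kernel.unprivileged_userns_clone.

```shell
#!/bin/sh
# Added example: audit the two preconditions the advisory lists.
# Each function takes an optional root prefix so it can be pointed at a
# copied or constructed filesystem tree instead of the live host.
# Usage on a live host:  check_exposure

# Returns 0 if unprivileged user namespaces appear usable.
# Missing or unreadable sysctl files are treated as "enabled" (conservative).
userns_enabled() {
    root=${1:-}
    max="$root/proc/sys/user/max_user_namespaces"
    clone="$root/proc/sys/kernel/unprivileged_userns_clone"  # Debian/Ubuntu only
    # max_user_namespaces = 0 stops creation of new user namespaces.
    if [ -r "$max" ] && [ "$(cat "$max")" = "0" ]; then return 1; fi
    # unprivileged_userns_clone = 0 blocks creation by unprivileged users.
    if [ -r "$clone" ] && [ "$(cat "$clone")" = "0" ]; then return 1; fi
    return 0
}

# Returns 0 if act_pedit is loaded now or can still be loaded on demand.
pedit_available() {
    root=${1:-}
    if grep -q '^act_pedit ' "$root/proc/modules" 2>/dev/null; then return 0; fi
    # Only an "install act_pedit /bin/false" (or /bin/true) override stops
    # modprobe from loading the module by name. A bare "blacklist" line only
    # disables the module's internal aliases, so it is not counted here.
    if grep -rhqsE \
        '^[[:space:]]*install[[:space:]]+act_pedit[[:space:]]+/bin/(false|true)' \
        "$root/etc/modprobe.d"; then return 1; fi
    return 0
}

# Prints a verdict. Returns 0 when both preconditions hold (the host is
# exposed unless its kernel is patched), 1 when at least one is disabled.
check_exposure() {
    root=${1:-}
    if userns_enabled "$root" && pedit_available "$root"; then
        echo "EXPOSED: unprivileged userns enabled and act_pedit loadable"
        return 0
    fi
    echo "REDUCED: at least one precondition is disabled"
    return 1
}
```

A kernel with act_pedit built in rather than built as a module does not list it in /proc/modules and cannot be blocked through modprobe.d, so on such hosts only the user-namespace setting reduces exposure.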

MITRE ATT&CK

  • TA0004 — Privilege Escalation: Attackers use this flaw to gain root access from unprivileged accounts.
  • T1068 — Exploitation for Privilege Escalation: The vulnerability is exploited locally to elevate privileges.

Source: https://thehackernews.com/2026/06/new-linux-pedit-cow-exploit-enables.html
