Pedit COW Explained: The Linux Kernel Flaw Letting Local Users Become Root

A new Linux kernel vulnerability nicknamed “pedit COW” has become one of the biggest security stories of June 2026. Tracked as CVE-2026-46331, the bug lets an ordinary, unprivileged user on a Linux machine climb all the way to root — without ever touching a file on disk. A working exploit went public within a day of the CVE being assigned, which is why system administrators everywhere are scrambling to patch.

If you run Linux servers, containers, or shared hosting environments, here’s everything you need to know about pedit COW: what it is, why it’s dangerous, who it affects, and how to protect your systems right now.

What Is Pedit COW?

Pedit COW is a local privilege escalation (LPE) vulnerability in the Linux kernel’s traffic-control (tc) subsystem. Specifically, it lives inside a component called act_pedit, which is used to rewrite network packet headers on the fly.

The name comes from two technical pieces:

  • “pedit” — short for packet editing, the tc action responsible for modifying packet data as it flows through the kernel’s traffic-control framework.
  • “COW” — short for copy-on-write, the memory-sharing strategy the kernel uses to avoid duplicating data unnecessarily. Multiple processes share the same memory page until one of them needs to modify it — only then does the kernel create a private copy.

Pedit COW breaks that second mechanism. The kernel function responsible for editing packets, tcf_pedit_act(), calculates how much memory it needs to privatize before it knows the actual offsets it will write to. Some packet-editing operations only resolve their real write location while the code is already running, so the memory range the kernel “protected” turns out to be too small. The result is an out-of-bounds write that lands outside the privatized copy — directly into the shared page cache.

Because the page cache can back real files in memory, that stray write can corrupt the in-memory image of a legitimate file — including a setuid-root binary like /bin/su.

How the Exploit Works

The public proof-of-concept exploit follows a now-familiar pattern for this class of bug:

  1. An unprivileged user creates a user namespace, which grants them the CAP_NET_ADMIN capability inside that namespace — enough to configure tc traffic-control rules without needing real root access.
  2. The attacker sets up pedit rules that trigger the flawed offset calculation in tcf_pedit_act().
  3. The out-of-bounds write is aimed at the cached, in-memory copy of a setuid binary such as /bin/su, injecting a small malicious payload.
  4. The attacker executes the poisoned binary, which now runs with root privileges.

The entire attack happens in memory. The file on disk is never modified, which means traditional file-integrity monitoring tools won’t catch it — a root shell can be open on your system while every checksum still comes back clean.

Why Security Teams Are Worried

A few factors make pedit COW especially concerning:

  • It’s an N-day, not a same-day surprise. The underlying fix was quietly submitted to the kernel’s netdev mailing list as a routine data-corruption patch, with no CVE and no security framing attached. That means the exploitable detail sat in public view for weeks before most vendors and scanners caught up.
  • The exploit was weaponized almost instantly. A working, publicly available proof-of-concept appeared within roughly a day of the CVE being assigned.
  • It leaves no forensic trace on disk. Because the corruption lives only in RAM, standard file-integrity checks are blind to it.
  • It fits a recurring pattern. Pedit COW joins a growing family of page-cache corruption bugs — including Dirty Pipe, DirtyClone, and Dirty COW — where a kernel fast path writes into memory it doesn’t fully own.

Who Is Affected

Pedit COW impacts a broad swath of the Linux ecosystem:

  • Affected kernel versions: Linux v5.18 through v7.1-rc6. The bug was introduced by a specific kernel commit and fixed in v7.1-rc7.
  • Affected distributions: RHEL 8, 9, and 10; Debian 13 (“trixie”); and Ubuntu releases from 18.04 through 26.04, among others, depending on kernel version and configuration.
  • Two conditions must both be true for a system to be exploitable:
    1. The act_pedit kernel module can be loaded (often true by default, even via autoload).
    2. Unprivileged user namespaces are enabled — the default on many modern Ubuntu and Debian systems, though frequently restricted on RHEL.

The highest-risk environments are multi-user systems and container hosts — shared servers, CI/CD runners, hosting platforms, and Kubernetes nodes — anywhere untrusted code can already run as an unprivileged user. On these systems, pedit COW turns a minor foothold into full root compromise.

How to Patch and Mitigate Pedit COW

1. Patch the Kernel (Primary Fix)

The permanent fix is to update to a kernel version that includes the upstream patch for CVE-2026-46331:

  • Check your current kernel version with uname -r.
  • Compare it against the fixed version for your distribution (available via your vendor’s security advisory).
  • Apply the kernel update through your normal package manager and reboot, or apply a live patch if your environment supports one.

2. Temporary Mitigation: Block the act_pedit Module

If you don’t rely on tc pedit rules, you can prevent the vulnerable module from loading:

```bash
# Check whether the module is currently loaded
lsmod | grep act_pedit

# Block it from loading
echo 'install act_pedit /bin/true' | sudo tee /etc/modprobe.d/disable-act_pedit.conf

# If already loaded, remove it (or reboot)
# rmmod reports "Module act_pedit is in use" while tc rules still reference the
# action; delete those rules first, or reboot
sudo rmmod act_pedit
```

3. Temporary Mitigation: Disable Unprivileged User Namespaces

This removes the capability the exploit depends on:

```bash
# Debian / Ubuntu (this sysctl exists only on kernels carrying the Debian/Ubuntu patch)
sudo sysctl -w kernel.unprivileged_userns_clone=0

# RHEL and derivatives
sudo sysctl -w user.max_user_namespaces=0

# Both settings are lost at reboot; persist them in /etc/sysctl.d/ once tested
```

Warning: Disabling unprivileged user namespaces can break rootless containers, some CI/CD sandboxes, and sandboxed browsers. Test this change carefully before rolling it out broadly.
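The two exploitability conditions above (act_pedit loadable, unprivileged user namespaces enabled) are the same ones mitigations 2 and 3 remove, so it is worth being able to verify both in one pass. The script below is an added example, not code from the article or from any distribution: it reads /proc and /etc/modprobe.d, changes nothing, and reports "exposed" only when both conditions still hold. It uses the sysctl names and the `install act_pedit /bin/true` override the article gives; the sample /proc/modules and modprobe.d contents are constructed for the dry run.

```python
"""Read-only exposure check for pedit COW's two preconditions.

Added example, not code from the article or from any distribution. It reads
/proc and /etc/modprobe.d and changes nothing. The sysctl names and the
"install act_pedit /bin/true" override are the ones the article gives; all
sample data below is constructed.
"""
import re
from pathlib import Path

PROC_MODULES = "/proc/modules"
MODPROBE_D = "/etc/modprobe.d"
# Present only on kernels carrying the Debian/Ubuntu patch; absent elsewhere.
SYSCTL_USERNS_CLONE = "/proc/sys/kernel/unprivileged_userns_clone"
SYSCTL_MAX_USER_NS = "/proc/sys/user/max_user_namespaces"

_INSTALL_OVERRIDE = re.compile(r"^\s*install\s+act_pedit\s+/bin/(true|false)\b")


def act_pedit_loaded(proc_modules_text):
    """True if the /proc/modules text lists act_pedit (first field of a line)."""
    return any(line.split(" ", 1)[0] == "act_pedit"
               for line in proc_modules_text.splitlines())


def act_pedit_blocked(modprobe_conf_texts):
    """True if any modprobe.d file neutralizes act_pedit with an install override.

    A plain 'blacklist act_pedit' line only stops alias-based autoloading and
    does not stop an explicit modprobe, so it is deliberately not accepted."""
    return any(_INSTALL_OVERRIDE.search(line)
               for text in modprobe_conf_texts for line in text.splitlines())


def userns_enabled(userns_clone_value, max_user_ns_value):
    """True if an unprivileged user can still create a user namespace.

    Either argument may be None when the corresponding sysctl file is absent."""
    if userns_clone_value is not None and userns_clone_value.strip() == "0":
        return False
    if max_user_ns_value is not None and max_user_ns_value.strip() == "0":
        return False
    return True


def assess(loaded, blocked, userns):
    """Combine the checks: exploitation needs a usable act_pedit AND user namespaces.

    A module that is already loaded stays usable even after the modprobe.d
    override is written; it has to be removed with rmmod or by rebooting."""
    module_usable = loaded or not blocked
    if module_usable and userns:
        return "exposed"
    reasons = []
    if not module_usable:
        reasons.append("act_pedit not loadable")
    if not userns:
        reasons.append("unprivileged user namespaces restricted")
    return "mitigated: " + "; ".join(reasons)


def _read(path):
    try:
        return Path(path).read_text()
    except OSError:
        return None


def live_check():
    """Evaluate the running host (read-only). Run as root to be able to read everything."""
    modules = _read(PROC_MODULES) or ""
    conf_dir = Path(MODPROBE_D)
    confs = [_read(p) or "" for p in sorted(conf_dir.glob("*.conf"))] if conf_dir.is_dir() else []
    return assess(act_pedit_loaded(modules),
                  act_pedit_blocked(confs),
                  userns_enabled(_read(SYSCTL_USERNS_CLONE), _read(SYSCTL_MAX_USER_NS)))


# Constructed sample inputs for a dry run; not captured from a real host.
SAMPLE_MODULES = ("act_pedit 24576 1 - Live 0x0000000000000000\n"
                  "act_mirred 20480 0 - Live 0x0000000000000000\n")
SAMPLE_MODPROBE_BLOCK = "# /etc/modprobe.d/disable-act_pedit.conf\ninstall act_pedit /bin/true\n"

if __name__ == "__main__":
    # Module loaded, override written, user namespaces on: still exposed until rmmod/reboot.
    print("sample:", assess(act_pedit_loaded(SAMPLE_MODULES),
                            act_pedit_blocked([SAMPLE_MODPROBE_BLOCK]),
                            userns_enabled("1", "15000")))
    print("this host:", live_check())
```

The sample run deliberately shows the trap the article warns about in mitigation 2: writing the modprobe.d override while act_pedit is already loaded leaves the host exposed until the module is removed or the host rebooted. The script does not attempt kernel-version comparison, because distribution kernels carry backported fixes under their own version strings; use your vendor advisory for that step.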

4. If You Suspect Exploitation

Because the corruption lives in memory, you can clear a poisoned page cache by dropping it:

```bash
echo 3 | sudo tee /proc/sys/vm/drop_caches
```

This is containment, not remediation — it removes the poisoned in-memory copy but does nothing to close a root shell an attacker may have already opened. If you have reason to believe a host was exploited, treat it as compromised and follow your incident response process.

Detection Tips

There’s no reliable after-the-fact signature for pedit COW, since it leaves nothing on disk. Still, a few things are worth watching for:

  • Unexpected loading of the act_pedit module on hosts that don’t normally do traffic-control packet editing.
  • Unusual tc command activity from users or processes that never configure networking.
  • Creation of unprivileged user namespaces shortly before execution of setuid binaries like su or sudo.
  • Shell execution immediately following traffic-control activity with no legitimate business reason.

Auditing tools like auditctl can help flag this activity:

```bash
# Rules added with auditctl do not survive a reboot; put them in
# /etc/audit/rules.d/ to make them permanent
auditctl -w /sbin/tc -p x -k tc_exec
auditctl -w /usr/sbin/tc -p x -k tc_exec
```
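The audit rules above only record that tc ran; the signal in the detection tips is the sequence, tc activity followed shortly by a setuid binary such as su or sudo from the same unprivileged user. The script below is an added example, not code from the article, that performs that correlation over audit SYSCALL records. It consumes records keyed `tc_exec` (the article's rule) and assumes you also watch the setuid binaries with a rule such as `-w /usr/bin/su -p x -k setuid_exec` (an assumption; the `setuid_exec` key name is invented here). The audit lines are constructed for the example and are not real host data.

```python
"""Correlate tc execution with a following su/sudo execution by the same uid.

Added example, not code from the article. Records are audit SYSCALL lines;
the "tc_exec" key comes from the article's auditctl rules, and the watch on
su/sudo (key "setuid_exec") is an assumed companion rule. Sample lines below
are constructed.
"""
import re

# Fields of a SYSCALL record in the order auditd writes them. "\buid=" does not
# match inside auid=, euid=, suid= or fsuid= because of the word boundary.
AUDIT_RE = re.compile(
    r'msg=audit\((?P<ts>\d+\.\d+):\d+\).*?\buid=(?P<uid>\d+)\b'
    r'.*?\bexe="(?P<exe>[^"]*)".*?\bkey="(?P<key>[^"]*)"'
)

# Paths of setuid binaries worth correlating (extend for your distribution).
SETUID_TARGETS = {"/usr/bin/su", "/bin/su", "/usr/bin/sudo"}
WINDOW_SECONDS = 60.0  # how soon after tc a setuid execution counts as related


def parse_record(line):
    """Return a dict for a keyed SYSCALL record, or None for anything else."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    return {"ts": float(m["ts"]), "uid": int(m["uid"]),
            "exe": m["exe"], "key": m["key"]}


def find_tc_then_setuid(lines, window=WINDOW_SECONDS):
    """Return (uid, tc_ts, setuid_exe, setuid_ts) for each setuid execution
    that follows a tc execution by the same non-root uid within `window`."""
    events = [r for r in map(parse_record, lines) if r]
    events.sort(key=lambda r: r["ts"])
    last_tc = {}  # uid -> timestamp of that uid's most recent tc execution
    hits = []
    for r in events:
        if r["uid"] == 0:
            continue  # root running tc or su is routine administration
        if r["key"] == "tc_exec":
            last_tc[r["uid"]] = r["ts"]
        elif r["exe"] in SETUID_TARGETS and r["uid"] in last_tc:
            delta = r["ts"] - last_tc[r["uid"]]
            if 0 <= delta <= window:
                hits.append((r["uid"], last_tc[r["uid"]], r["exe"], r["ts"]))
    return hits


# Constructed sample records: uid 1000 runs tc twice and su four seconds later;
# uid 1001 runs sudo an hour later with no tc activity at all.
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1750000000.101:201): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=4101 pid=4102 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 '
    'tty=pts0 comm="tc" exe="/usr/sbin/tc" key="tc_exec"',
    'type=SYSCALL msg=audit(1750000000.118:202): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=4101 pid=4103 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 '
    'tty=pts0 comm="tc" exe="/usr/sbin/tc" key="tc_exec"',
    'type=SYSCALL msg=audit(1750000004.300:203): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=4101 pid=4110 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 '
    'tty=pts0 comm="su" exe="/usr/bin/su" key="setuid_exec"',
    'type=SYSCALL msg=audit(1750003600.000:340): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=5100 pid=5101 auid=1001 uid=1001 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 '
    'tty=pts1 comm="sudo" exe="/usr/bin/sudo" key="setuid_exec"',
]

if __name__ == "__main__":
    for uid, tc_ts, exe, ts in find_tc_then_setuid(SAMPLE_AUDIT):
        print(f"uid {uid}: tc at {tc_ts:.3f}, then {exe} {ts - tc_ts:.1f}s later")
```

Feed it `ausearch -k tc_exec -k setuid_exec --raw` output, or the raw audit.log, and treat each hit as a lead to investigate rather than a verdict: a legitimate network administrator may well run tc and then sudo. The window and the target set are the two knobs to tune for your environment.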

Pedit COW vs. Dirty Pipe, DirtyClone, and Dirty COW

Pedit COW is part of a broader family of Linux kernel bugs that all share the same underlying shape: a kernel fast path writes into a memory page it doesn’t fully own, and the shared page cache absorbs the damage.

  • Dirty COW (2016) — one of the earliest and most famous examples of a race condition in the copy-on-write mechanism.
  • Dirty Pipe (2022) — allowed overwriting data in read-only files via a pipe-buffer flaw.
  • DirtyClone (CVE-2026-43503) — disclosed around the same time as pedit COW, this one lives in the helpers that handle skb fragment transfers in the ESP/XFRM input path, but leads to the same page-cache corruption outcome.

The entry point differs each time, but the impact is consistent: an unprivileged local user ends up with root.

Frequently Asked Questions

Is pedit COW remotely exploitable? No. It requires local access — the attacker must already be able to run unprivileged code on the target machine. The real danger comes when it’s chained with another vulnerability (a web shell, a compromised account, or a shared container) that provides that initial foothold.

Will antivirus or file-integrity monitoring catch it? Generally, no. The corruption happens in the page cache in RAM, not in the file on disk, so file-integrity tools typically report a clean result even while the system has been compromised.

What’s the single most important action to take? Patch your kernel. The mitigations (blocking act_pedit, disabling unprivileged user namespaces) are useful stopgaps, but only a kernel update fully closes the vulnerability.

Does this affect desktop Linux users? It can, though the risk is far higher on multi-user systems, shared hosting, and container platforms where untrusted users or workloads already run unprivileged code. A typical single-user desktop has a much smaller attack surface, but should still be patched.

Bottom Line

Pedit COW (CVE-2026-46331) is a serious reminder that “local-only” vulnerabilities can be just as dangerous as remote ones — especially in the multi-tenant, containerized infrastructure most organizations run today. The fix is straightforward: patch your kernel as soon as possible, and use the module-blocking and user-namespace mitigations as a bridge if you can’t patch immediately. Given how quickly a working exploit followed the CVE disclosure, treating this as a same-day priority — not a “next maintenance window” item — is the safest call.
