A new Linux kernel vulnerability nicknamed “pedit COW” has become one of the biggest security stories of June 2026. Tracked as CVE-2026-46331, the bug lets an ordinary, unprivileged user on a Linux machine climb all the way to root — without ever touching a file on disk. A working exploit went public within a day of the CVE being assigned, which is why system administrators everywhere are scrambling to patch.
If you run Linux servers, containers, or shared hosting environments, here’s everything you need to know about pedit COW: what it is, why it’s dangerous, who it affects, and how to protect your systems right now.
What Is Pedit COW?
Pedit COW is a local privilege escalation (LPE) vulnerability in the Linux kernel’s traffic-control (tc) subsystem. Specifically, it lives inside a component called act_pedit, which is used to rewrite network packet headers on the fly.
The name comes from two technical pieces:
- “pedit” — short for packet editing, the tc action responsible for modifying packet data as it flows through the kernel’s traffic-control framework.
- “COW” — short for copy-on-write, the memory-sharing strategy the kernel uses to avoid duplicating data unnecessarily. Multiple processes share the same memory page until one of them needs to modify it — only then does the kernel create a private copy.
Pedit COW breaks that second mechanism. The kernel function responsible for editing packets, tcf_pedit_act(), calculates how much memory it needs to privatize before it knows the actual offsets it will write to. Some packet-editing operations only resolve their real write location while the code is already running, so the memory range the kernel “protected” turns out to be too small. The result is an out-of-bounds write that lands outside the privatized copy — directly into the shared page cache.
Because the page cache can back real files in memory, that stray write can corrupt the in-memory image of a legitimate file — including a setuid-root binary like /bin/su.
How the Exploit Works
The public proof-of-concept exploit follows a now-familiar pattern for this class of bug:
- An unprivileged user creates a user namespace, which grants them the CAP_NET_ADMIN capability inside that namespace — enough to configure tc traffic-control rules without needing real root access.
- The attacker sets up pedit rules that trigger the flawed offset calculation in tcf_pedit_act().
- The out-of-bounds write is aimed at the cached, in-memory copy of a setuid binary such as /bin/su, injecting a small malicious payload.
- The attacker executes the poisoned binary, which now runs with root privileges.
The entire attack happens in memory. The file on disk is never modified, which means traditional file-integrity monitoring tools won’t catch it — a root shell can be open on your system while every checksum still comes back clean.
Why Security Teams Are Worried
A few factors make pedit COW especially concerning:
- It’s an N-day, not a same-day surprise. The underlying fix was quietly submitted to the kernel’s netdev mailing list as a routine data-corruption patch, with no CVE and no security framing attached. That means the exploitable detail sat in public view for weeks before most vendors and scanners caught up.
- The exploit was weaponized almost instantly. A working, publicly available proof-of-concept appeared within roughly a day of the CVE being assigned.
- It leaves no forensic trace on disk. Because the corruption lives only in RAM, standard file-integrity checks are blind to it.
- It fits a recurring pattern. Pedit COW joins a growing family of page-cache corruption bugs — including Dirty Pipe, DirtyClone, and Dirty COW — where a kernel fast path writes into memory it doesn’t fully own.
Who Is Affected
Pedit COW impacts a broad swath of the Linux ecosystem:
- Affected kernel versions: Linux v5.18 through v7.1-rc6. The bug was introduced by a specific kernel commit and fixed in v7.1-rc7.
- Affected distributions: RHEL 8, 9, and 10; Debian 13 (“trixie”); and Ubuntu releases from 18.04 through 26.04, among others, depending on kernel version and configuration.
- Two conditions must both be true for a system to be exploitable:
  - The act_pedit kernel module can be loaded (often true by default, even via autoload).
  - Unprivileged user namespaces are enabled — the default on many modern Ubuntu and Debian systems, though frequently restricted on RHEL.
The highest-risk environments are multi-user systems and container hosts — shared servers, CI/CD runners, hosting platforms, and Kubernetes nodes — anywhere untrusted code can already run as an unprivileged user. On these systems, pedit COW turns a minor foothold into full root compromise.
How to Patch and Mitigate Pedit COW
1. Patch the Kernel (Primary Fix)
The permanent fix is to update to a kernel version that includes the upstream patch for CVE-2026-46331:
- Check your current kernel version with uname -r.
- Compare it against the fixed version for your distribution (available via your vendor’s security advisory).
- Apply the kernel update through your normal package manager and reboot, or apply a live patch if your environment supports one.
2. Temporary Mitigation: Block the act_pedit Module
If you don’t rely on tc pedit rules, you can prevent the vulnerable module from loading:
```bash
# Check whether the module is currently loaded
lsmod | grep act_pedit
# Block it from loading
echo 'install act_pedit /bin/true' | sudo tee /etc/modprobe.d/disable-act_pedit.conf
# If already loaded, remove it (or reboot)
sudo rmmod act_pedit
```
3. Temporary Mitigation: Disable Unprivileged User Namespaces
This removes the capability the exploit depends on:
```bash
# Debian / Ubuntu
sudo sysctl -w kernel.unprivileged_userns_clone=0
# RHEL and derivatives
sudo sysctl -w user.max_user_namespaces=0
```
Warning: Disabling unprivileged user namespaces can break rootless containers, some CI/CD sandboxes, and sandboxed browsers. Test this change carefully before rolling it out broadly.
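The two exploitability conditions and the two stopgaps above can be checked together on a host. The script below is an added example, not part of the original article or any vendor tooling; the ROOT argument and the function names are assumptions made so the checks can read a test directory, and it does not compare kernel versions.

```shell
#!/bin/sh
# Added example. ROOT (default /) is a hypothetical parameter that lets the
# checks read a fixture directory instead of the live system.

# Prints: loaded | blocked | loadable
pedit_state() {
    root="${1:-/}"
    if grep -qs '^act_pedit ' "$root/proc/modules"; then
        echo loaded      # an install override does not unload a live module
    elif grep -Eqs '^[[:space:]]*install[[:space:]]+act_pedit[[:space:]]+/bin/(true|false)' \
            "$root"/etc/modprobe.d/*.conf; then
        echo blocked     # the modprobe.d override from mitigation 2 is present
    else
        echo loadable    # note: a built-in act_pedit is not detected here
    fi
}

# Prints: enabled | disabled (either sysctl from mitigation 3 set to 0)
userns_state() {
    root="${1:-/}"
    clone="$root/proc/sys/kernel/unprivileged_userns_clone"
    max="$root/proc/sys/user/max_user_namespaces"
    if [ -r "$clone" ] && [ "$(cat "$clone")" = "0" ]; then
        echo disabled
    elif [ -r "$max" ] && [ "$(cat "$max")" = "0" ]; then
        echo disabled
    else
        echo enabled
    fi
}

# Both conditions must hold for the host to count as exposed.
exposure() {
    root="${1:-/}"
    if [ "$(pedit_state "$root")" != blocked ] &&
       [ "$(userns_state "$root")" = enabled ]; then
        echo EXPOSED
    else
        echo MITIGATED
    fi
}

exposure "${1:-/}"
```

A result of MITIGATED only reflects the stopgaps; the kernel still needs the vendor's fixed version.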
4. If You Suspect Exploitation
Because the corruption lives in memory, you can clear a poisoned page cache by dropping it:
```bash
echo 3 | sudo tee /proc/sys/vm/drop_caches
```
This is containment, not remediation — it removes the poisoned in-memory copy but does nothing to close a root shell an attacker may have already opened. If you have reason to believe a host was exploited, treat it as compromised and follow your incident response process.
Detection Tips
There’s no reliable after-the-fact signature for pedit COW, since it leaves nothing on disk. Still, a few things are worth watching for:
- Unexpected loading of the act_pedit module on hosts that don’t normally do traffic-control packet editing.
- Unusual tc command activity from users or processes that never configure networking.
- Creation of unprivileged user namespaces shortly before execution of setuid binaries like su or sudo.
- Shell execution immediately following traffic-control activity with no legitimate business reason.
Auditing tools like auditctl can help flag this activity:
```bash
auditctl -w /sbin/tc -p x -k tc_exec
auditctl -w /usr/sbin/tc -p x -k tc_exec
```
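One way to turn the tc_exec records into an alert is to correlate them with setuid executions by the same user, as in this added example (not from the original article). It assumes a second, hypothetical watch rule on su and sudo with the key setuid_exec, assumes the audit uid field carries the host-side uid, and runs on constructed sample records.

```shell
#!/bin/sh
# Added example. Constructed audit records; the key "setuid_exec" is a
# hypothetical second watch rule on su/sudo, not one given in the article.
sample_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1781000000.000:101): arch=c000003e syscall=59 success=yes pid=4100 auid=1000 uid=1000 euid=1000 comm="tc" exe="/usr/sbin/tc" key="tc_exec"
type=SYSCALL msg=audit(1781000012.000:102): arch=c000003e syscall=59 success=yes pid=4107 auid=1000 uid=1000 euid=0 comm="su" exe="/usr/bin/su" key="setuid_exec"
type=SYSCALL msg=audit(1781000300.000:103): arch=c000003e syscall=59 success=yes pid=5200 auid=0 uid=0 euid=0 comm="tc" exe="/usr/sbin/tc" key="tc_exec"
type=SYSCALL msg=audit(1781000900.000:104): arch=c000003e syscall=59 success=yes pid=6001 auid=1001 uid=1001 euid=0 comm="sudo" exe="/usr/bin/sudo" key="setuid_exec"
EOF
}

# Reads audit records on stdin. Alerts when a non-root uid runs tc and then a
# watched setuid binary within WINDOW seconds (default 60).
correlate() {
    awk -v win="${1:-60}" '
    {
        ts = ""; uid = ""; key = ""; exe = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^msg=audit\(/) {
                ts = $i; sub(/^msg=audit\(/, "", ts); sub(/:.*/, "", ts)
            }
            else if ($i ~ /^uid=/) uid = substr($i, 5)
            else if ($i ~ /^exe=/) { exe = substr($i, 5); gsub(/"/, "", exe) }
            else if ($i ~ /^key=/) { key = substr($i, 5); gsub(/"/, "", key) }
        }
        # tc run by real root is routine administration; skip it
        if (uid == "" || uid == "0") next
        if (key == "tc_exec")
            last_tc[uid] = ts + 0
        else if (key == "setuid_exec" && (uid in last_tc) &&
                 ts - last_tc[uid] <= win)
            printf "ALERT uid=%s then_exec=%s gap=%ds\n", uid, exe, ts - last_tc[uid]
    }'
}

sample_log | correlate 60
```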
Pedit COW vs. Dirty Pipe, DirtyClone, and Dirty COW
Pedit COW is part of a broader family of Linux kernel bugs that all share the same underlying shape: a kernel fast path writes into a memory page it doesn’t fully own, and the shared page cache absorbs the damage.
- Dirty COW (2016) — one of the earliest and most famous examples of a race condition in the copy-on-write mechanism.
- Dirty Pipe (2022) — allowed overwriting data in read-only files via a pipe-buffer flaw.
- DirtyClone (CVE-2026-43503) — disclosed around the same time as pedit COW, this one lives in the helpers that handle skb fragment transfers in the ESP/XFRM input path, but leads to the same page-cache corruption outcome.
The entry point differs each time, but the impact is consistent: an unprivileged local user ends up with root.
Frequently Asked Questions
Is pedit COW remotely exploitable? No. It requires local access — the attacker must already be able to run unprivileged code on the target machine. The real danger comes when it’s chained with another vulnerability (a web shell, a compromised account, or a shared container) that provides that initial foothold.
Will antivirus or file-integrity monitoring catch it? Generally, no. The corruption happens in the page cache in RAM, not in the file on disk, so file-integrity tools typically report a clean result even while the system has been compromised.
What’s the single most important action to take? Patch your kernel. The mitigations (blocking act_pedit, disabling unprivileged user namespaces) are useful stopgaps, but only a kernel update fully closes the vulnerability.
Does this affect desktop Linux users? It can, though the risk is far higher on multi-user systems, shared hosting, and container platforms where untrusted users or workloads already run unprivileged code. A typical single-user desktop has a much smaller attack surface, but should still be patched.
Bottom Line
Pedit COW (CVE-2026-46331) is a serious reminder that “local-only” vulnerabilities can be just as dangerous as remote ones — especially in the multi-tenant, containerized infrastructure most organizations run today. The fix is straightforward: patch your kernel as soon as possible, and use the module-blocking and user-namespace mitigations as a bridge if you can’t patch immediately. Given how quickly a working exploit followed the CVE disclosure, treating this as a same-day priority — not a “next maintenance window” item — is the safest call.