Linux 'pedit COW' (CVE-2026-46331): Public Root Exploit Poisons Kernel Page Cache
A public, working exploit for CVE-2026-46331 — nicknamed "pedit COW" — is already in the wild. Any local unprivileged user on a vulnerable Linux system can use it to gain root. If you run Linux servers, this is not a "patch next cycle" situation.
What Happened
The bug lives in act_pedit, the packet-editing action module inside the Linux kernel's traffic-control (tc) subsystem. Researchers identified an out-of-bounds write that corrupts shared page-cache memory — the kernel's in-memory cache of file data shared across processes. The COW in the nickname is a nod to copy-on-write, the page-cache mechanism being abused.
According to The Hacker News, a proof-of-concept exploit is publicly available and confirmed working. The technique lets an unprivileged local user poison cached binaries held in the page cache; when one of those binaries is next executed by a privileged process, attacker-controlled code runs as root. No special capabilities or elevated privileges are required to trigger the initial write — a shell on the box is enough.
The traffic-control subsystem and act_pedit are present and active by default on the vast majority of Linux distributions.
Why It Matters
"Local privilege escalation" sounds contained, but the practical blast radius is wide:
- Shared and multi-tenant hosts: one compromised low-privilege account instantly becomes a root compromise of the entire machine.
- Post-exploitation chains: any attacker who lands an initial foothold via a web shell, a leaked key, or RCE in a web app can immediately escalate. The gap between "in" and "owned" collapses.
- Container environments: depending on runtime configuration, the vulnerable kernel module may be reachable from inside a container, making this a potential host-escape primitive.
- Page-cache poisoning is stealthy: the modification targets files already in memory, not on disk, so filesystem-integrity checks that hash files from disk may not catch it.
The existence of a public, functional exploit eliminates any grace period. Exploitation does not require a sophisticated threat actor.
What To Do
1. Patch the kernel now. Check your distribution's security advisory feed for a fix tagged CVE-2026-46331. Ubuntu, Debian, RHEL, Fedora, and Arch all publish kernel security updates rapidly once a public exploit exists. Run your package manager and reboot — a kernel patch requires a reboot to take effect.
2. Prioritize high-risk hosts first. Systems with multiple local user accounts are the most directly exposed: shared dev servers, build boxes, CI/CD runners that execute arbitrary job code.
3. Review container security posture. If you run Docker, Podman, or Kubernetes, verify whether act_pedit is accessible from within your workloads. Dropping unnecessary kernel capabilities and applying restrictive seccomp profiles reduces exposure while you arrange patching.
4. Hunt for exploitation evidence. Review /var/log/auth.log or journalctl for unexpected privilege escalations, look for root-owned processes with unusual parent PIDs, and audit SUID binary modification timestamps.
5. Do not rely on blacklisting act_pedit as a permanent fix. Unloading the module may silently break legitimate traffic-shaping rules in production. A patched kernel is the only durable remediation.
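The checks in steps 1, 3 and 4 can be scripted. The script below is an added example written for this article, not a tool from the kernel project or any distribution. FIXED_RELEASE is a placeholder to be replaced with the version named in your distribution's advisory for CVE-2026-46331, and the process listing embedded at the bottom is constructed sample data for the self-check, not output from a real host.

```shell
#!/bin/sh
# Added triage helper for the steps above (example written for this article,
# not a tool from the kernel project or any distribution). FIXED_RELEASE is a
# placeholder: take the fixed kernel version from your distribution's advisory
# for CVE-2026-46331. Run with:  sh pedit_triage.sh --run
set -eu

FIXED_RELEASE="${FIXED_RELEASE:-0.0.0}"   # placeholder, see above

# kernel_at_least RUNNING WANTED
# Numeric compare of dotted releases (6.12.3 < 6.12.10); exits 0 when
# RUNNING >= WANTED. Distro suffixes (-generic, +arch1) are stripped, so
# confirm against the advisory's package version as well.
kernel_at_least() {
  run=$(printf '%s' "$1" | sed 's/[-+].*//')
  want=$(printf '%s' "$2" | sed 's/[-+].*//')
  i=1
  while :; do
    a=$(printf '%s.' "$run" | cut -d. -f"$i")
    b=$(printf '%s.' "$want" | cut -d. -f"$i")
    [ -z "$a" ] && [ -z "$b" ] && return 0
    a=${a:-0}; b=${b:-0}
    [ "$a" -gt "$b" ] && return 0
    [ "$a" -lt "$b" ] && return 1
    i=$((i + 1))
  done
}

# pedit_present LSMOD_TEXT MODULES_BUILTIN_FILE
# lsmod only lists loadable modules; with CONFIG_NET_ACT_PEDIT=y the code is
# built in and appears in modules.builtin instead, so check both sources.
pedit_present() {
  if printf '%s\n' "$1" | grep -q '^act_pedit[[:space:]]'; then return 0; fi
  if [ -r "$2" ] && grep -q '/act_pedit\.ko$' "$2"; then return 0; fi
  return 1
}

# recent_suid ROOT DAYS
# Set-uid regular files under ROOT changed within DAYS days. ctime is used
# rather than mtime because mtime can be reset with touch(1), ctime cannot.
recent_suid() {
  find "$1" -xdev -type f -perm -4000 -ctime -"$2" 2>/dev/null
}

# root_with_unprivileged_parent PS_TEXT
# PS_TEXT is the output of: ps -eo pid=,ppid=,user=,comm=
# Prints root-owned processes whose parent runs as a non-root user, the
# shape a successful local privilege escalation leaves behind. Legitimate
# hits (children of sudo, su, pkexec) have to be triaged by hand.
root_with_unprivileged_parent() {
  printf '%s\n' "$1" | awk '
    NF >= 4 { user[$1] = $3; ppid[$1] = $2; comm[$1] = $4 }
    END {
      for (p in user)
        if (user[p] == "root" && (ppid[p] in user) && user[ppid[p]] != "root")
          printf "%s %s parent=%s(%s)\n", p, comm[p], ppid[p], user[ppid[p]]
    }'
}

# Constructed process listing for the self-check (not real data):
# pid 4242 is a root shell whose parent 1337 runs as "alice".
PS_SAMPLE='1 0 root systemd
2 0 root kthreadd
1337 1 alice bash
4242 1337 root sh
5000 1337 alice vim'

triage() {
  rel=$(uname -r)
  if kernel_at_least "$rel" "$FIXED_RELEASE"; then
    echo "kernel $rel: at or above $FIXED_RELEASE"
  else
    echo "kernel $rel: BELOW $FIXED_RELEASE, patch and reboot"
  fi
  if pedit_present "$(lsmod 2>/dev/null)" "/lib/modules/$rel/modules.builtin"; then
    echo "act_pedit present (loaded or built in)"
  else
    echo "act_pedit not loaded"
  fi
  echo "set-uid files changed in the last 7 days:"
  recent_suid / 7 || true
  echo "root processes with a non-root parent:"
  root_with_unprivileged_parent "$(ps -eo pid=,ppid=,user=,comm=)"
}

if [ "${1:-}" = "--run" ]; then triage; fi
```

Run it as root so find(1) can reach every set-uid binary, and treat the SUID sweep as a weak signal only: the page-cache poisoning described above leaves on-disk files untouched, so no hits is not a clean bill of health. The process check is the more useful one for this bug, since a root shell whose parent is an unprivileged login is exactly what a successful local escalation produces.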
Distribution patch pages and the upstream kernel security list are your authoritative sources for confirmed-fixed versions.
Synthesized by Claude · sanity-checked before publish.