
New Linux pedit COW Exploit Allows Attackers to Gain System Root Access

Source: Cybersecurity News. Archived Jun 26, 2026.



By Guru Baran, June 26, 2026

A newly disclosed Linux kernel vulnerability combining a Copy-on-Write (COW) page-cache corruption flaw with the net/sched subsystem’s act_pedit component is enabling unprivileged local attackers to escalate privileges to full root access on several major Linux distributions. The exploit, dubbed packet_edit_meme, has been verified in June 2026 against actively maintained enterprise and consumer kernels.

The root cause is a partial-COW page-cache corruption bug introduced in kernel commit 899ee91156e5, present across Linux kernel versions v5.18 through v7.1-rc6 and patched in v7.1-rc7. The flaw resides in the net/sched act_pedit subsystem, a traffic editing component of the Linux traffic control (tc) framework.

The attack chain works by spawning a user namespace child process with CAP_NET_ADMIN capabilities — a permission reachable by unprivileged users on systems where unprivileged user namespaces are enabled by default. The exploit then leverages the COW corruption primitive to overwrite the page-cached ELF entry point of the setuid-root binary /bin/su, injecting shellcode that executes setgid(0) + setuid(0) + execve("/bin/sh") — delivering a root shell to the attacker.

This is the fourth recent privilege escalation vulnerability disclosed in Linux systems.

| Vulnerability | CVE | Disclosed | Subsystem | Write Primitive | Root Required? |
|---|---|---|---|---|---|
| Copy Fail | CVE-2026-31431 | April 30, 2026 | algif_aead (AF_ALG crypto) | 4-byte page-cache write | No |
| DirtyFrag | CVE-2026-43284 / CVE-2026-43500 | May 8, 2026 | IPsec ESP (xfrm) + RxRPC | Full write primitive (chained) | No |
| Fragnesia | CVE-2026-46300 | May 14, 2026 | XFRM ESP-in-TCP | Arbitrary byte write | No |
| pedit COW | CVE-2026-46331 | June 26, 2026 | net/sched act_pedit | Out-of-bounds page-cache write | No |

Affected Distributions

Verified testing confirms exploitation success on multiple widely deployed distributions:

| Distribution | Kernel | Flag | Result |
|---|---|---|---|
| RHEL 10.0 | 6.12.0-228.el10 | None | ROOT |
| Debian 13 (Trixie) | 6.12.90+deb13.1 | None | ROOT |
| Ubuntu 24.04.4 | 6.17.0-22 | --ubuntu | ROOT |
| Ubuntu 26.04 | 7.0.0-14-generic | --ubuntu | FAIL |

RHEL and Debian are immediately vulnerable with no flags required, as both ship with unprivileged user namespaces open by default. Notably, RHEL lacks cls_basic and em_meta modules, but the exploit automatically falls back to matchall to deliver the same corruption primitive.

Ubuntu enforces two sysctls that restrict unprivileged user namespace creation:

- kernel.apparmor_restrict_unprivileged_userns — blocks unconfined userns creation
- kernel.apparmor_restrict_unprivileged_unconfined — prevents aa-exec permissive profiles from shedding the restriction

The --ubuntu flag re-executes the exploit via aa-exec using permissive profiles such as trinity, chrome, or flatpak — which carry a userns rule — effectively bypassing the AppArmor gate. This bypass works on Ubuntu 24.04.4 (unconfined=0) but is closed on Ubuntu 26.04 (unconfined=1), which tightens the restriction to block this re-execution path entirely.

Mitigations

Red Hat has published an official security bulletin at RHSB-2026-008. Administrators are strongly urged to apply kernel patches immediately, restrict unprivileged user namespace creation via sysctl where operationally feasible, and monitor for unexpected aa-exec invocations or namespace creation events.

Organizations running kernels between v5.18 and v7.1-rc6 should treat this as a critical priority patch.
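The following triage script is an added example, not code from the article or from Red Hat's bulletin; it applies the affected version range and the user-namespace conditions described above to a host. The function names are made up for this example, and `user.max_user_namespaces` and `kernel.unprivileged_userns_clone` are sysctls the article does not name. The version test is a heuristic, because distribution kernels can carry the fix without a change in the upstream version number.

```sh
#!/bin/sh
# Added example: exposure triage for the pedit COW issue (names are illustrative).

# kernel_in_range RELEASE: status 0 if the upstream version in a `uname -r`
# string lies in v5.18 .. v7.1-rc6. Heuristic: backported fixes are invisible.
kernel_in_range() {
    rel=$1
    major=${rel%%.*}; rest=${rel#*.}; minor=${rest%%[!0-9]*}
    case $major in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    ver=$((major * 1000 + minor))
    [ "$ver" -ge 5018 ] || return 1     # older than v5.18
    [ "$ver" -ge 7001 ] || return 0     # v5.18 .. v7.0.x
    [ "$ver" -eq 7001 ] || return 1     # newer than v7.1
    case $rel in
        *-rc[0-9]*) rc=${rel##*-rc}; rc=${rc%%[!0-9]*}; [ "$rc" -le 6 ] ;;
        *) return 1 ;;                  # v7.1 final and its stable updates
    esac
}

# userns_state MAX_USERNS USERNS_CLONE AA_USERNS AA_UNCONFINED
# Pass "" for a sysctl the host does not have.
userns_state() {
    if [ "$1" = 0 ] || [ "$2" = 0 ]; then echo blocked
    elif [ "$3" != 1 ]; then echo open                 # RHEL/Debian default
    elif [ "$4" = 1 ]; then echo apparmor-strict       # Ubuntu 26.04 setting
    else echo apparmor-bypassable                      # Ubuntu 24.04.4 setting
    fi
}

# verdict RELEASE MAX_USERNS USERNS_CLONE AA_USERNS AA_UNCONFINED
verdict() {
    state=$(userns_state "$2" "$3" "$4" "$5")
    if ! kernel_in_range "$1"; then echo "kernel-outside-range userns=$state"
    elif [ "$state" = open ] || [ "$state" = apparmor-bypassable ]; then
        echo "EXPOSED userns=$state"
    else echo "gated userns=$state"
    fi
}

rd() { cat "/proc/sys/$1" 2>/dev/null || true; }   # empty when sysctl is absent

main() {
    verdict "$(uname -r)" "$(rd user/max_user_namespaces)" \
        "$(rd kernel/unprivileged_userns_clone)" \
        "$(rd kernel/apparmor_restrict_unprivileged_userns)" \
        "$(rd kernel/apparmor_restrict_unprivileged_unconfined)"
}
if [ "${1:-}" = --live ]; then main; fi   # run with --live to check this host
```

A `gated` or `kernel-outside-range` result only narrows the triage list; confirm patch status against the vendor advisory for the installed kernel package.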