New Linux pedit COW Exploit Allows Attackers to Gain System Root Access

A newly disclosed Linux kernel vulnerability, a Copy-on-Write (COW) page-cache corruption flaw in the net/sched subsystem's act_pedit component, lets unprivileged local attackers escalate to full root on several major Linux distributions.

The exploit, dubbed packet_edit_meme, has been verified in June 2026 against actively maintained enterprise and consumer kernels.

The root cause is a partial-COW page-cache corruption bug introduced in kernel commit 899ee91156e5, present in Linux kernel versions v5.18 through v7.1-rc6 and fixed in v7.1-rc7. The flaw lies in act_pedit, the packet-editing action of the net/sched subsystem used by the Linux traffic control (tc) framework.

The attack chain begins by spawning a child process inside a new user namespace; within that namespace (and a network namespace it owns) the process holds CAP_NET_ADMIN, which is all that tc needs to install qdiscs, filters and act_pedit actions. On systems where unprivileged user namespace creation is enabled by default, any local user can reach this state.

The exploit then uses the COW corruption primitive to overwrite the page-cache copy of the setuid-root binary /bin/su at its ELF entry point, injecting shellcode that executes setgid(0), setuid(0) and execve("/bin/sh"), so that running the binary delivers a root shell to the attacker.

This is the fourth Linux local privilege escalation disclosed in recent months; the earlier three are summarized below for comparison.

Vulnerability | CVE | Disclosed | Subsystem | Write primitive | Root required?
Copy Fail | CVE-2026-31431 | April 30, 2026 | algif_aead (AF_ALG crypto) | 4-byte page-cache write | No
DirtyFrag | CVE-2026-43284 / CVE-2026-43500 | May 8, 2026 | IPsec ESP (xfrm) + RxRPC | Full write primitive (chained) | No
Fragnesia | CVE-2026-46300 | May 14, 2026 | XFRM ESP-in-TCP | Arbitrary byte write | No
pedit COW | CVE-2026-46331 | June 26, 2026 | net/sched act_pedit | Out-of-bounds page-cache write | No

Affected Distributions

Verified testing confirms exploitation success on multiple widely deployed distributions:

Distribution | Kernel | Flag | Result
RHEL 10.0 | 6.12.0-228.el10 | None | ROOT
Debian 13 (Trixie) | 6.12.90+deb13.1 | None | ROOT
Ubuntu 24.04.4 | 6.17.0-22 | --ubuntu | ROOT
Ubuntu 26.04 | 7.0.0-14-generic | --ubuntu | FAIL

RHEL and Debian are immediately vulnerable with no flags required, as both ship with unprivileged user namespaces open by default. Notably, RHEL does not ship the cls_basic classifier and em_meta ematch modules, but the exploit automatically falls back to the cls_matchall classifier to deliver the same corruption primitive.

Ubuntu enforces two sysctls that restrict unprivileged user namespace creation:

kernel.apparmor_restrict_unprivileged_userns: when set to 1, blocks user namespace creation by unconfined processes; only processes running under an AppArmor profile that carries a userns rule may create one

kernel.apparmor_restrict_unprivileged_unconfined: when set to 1, prevents unprivileged unconfined processes from changing profile, so aa-exec cannot be used to switch into a permissive profile and shed the restriction

The --ubuntu flag re-executes the exploit via aa-exec under a permissive profile such as trinity, chrome, or flatpak, each of which carries a userns rule, bypassing the AppArmor gate.

This bypass works on Ubuntu 24.04.4, which ships with kernel.apparmor_restrict_unprivileged_unconfined=0, but is closed on Ubuntu 26.04, which ships with that sysctl set to 1 and so blocks the aa-exec re-execution path entirely.
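A way to check a host for the precondition the tests above turn on, as an added example that is not part of the original article or of the exploit: a POSIX shell script that reads the sysctls named above from a configurable root prefix (so it can also run against a copied /proc/sys tree), lists the AppArmor profiles under /etc/apparmor.d that carry a userns rule, and optionally probes live namespace creation with util-linux unshare. The function names, the classification labels, the root-prefix argument and the check subcommand are my own; kernel.unprivileged_userns_clone exists only on Debian-derived kernels and is treated as absent elsewhere.

```shell
#!/bin/sh
# Added example: user-namespace exposure check (not the article's or the exploit's code).
# Every function takes an optional root prefix so it can be run against a constructed tree.

sysctl_val() {
    # $1 = root prefix ("" for the live system), $2 = dotted sysctl name.
    # Prints the value, or "absent" when this kernel does not expose the knob.
    f="$1/proc/sys/$(printf '%s' "$2" | tr . /)"
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else printf 'absent'; fi
}

userns_exposure() {
    # Classifies the host along the lines the article draws: open (the RHEL/Debian
    # default), AppArmor-gated with or without the aa-exec re-exec path, or closed.
    root=${1:-}
    maxns=$(sysctl_val "$root" user.max_user_namespaces)
    clone=$(sysctl_val "$root" kernel.unprivileged_userns_clone)   # Debian-derived kernels only
    aa_ns=$(sysctl_val "$root" kernel.apparmor_restrict_unprivileged_userns)
    aa_unc=$(sysctl_val "$root" kernel.apparmor_restrict_unprivileged_unconfined)
    if [ "$maxns" = 0 ] || [ "$clone" = 0 ]; then
        printf 'closed: unprivileged user namespace creation disabled\n'
    elif [ "$aa_ns" = 1 ] && [ "$aa_unc" = 1 ]; then
        printf 'restricted: AppArmor userns gate on, aa-exec re-exec path closed\n'
    elif [ "$aa_ns" = 1 ]; then
        printf 'restricted-bypassable: AppArmor userns gate on, aa-exec re-exec path open\n'
    else
        printf 'open: unprivileged user namespaces available\n'
    fi
}

aa_profiles_granting_userns() {
    # Lists profiles under <root>/etc/apparmor.d that carry a "userns," rule,
    # i.e. the profiles an aa-exec re-exec could switch into.
    d="${1:-}/etc/apparmor.d"
    [ -d "$d" ] || return 0
    for f in "$d"/*; do
        if [ -f "$f" ] && grep -qE '^[[:space:]]*userns[[:space:]]*(create[[:space:]]*)?,' "$f"; then
            basename "$f"
        fi
    done
}

userns_live_probe() {
    # Live test: can this user obtain a root-mapped user namespace with its own
    # network namespace, the state the attack chain starts from? Needs util-linux
    # unshare; result depends on the host, so the check below does not assert on it.
    if unshare -U -r -n true 2>/dev/null; then printf 'yes\n'; else printf 'no\n'; fi
}

case "${1:-}" in
    check)
        userns_exposure
        printf 'profiles granting userns: %s\n' "$(aa_profiles_granting_userns | tr '\n' ' ')"
        printf 'live userns+netns probe: %s\n' "$(userns_live_probe)" ;;
esac
```

Run it as an ordinary user with `sh exposure.sh check`; a result of `open` together with `yes` from the live probe is the RHEL/Debian situation in the table above, and `restricted-bypassable` with a non-empty profile list is the Ubuntu 24.04 situation.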

Mitigations

Red Hat has published an official security bulletin at RHSB-2026-008. Administrators are strongly urged to apply kernel patches immediately, restrict unprivileged user namespace creation via sysctl where operationally feasible, and monitor for unexpected aa-exec invocations or namespace creation events.

Organizations running kernels between v5.18 and v7.1-rc6 should treat this as a critical priority patch. Distribution kernels carry backported fixes under older version numbers, so rely on the vendor advisory and the package changelog rather than on the version reported by uname -r alone.
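For the monitoring advice above, an added example that is not from the article: POSIX shell helpers that write auditd rules capturing aa-exec executions and unshare()/clone() calls that request CLONE_NEWUSER, and a classifier that decodes a raw audit SYSCALL record (x86_64 syscall numbers and argument encoding) to confirm the flag bit. The rules file path, the key names and the sample record are assumptions; verify the rules load with auditctl on the target before relying on them.

```shell
#!/bin/sh
# Added example: audit rules and record classifier for user-namespace creation and
# aa-exec use (not the article's code). x86_64 only: arch=c000003e, unshare is
# syscall 272, execve is 59, and the flags argument of unshare/clone is a0.
CLONE_NEWUSER=0x10000000   # value from <linux/sched.h>

write_userns_audit_rules() {
    # $1 = rules file, e.g. /etc/audit/rules.d/userns.rules; load with: augenrules --load
    # "a0&0x10000000" uses the audit bitmask operator: match when the flag bit is set.
    # clone3() passes its flags in a struct, so it cannot be filtered this way.
    cat > "$1" <<'EOF'
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/aa-exec -F auid>=1000 -F auid!=unset -k aa_exec
-a always,exit -F arch=b64 -S unshare -F a0&0x10000000 -F auid>=1000 -F auid!=unset -k userns_create
-a always,exit -F arch=b64 -S clone -F a0&0x10000000 -F auid>=1000 -F auid!=unset -k userns_create
EOF
}

audit_field() {
    # $1 = raw record, $2 = field name; prints the value without surrounding quotes.
    # A leading space is added so "type=" at the start of the line matches like any field.
    printf ' %s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p" | tr -d '"'
}

classify_audit_record() {
    # Returns 0 and prints a reason for (a) unshare() with CLONE_NEWUSER or
    # (b) execve() of aa-exec, both by a logged-in user (1000 <= auid, not unset);
    # returns 1 for anything else.
    rec=$1
    [ "$(audit_field "$rec" type)" = SYSCALL ] || return 1
    [ "$(audit_field "$rec" arch)" = c000003e ] || return 1
    auid=$(audit_field "$rec" auid)
    case "$auid" in ''|*[!0-9]*) return 1 ;; esac
    [ "$auid" -ge 1000 ] && [ "$auid" -ne 4294967295 ] || return 1
    case "$(audit_field "$rec" syscall)" in
        272)
            a0=$(audit_field "$rec" a0)
            [ -n "$a0" ] || return 1
            if [ $(( 0x$a0 & $CLONE_NEWUSER )) -ne 0 ]; then
                printf 'unshare(CLONE_NEWUSER) by auid=%s\n' "$auid"; return 0
            fi ;;
        59)
            if [ "$(audit_field "$rec" exe)" = /usr/bin/aa-exec ]; then
                printf 'aa-exec executed by auid=%s\n' "$auid"; return 0
            fi ;;
    esac
    return 1
}

# Constructed sample record in audit.log syntax (not a real capture).
SAMPLE_RECORD='type=SYSCALL msg=audit(1719400000.123:4567): arch=c000003e syscall=272 success=yes exit=0 a0=10000000 a1=0 a2=0 a3=0 items=0 ppid=1234 pid=1235 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="unshare" exe="/usr/bin/unshare" subj=unconfined key="userns_create"'

case "${1:-}" in
    demo) classify_audit_record "$SAMPLE_RECORD" || printf 'not flagged\n' ;;
esac
```

The classifier is deliberately stricter than the audit key alone: a record keyed userns_create whose a0 lacks the CLONE_NEWUSER bit (for example an unshare(CLONE_NEWNET) from a container runtime) is not flagged, which keeps the alert tied to the namespace type the attack chain actually needs.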

The post New Linux pedit COW Exploit Allows Attackers to Gain System Root Access appeared first on Cyber Security News.

Source: cybersecuritynews.com
