New Critical Linux Vulnerability Enables Root Privilege Escalation

Source Domain: www.linkedin.com

A newly disclosed Linux kernel vulnerability, dubbed pedit COW, is giving threat actors a fast path to root access by silently poisoning cached system binaries in memory without modifying the files stored on disk.

Tracked as CVE-2026-46331 the flaw affects the Linux kernel’s traffic control (tc) subsystem and has rapidly become one of the most closely watched local privilege escalation vulnerabilities of 2026 following the release of a working proof-of-concept exploit shortly after public disclosure. Security researchers warn that systems allowing unprivileged user namespaces, combined with the vulnerable act_pedit kernel module, are particularly exposed.

Unlike many privilege escalation flaws that rely on overwriting binaries or exploiting race conditions in user space, pedit COW abuses a memory corruption bug inside the Linux kernel to modify the in-memory cached version of privileged executables. As a result, attackers can execute altered versions of setuid-root binaries while the original files remain untouched on disk, allowing conventional file integrity monitoring tools to report no signs of tampering despite the system already being compromised. Security researchers say the technique represents another evolution in a growing class of Linux page-cache corruption vulnerabilities that have emerged over recent years.

Vulnerability resides in Linux traffic control subsystem

The vulnerability exists within the Linux kernel’s networking stack, specifically the traffic control (tc) framework used to manage packet scheduling, shaping, filtering, and modification. One of tc’s features, known as pedit (packet editor), enables administrators to rewrite packet headers while traffic is in transit.
…

Source