{"id":282439,"date":"2026-06-26T09:00:00","date_gmt":"2026-06-26T13:00:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/26\/new-linux-pedit-cow-exploit-enables-root-access-by-poisoning-cached-binaries\/"},"modified":"2026-06-26T09:30:53","modified_gmt":"2026-06-26T13:30:53","slug":"new-linux-pedit-cow-exploit-enables-root-access-by-poisoning-cached-binaries","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/26\/new-linux-pedit-cow-exploit-enables-root-access-by-poisoning-cached-binaries\/","title":{"rendered":"New Linux pedit COW Exploit Enables Root Access by Poisoning Cached Binaries"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/new-linux-pedit-cow-exploit-enables.html\">New Linux pedit COW Exploit Enables Root Access by Poisoning Cached Binaries<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/new-linux-pedit-cow-exploit-enables.html\">https:\/\/thehackernews.com\/2026\/06\/new-linux-pedit-cow-exploit-enables.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-06-26 09:00:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\">\ue804<span class=\"author\">Swati Khandelwal<\/span>\ue802<span class=\"author\">Jun 26, 2026<\/span><\/span><span class=\"p-tags\">Linux \/ Vulnerability<\/span><\/p>\n<p>A flaw in the Linux kernel&#8217;s traffic-control subsystem can let a local unprivileged user gain root on affected systems.<\/p>\n<p>CVE-2026-46331, nicknamed &#8220;pedit COW,&#8221; is an out-of-bounds write in the packet-editing action (act_pedit) that corrupts shared page-cache memory. A\u00a0public, working exploit\u00a0appeared within a day of the CVE assignment on June 16. Red Hat\u00a0rates the flaw as important.<\/p>\n<p>The exploit never touches the file on disk. It poisons the cached copy of a setuid root binary (\/bin\/su) in memory, injects a small payload, and runs that altered image as root. File-integrity checks come back clean while a root shell is already open.<\/p>\n<p>The exploit needs two things:\u00a0act_pedit\u00a0being loadable and unprivileged user namespaces being open, giving the attacker a namespace-local networking capability (CAP_NET_ADMIN) needed to trigger the bug.<\/p>\n<p>On the tested RHEL and Debian targets, both conditions were present.<\/p>\n<h2>How the Bug Works<\/h2>\n<p>Linux&#8217;s\u00a0tc\u00a0traffic-control tool can rewrite packet headers in flight using an action called\u00a0pedit. The kernel function that does this,\u00a0tcf_pedit_act(), is supposed to make a private copy of the data before editing it, the standard copy-on-write pattern.<\/p>\n<p>It checked the writable range once, before the final offsets were known. Some edit keys only resolve their offset at runtime. When that happens, the write lands outside the privately copied region, so the kernel modifies a shared page-cache page instead of a private copy. If that page belongs to a cached file, the file&#8217;s in-memory image is corrupted.<\/p>\n<p>The pattern is familiar.\u00a0Dirty Pipe,\u00a0Copy Fail, DirtyClone, and\u00a0Dirty Frag\u00a0all share the same shape: a kernel fast path writes into a page it does not exclusively own, and the page cache takes the hit.<\/p>\n<p>What is new here is the entry point. An unprivileged user can configure\u00a0tc\u00a0actions from inside a user namespace, which gives them the\u00a0CAP_NET_ADMIN\u00a0that the exploit&#8230;<\/h2>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/new-linux-pedit-cow-exploit-enables.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New Linux pedit COW Exploit Enables Root Access by Poisoning Cached Binaries https:\/\/thehackernews.com\/2026\/06\/new-linux-pedit-cow-exploit-enables.html Publish Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":282441,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj0PC1aWOiorYx2AGD7fl-IVefJBKPJvjy7sMo5MURoMlaq492QcSdpSqqdGZRZk3u3e6BMS7qVzrJXBuWk-kH4oRqQy1cHTxkvHBLMMbllF9R_rNqL618rz5zEV_FfOvE0_YQgI-VVWbVX772Bc72qSphwMK-TtOAoZ5A9swYpvSNYsFfdR17i8AAXXzDZ\/s1600\/linux-hack.jpg","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[90,91,31,89,71,94,27],"class_list":["post-282439","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-cve","tag-debian","tag-exploit","tag-flaw","tag-linux","tag-red-hat-enterprise-linux","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/282439"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=282439"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/282439\/revisions"}],"predecessor-version":[{"id":282444,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/282439\/revisions\/282444"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/282441"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=282439"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=282439"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=282439"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}