
It Rewrites /bin/su in the Page Cache and Hands You Root. CVE-2026-46331 Is the Second Universal Linux LPE This Quarter.

  • Writer: Patrick Duggan
  • 5 minutes ago
  • 3 min read

The dangerous Linux local privilege escalations are the ones that do not need a custom exploit per kernel version. The ones where a single proof of concept just works, across distributions, because the bug is in a subsystem everybody ships and the trigger is reachable by an ordinary user. CVE-2026-46331 is that kind.


The Bug, In Plain Terms



It lives in the kernel's traffic-control subsystem, specifically the pedit action — the piece of net/sched that lets you edit packet contents. Inside tcf_pedit_act(), the code calculates how much of a packet to make writable using a copy-on-write hint, and it does that calculation once, up front, before it loops over the individual edit keys.


The problem is that the hint does not account for the runtime header offset that typed keys introduce. So the actual write can land past the end of the region that was made writable. That is an out-of-bounds write — and because of how the copy-on-write page handling works here, it becomes corruption of page-cache memory. The kernel's cached copy of a file on disk gets modified by an attacker who should never have been able to touch it.


Why Page-Cache Corruption Is the Scary Version



Most LPE bugs give you a memory-corruption primitive and then you do a lot of work to turn that into code execution. This one skips the hard part. The public PoC poisons the cached copy of a setuid-root binary — /bin/su — directly in the page cache. It injects a small payload into that cached image, and then runs the altered binary. Because /bin/su is setuid root, the attacker's injected code runs as root. Clean, reliable, and conceptually simple once you have the write.


The author-verified PoC gives any local unprivileged user a turnkey path to a root shell, on any affected system where two conditions hold: the act_pedit action is loadable, and unprivileged user namespaces are available. The user namespace is what hands the attacker the CAP_NET_ADMIN capability — namespace-local — needed to reach the vulnerable traffic-control code in the first place.


The Timeline Is the Story



The CVE number was assigned by kernel.org on June 16, 2026 — and that assignment came weeks after the exploitable detail was already circulating publicly. The weaponized proof of concept dropped June 17, one day later.


That ordering is the pattern we have been hammering on all year. The defensive clock does not start when the CVE is assigned. It starts when the exploitable detail goes public, and on this one the detail was out in the open before the number existed. By the time most teams had a CVE to track in their vulnerability scanner, a working root exploit was already on the internet. The PoC-to-CVE gap collapsed to negative numbers.


This is also the second turnkey universal Linux LPE this quarter. CVE-2026-31431 — "Copy Fail" — gave the cloud a reliable nine-year-old root primitive back in April. Two universal local-root bugs in one subsystem-adjacent corner of the kernel in a single quarter is not bad luck. It is what happens when a complex, rarely-audited kernel surface meets a lot of fresh eyes.


What To Actually Do



Patch your kernel — that is the real fix, and the distributions have advisories out. But the high-leverage mitigation you can deploy today, before you reboot anything, is to close the precondition. If you do not need unprivileged user namespaces, disable them. Setting the user-namespace clone sysctl to off removes the CAP_NET_ADMIN path this exploit depends on, and it neuters a large category of LPE bugs beyond just this one. On a server fleet, unprivileged user namespaces are far more often an attack surface than a requirement.
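An added example, not from the post or any of the sources it cites: a POSIX shell check for the two preconditions the exploit needs (unprivileged user namespaces and a loadable act_pedit), plus the mitigation lines. The knob names kernel.unprivileged_userns_clone (Debian/Ubuntu-style kernels) and user.max_user_namespaces (upstream), the module path and the config-file check are assumptions; the root argument is there only so the functions can be pointed at a test tree.

```shell
#!/bin/sh
# Added example, not from the post. Assumed knobs: kernel.unprivileged_userns_clone
# (Debian/Ubuntu-style kernels) and user.max_user_namespaces (upstream kernels).
# $1 is a filesystem root ("" for the live host) so the checks can run on a fake tree.

# Print the value of a sysctl from /proc/sys, or "missing" if the knob is absent.
read_sysctl() {
    f="$1/proc/sys/$(printf '%s' "$2" | tr '.' '/')"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# Succeed when an ordinary user can still create a user namespace.
userns_unprivileged_enabled() {
    clone=$(read_sysctl "$1" kernel.unprivileged_userns_clone)
    max=$(read_sysctl "$1" user.max_user_namespaces)
    [ "$clone" = 0 ] && return 1   # Debian-style knob switched off
    [ "$max" = 0 ] && return 1     # upstream limit set to zero
    return 0                       # default or missing knobs: assume enabled
}

# Succeed when act_pedit is built in, present as a module, or already loaded.
act_pedit_available() {
    root="$1"; rel="$2"
    grep -q '^CONFIG_NET_ACT_PEDIT=y' "$root/boot/config-$rel" 2>/dev/null && return 0
    ls "$root/lib/modules/$rel/kernel/net/sched/act_pedit.ko"* >/dev/null 2>&1 && return 0
    grep -q '^act_pedit ' "$root/proc/modules" 2>/dev/null && return 0
    return 1
}

# "exposed" only when both preconditions from the post hold at once.
assess() {
    if userns_unprivileged_enabled "$1" && act_pedit_available "$1" "$2"; then
        echo exposed
    else
        echo mitigated
    fi
}

# Persistent mitigation; apply immediately with: sysctl -w <knob>=0
print_mitigation() {
    cat <<'EOF'
# /etc/sysctl.d/99-userns.conf  (use whichever knob this kernel has)
kernel.unprivileged_userns_clone = 0
user.max_user_namespaces = 0
# /etc/modprobe.d/act_pedit.conf  (refuse to load the module; breaks tc pedit users)
install act_pedit /bin/false
EOF
}

if [ "${CHECK_LIVE:-0}" = 1 ]; then   # CHECK_LIVE=1 ./check.sh on a real host
    assess "" "$(uname -r)"
    print_mitigation
fi
```

Setting user.max_user_namespaces to 0 also stops root from creating user namespaces, so on hosts that run containers prefer the Debian-style knob where the kernel has it.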


Where we sit on this: our exploit harvester exists precisely for the day-zero-to-PoC window this CVE demonstrates — the gap where a working exploit is public and the CVE is fresh or not yet assigned. We are not going to claim a specific catch on this one that we have not verified in our own data. We are going to tell you the thing that is true regardless: the exploit is public, it is turnkey, it targets a default-reachable kernel surface, and the mitigation is one sysctl. Close the namespace, then patch the kernel.


Sources: Red Hat Customer Portal (RHSB-2026-008), TuxCare, The Hacker News (new-linux-pedit-cow-exploit), OpenCVE, Wiz Blog and Microsoft Security Blog (CVE-2026-31431 Copy Fail context).





