Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local attacker needs privilege to create tc pedit rules (PR:L via CAP_NET_ADMIN, often reachable through user namespaces); kernel memory corruption yields high C/I/A with no user interaction.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
net/sched: fix pedit partial COW leading to page cache corruption
tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account for the runtime header offset added by typed keys. This can leave part of the write region un-COW'd.
Fix by moving skb_ensure_writable() inside the per-key loop where the actual write offset is known, and add overflow checking on the offset arithmetic. For negative offsets (e.g. Ethernet header edits at ingress), use skb_cow() to COW the headroom instead. Guard offset_valid() against INT_MIN, where negation is undefined.
AnalysisAI
Local privilege escalation potential in the Linux kernel's net/sched traffic-control subsystem arises from a partial copy-on-write (COW) miss in the pedit action (tcf_pedit_act), where skb_ensure_writable() is sized using tcfp_off_max_hint before the per-key loop and fails to account for the runtime header offset added by typed keys, leaving part of the write region un-COW'd and causing page cache corruption. A local low-privileged attacker able to install tc pedit rules (CAP_NET_ADMIN, obtainable in user namespaces on many distros) can corrupt shared page-cache memory, with CVSS 7.8 reflecting high confidentiality, integrity, and availability impact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires LOCAL access and the ability to configure tc (traffic control) pedit actions, which depends on holding CAP_NET_ADMIN - directly as an admin, or as an unprivileged user only where unprivileged user namespaces are enabled. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are largely consistent toward a moderate-but-real local risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local attacker on a multi-tenant Linux host (or inside a container with an unprivileged user namespace granting CAP_NET_ADMIN) installs a tc pedit rule using typed keys whose runtime header offset extends beyond the precomputed COW range. Processing a packet triggers a write into incompletely-COW'd, page-cache-backed memory, corrupting shared kernel memory to cause denial of service or potentially escalate privileges. … |
| Remediation | Patch available per vendor advisory - update to a Linux kernel that includes the fix commit 899ee91156e57784090c5565e4f31bd7dbffbc5a (and stable backports 2bec122b9fb91507a758ab5e3e5c4fbe7cb3f61b, 3dee9d0c198faeb95d052c1b94c2958751a28512, b198ed4e52580a7238c7c7082f03906f8b310313) by applying your distribution's latest kernel security update; the EUVD/NVD data points to fixed releases in the 4.19.244+, 5.4.195+, 5.10.117+, 5.15.41+, and 5.17.9+ stable series, but confirm the exact patched package version with your distro vendor before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify Linux systems with container support or namespace isolation and assess whether unprivileged users or workloads can install traffic-control rules. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37039
GHSA-cr2w-747q-47qc