Skip to main content

Linux Kernel CVE-2026-46331

| EUVDEUVD-2026-37039 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-06-16 Linux GHSA-cr2w-747q-47qc
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local attacker needs privilege to create tc pedit rules (PR:L via CAP_NET_ADMIN, often reachable through user namespaces); kernel memory corruption yields high C/I/A with no user interaction.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 10:31 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 16, 2026 - 09:01 EUVD
CVE Published
Jun 16, 2026 - 06:26 cve.org
HIGH 7.8
CVE Published
Jun 16, 2026 - 06:26 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net/sched: fix pedit partial COW leading to page cache corruption

tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account for the runtime header offset added by typed keys. This can leave part of the write region un-COW'd.

Fix by moving skb_ensure_writable() inside the per-key loop where the actual write offset is known, and add overflow checking on the offset arithmetic. For negative offsets (e.g. Ethernet header edits at ingress), use skb_cow() to COW the headroom instead. Guard offset_valid() against INT_MIN, where negation is undefined.

AnalysisAI

Local privilege escalation potential in the Linux kernel's net/sched traffic-control subsystem arises from a partial copy-on-write (COW) miss in the pedit action (tcf_pedit_act), where skb_ensure_writable() is sized using tcfp_off_max_hint before the per-key loop and fails to account for the runtime header offset added by typed keys, leaving part of the write region un-COW'd and causing page cache corruption. A local low-privileged attacker able to install tc pedit rules (CAP_NET_ADMIN, obtainable in user namespaces on many distros) can corrupt shared page-cache memory, with CVSS 7.8 reflecting high confidentiality, integrity, and availability impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local access with CAP_NET_ADMIN
Delivery
Install tc pedit rule with typed keys
Exploit
Trigger header-offset beyond COW range
Execution
Cause partial-COW out-of-bounds write
Persist
Corrupt page-cache-backed kernel memory
Impact
Escalate privileges or crash host

Vulnerability AssessmentAI

Exploitation Exploitation requires LOCAL access and the ability to configure tc (traffic control) pedit actions, which depends on holding CAP_NET_ADMIN - directly as an admin, or as an unprivileged user only where unprivileged user namespaces are enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely consistent toward a moderate-but-real local risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker on a multi-tenant Linux host (or inside a container with an unprivileged user namespace granting CAP_NET_ADMIN) installs a tc pedit rule using typed keys whose runtime header offset extends beyond the precomputed COW range. Processing a packet triggers a write into incompletely-COW'd, page-cache-backed memory, corrupting shared kernel memory to cause denial of service or potentially escalate privileges. …
Remediation Patch available per vendor advisory - update to a Linux kernel that includes the fix commit 899ee91156e57784090c5565e4f31bd7dbffbc5a (and stable backports 2bec122b9fb91507a758ab5e3e5c4fbe7cb3f61b, 3dee9d0c198faeb95d052c1b94c2958751a28512, b198ed4e52580a7238c7c7082f03906f8b310313) by applying your distribution's latest kernel security update; the EUVD/NVD data points to fixed releases in the 4.19.244+, 5.4.195+, 5.10.117+, 5.15.41+, and 5.17.9+ stable series, but confirm the exact patched package version with your distro vendor before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify Linux systems with container support or namespace isolation and assess whether unprivileged users or workloads can install traffic-control rules. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46331 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy