Skip to main content

Linux Kernel EUVDEUVD-2026-37039

| CVE-2026-46331 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-06-16 Linux GHSA-cr2w-747q-47qc
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local attacker needs privilege to create tc pedit rules (PR:L via CAP_NET_ADMIN, often reachable through user namespaces); kernel memory corruption yields high C/I/A with no user interaction.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 10:31 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 16, 2026 - 09:01 EUVD
CVE Published
Jun 16, 2026 - 06:26 cve.org
HIGH 7.8
CVE Published
Jun 16, 2026 - 06:26 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net/sched: fix pedit partial COW leading to page cache corruption

tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account for the runtime header offset added by typed keys. This can leave part of the write region un-COW'd.

Fix by moving skb_ensure_writable() inside the per-key loop where the actual write offset is known, and add overflow checking on the offset arithmetic. For negative offsets (e.g. Ethernet header edits at ingress), use skb_cow() to COW the headroom instead. Guard offset_valid() against INT_MIN, where negation is undefined.

AnalysisAI

Local privilege escalation potential in the Linux kernel's net/sched traffic-control subsystem arises from a partial copy-on-write (COW) miss in the pedit action (tcf_pedit_act), where skb_ensure_writable() is sized using tcfp_off_max_hint before the per-key loop and fails to account for the runtime header offset added by typed keys, leaving part of the write region un-COW'd and causing page cache corruption. A local low-privileged attacker able to install tc pedit rules (CAP_NET_ADMIN, obtainable in user namespaces on many distros) can corrupt shared page-cache memory, with CVSS 7.8 reflecting high confidentiality, integrity, and availability impact. Publicly available exploit code exists, though EPSS is low at 0.14% (4th percentile) and the issue is not on CISA KEV.

Technical ContextAI

The flaw lives in the kernel packet-mangling path of the traffic control (tc) framework, specifically the pedit (packet editor) action implemented in net/sched/act_pedit.c. tcf_pedit_act() must ensure the socket buffer (skb) region it is about to modify is writable via a copy-on-write, but it computed that range only once using tcfp_off_max_hint, which ignores the additional header offset that typed keys (e.g., editing within the Ethernet/IP/transport headers) inject at runtime. The result is an out-of-bounds / incompletely-COW'd write into memory that may still be shared via the page cache - a buffer overflow class issue (the supplied Tags label it 'Buffer Overflow'; root cause aligns with CWE-787 out-of-bounds write and improper COW handling). The fix relocates skb_ensure_writable() inside the per-key loop where the true write offset is known, adds overflow checks on offset arithmetic, uses skb_cow() for negative offsets (e.g., ingress Ethernet header edits) to COW the headroom, and guards offset_valid() against INT_MIN where negation is undefined. CPE data identifies the affected product as the Linux kernel (cpe:2.3:a:linux:linux:*).

RemediationAI

Patch available per vendor advisory - update to a Linux kernel that includes the fix commit 899ee91156e57784090c5565e4f31bd7dbffbc5a (and stable backports 2bec122b9fb91507a758ab5e3e5c4fbe7cb3f61b, 3dee9d0c198faeb95d052c1b94c2958751a28512, b198ed4e52580a7238c7c7082f03906f8b310313) by applying your distribution's latest kernel security update; the EUVD/NVD data points to fixed releases in the 4.19.244+, 5.4.195+, 5.10.117+, 5.15.41+, and 5.17.9+ stable series, but confirm the exact patched package version with your distro vendor before deploying. Where immediate patching is not possible, reduce exposure by preventing untrusted users from creating tc pedit rules: disable unprivileged user namespaces (sysctl kernel.unprivileged_userns_clone=0 or user.max_user_namespaces=0) so unprivileged processes cannot obtain CAP_NET_ADMIN - note this can break sandboxes/containers that rely on user namespaces; and restrict CAP_NET_ADMIN to trusted administrators only. Track advisories at https://nvd.nist.gov/vuln/detail/CVE-2026-46331 and https://vuldb.com/vuln/371261. Do not rely solely on these workarounds for multi-tenant or container hosts where local users are inherently untrusted.

Share

EUVD-2026-37039 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy