Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local attacker needs privilege to create tc pedit rules (PR:L via CAP_NET_ADMIN, often reachable through user namespaces); kernel memory corruption yields high C/I/A with no user interaction.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
net/sched: fix pedit partial COW leading to page cache corruption
tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account for the runtime header offset added by typed keys. This can leave part of the write region un-COW'd.
Fix by moving skb_ensure_writable() inside the per-key loop where the actual write offset is known, and add overflow checking on the offset arithmetic. For negative offsets (e.g. Ethernet header edits at ingress), use skb_cow() to COW the headroom instead. Guard offset_valid() against INT_MIN, where negation is undefined.
AnalysisAI
Local privilege escalation potential in the Linux kernel's net/sched traffic-control subsystem arises from a partial copy-on-write (COW) miss in the pedit action (tcf_pedit_act), where skb_ensure_writable() is sized using tcfp_off_max_hint before the per-key loop and fails to account for the runtime header offset added by typed keys, leaving part of the write region un-COW'd and causing page cache corruption. A local low-privileged attacker able to install tc pedit rules (CAP_NET_ADMIN, obtainable in user namespaces on many distros) can corrupt shared page-cache memory, with CVSS 7.8 reflecting high confidentiality, integrity, and availability impact. Publicly available exploit code exists, though EPSS is low at 0.14% (4th percentile) and the issue is not on CISA KEV.
Technical ContextAI
The flaw lives in the kernel packet-mangling path of the traffic control (tc) framework, specifically the pedit (packet editor) action implemented in net/sched/act_pedit.c. tcf_pedit_act() must ensure the socket buffer (skb) region it is about to modify is writable via a copy-on-write, but it computed that range only once using tcfp_off_max_hint, which ignores the additional header offset that typed keys (e.g., editing within the Ethernet/IP/transport headers) inject at runtime. The result is an out-of-bounds / incompletely-COW'd write into memory that may still be shared via the page cache - a buffer overflow class issue (the supplied Tags label it 'Buffer Overflow'; root cause aligns with CWE-787 out-of-bounds write and improper COW handling). The fix relocates skb_ensure_writable() inside the per-key loop where the true write offset is known, adds overflow checks on offset arithmetic, uses skb_cow() for negative offsets (e.g., ingress Ethernet header edits) to COW the headroom, and guards offset_valid() against INT_MIN where negation is undefined. CPE data identifies the affected product as the Linux kernel (cpe:2.3:a:linux:linux:*).
RemediationAI
Patch available per vendor advisory - update to a Linux kernel that includes the fix commit 899ee91156e57784090c5565e4f31bd7dbffbc5a (and stable backports 2bec122b9fb91507a758ab5e3e5c4fbe7cb3f61b, 3dee9d0c198faeb95d052c1b94c2958751a28512, b198ed4e52580a7238c7c7082f03906f8b310313) by applying your distribution's latest kernel security update; the EUVD/NVD data points to fixed releases in the 4.19.244+, 5.4.195+, 5.10.117+, 5.15.41+, and 5.17.9+ stable series, but confirm the exact patched package version with your distro vendor before deploying. Where immediate patching is not possible, reduce exposure by preventing untrusted users from creating tc pedit rules: disable unprivileged user namespaces (sysctl kernel.unprivileged_userns_clone=0 or user.max_user_namespaces=0) so unprivileged processes cannot obtain CAP_NET_ADMIN - note this can break sandboxes/containers that rely on user namespaces; and restrict CAP_NET_ADMIN to trusted administrators only. Track advisories at https://nvd.nist.gov/vuln/detail/CVE-2026-46331 and https://vuldb.com/vuln/371261. Do not rely solely on these workarounds for multi-tenant or container hosts where local users are inherently untrusted.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37039
GHSA-cr2w-747q-47qc