## https://sploitus.com/exploit?id=8213BCAE-4E79-5E25-9642-230C8D3F7823
# CVE-2026-46331 pedit COW - Linux LPE Validation and auditd/AppArmor Detection
> Defensive validation report for CVE-2026-46331, focused on Linux kernel `act_pedit`, local privilege escalation behavior, auditd telemetry, AppArmor mitigation, and detection logic.
## Repository description
This repository contains defensive validation reports for **CVE-2026-46331 / pedit COW**, a Linux kernel local privilege escalation vulnerability related to `net/sched/act_pedit`.
The work documents a controlled lab validation on Ubuntu, including:
- pre-mitigation and post-mitigation behavior,
- auditd and AppArmor telemetry,
- kernel journal artifacts,
- detection logic for SOC/SIEM use cases,
- mitigation validation using `kernel.apparmor_restrict_unprivileged_unconfined=1`.
This repository does **not** provide exploit code. Its purpose is defensive analysis, detection engineering, vulnerability validation, and reporting.
## Reports
The reports are available in the [`/reports`](reports/) directory:
| Language | File |
|---|---|
| English | [`CVE-2026-46331_pedit_COW_auditd_EN.pdf`](reports/CVE-2026-46331_pedit_COW_auditd_EN.pdf) |
| Polish | [`CVE-2026-46331_pedit_COW_auditd_PL.pdf`](reports/CVE-2026-46331_pedit_COW_auditd_PL.pdf) |
## What was validated
The report documents whether the tested Ubuntu host met the conditions required for the local privilege escalation path, including:
- availability of the `act_pedit` kernel module,
- enabled unprivileged user namespaces,
- AppArmor user namespace restrictions,
- presence of unconfined AppArmor profiles relevant to the tested path,
- auditd visibility of namespace creation, netlink usage, `aa-exec`, and root process execution.
The lab also compares system behavior before and after enabling:
```text
kernel.apparmor_restrict_unprivileged_unconfined=1
```
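The precondition checks listed above can be scripted so a host can be re-assessed after each configuration change. The following is an added example, not code from this repository or its reports: it classifies a host as unreachable, mitigated or exposed from the README's conditions (act_pedit availability, unprivileged user namespaces, AppArmor user-namespace restriction, and the `kernel.apparmor_restrict_unprivileged_unconfined=1` mitigation). The two sysctl names not on the page, `kernel.unprivileged_userns_clone` and `kernel.apparmor_restrict_unprivileged_userns`, are Ubuntu kernel sysctls and are assumed to exist on the tested host; the classification logic takes the values as arguments so it can be tested without root, and only reads `/proc` when run as a script.

```python
"""Precondition and mitigation check for the CVE-2026-46331 (pedit COW) path.

Added example, not code from the repository or its reports. It evaluates the
conditions the README lists (act_pedit availability, unprivileged user
namespaces, AppArmor user-namespace restriction and the
kernel.apparmor_restrict_unprivileged_unconfined mitigation) from values
passed in, so the logic is unit-testable, and reads live values from /proc
only when run as a script. The two sysctls not named on the page are the
Ubuntu kernel's unprivileged_userns_clone and
apparmor_restrict_unprivileged_userns (assumed present on the tested host).
"""
from __future__ import annotations

import os
from pathlib import Path

SYSCTL_USERNS_CLONE = "kernel.unprivileged_userns_clone"
SYSCTL_RESTRICT_USERNS = "kernel.apparmor_restrict_unprivileged_userns"
SYSCTL_RESTRICT_UNCONFINED = "kernel.apparmor_restrict_unprivileged_unconfined"  # from the README
ALL_SYSCTLS = (SYSCTL_USERNS_CLONE, SYSCTL_RESTRICT_USERNS, SYSCTL_RESTRICT_UNCONFINED)


def read_file(path: str) -> str:
    """Read a file, returning '' when it does not exist or is unreadable."""
    try:
        return Path(path).read_text()
    except OSError:
        return ""


def read_sysctl(name: str) -> str | None:
    """Current value of a sysctl via /proc/sys, or None if the kernel lacks it."""
    value = read_file("/proc/sys/" + name.replace(".", "/")).strip()
    return value or None


def _lists_module(text: str, module: str) -> bool:
    """True if a modules.dep / modules.builtin listing names the module's .ko file."""
    needle = f"/{module}.ko"
    return any(needle in line.split(":", 1)[0] for line in text.splitlines())


def pedit_available(proc_modules: str, modules_dep: str, modules_builtin: str = "") -> bool:
    """True if act_pedit is loaded, auto-loadable, or built into the kernel.

    Arguments are the texts of /proc/modules, modules.dep and modules.builtin.
    """
    loaded = any(line.split(" ", 1)[0] == "act_pedit" for line in proc_modules.splitlines())
    return loaded or _lists_module(modules_dep, "act_pedit") or _lists_module(modules_builtin, "act_pedit")


def assess(sysctls: dict[str, str | None], pedit: bool) -> tuple[str, list[str]]:
    """Classify the host as 'unreachable', 'mitigated' or 'exposed', with reasons.

    Follows the README: the path needs act_pedit, unprivileged user namespaces
    and an AppArmor transition to an unconfined profile;
    apparmor_restrict_unprivileged_unconfined=1 is the validated mitigation.
    A missing sysctl counts as permissive so the check errs toward 'exposed'.
    """
    if not pedit:
        return "unreachable", ["act_pedit neither loaded nor loadable: tested path not reachable"]
    if sysctls.get(SYSCTL_USERNS_CLONE) == "0":
        return "unreachable", ["unprivileged user namespaces disabled (unprivileged_userns_clone=0)"]
    restrict_userns = sysctls.get(SYSCTL_RESTRICT_USERNS) == "1"
    restrict_unconfined = sysctls.get(SYSCTL_RESTRICT_UNCONFINED) == "1"
    if restrict_userns and restrict_unconfined:
        return "mitigated", ["AppArmor restricts unprivileged user namespaces and transitions to "
                             "unconfined profiles (the report's validated mitigation); still patch the kernel"]
    reasons = []
    if restrict_userns:
        reasons.append("userns restriction active, but apparmor_restrict_unprivileged_unconfined != 1: "
                       "aa-exec transitions to unconfined profiles remain possible")
    else:
        reasons.append("no AppArmor restriction on unprivileged user namespaces")
    reasons.append("apply the kernel update; sysctl hardening is a stop-gap, not a replacement")
    return "exposed", reasons


def main() -> None:
    release = os.uname().release
    pedit = pedit_available(read_file("/proc/modules"),
                            read_file(f"/lib/modules/{release}/modules.dep"),
                            read_file(f"/lib/modules/{release}/modules.builtin"))
    verdict, reasons = assess({name: read_sysctl(name) for name in ALL_SYSCTLS}, pedit)
    print(f"verdict: {verdict}")
    for reason in reasons:
        print(f"  - {reason}")


if __name__ == "__main__":
    main()
```

Run it as root (or any user able to read `/proc/sys/kernel/*`) before and after applying the sysctl; a verdict of `mitigated` only means the tested path is closed by configuration, which is why the reason text still points at the kernel update.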
## Detection focus
The main value of this repository is detection-oriented validation. The report focuses on correlation of multiple telemetry sources rather than a single indicator.
High-confidence behavioral sequence:
```text
unprivileged user
-> namespace creation
-> netlink socket usage
-> aa-exec / AppArmor profile transition
-> root_exec with euid=0
```
Useful auditd keys and indicators:
```text
ns_create
netlink_socket
apparmor_bypass_path
root_exec
tc action pedit offset out of bounds
AppArmor DENIED sys_admin/net_admin
```
The reports also include example detection logic for auditd, Splunk SPL, XQL, kernel journal, and AppArmor events.
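The sequence and keys above only become high-confidence when they are correlated per session rather than matched one at a time. The following is an added example, not code from this repository or its reports, of that correlation: it parses auditd SYSCALL records (constructed sample lines, in the shape auditd writes to `/var/log/audit/audit.log`), tracks each unprivileged login session (`ses=`, `auid>=1000`) through `ns_create -> netlink_socket -> apparmor_bypass_path -> root_exec` with `euid=0` inside a time window, and then corroborates an alert with the README's kernel-journal indicators. The `AUDIT_RULES` string shows rules I assume would attach those keys; they are not the rules from the reports, and the journal lines are assumed to be in `journalctl -k -o short-unix` shape.

```python
"""Correlate auditd events into the README's high-confidence sequence.

Added example, not code from the repository or its reports. Parses auditd
SYSCALL records (constructed samples below), groups them by login session
(ses=) and alerts only when one unprivileged session (auid >= 1000) shows, in
order, ns_create -> netlink_socket -> apparmor_bypass_path -> root_exec with
euid=0 inside WINDOW seconds. Kernel-journal lines (assumed journalctl -k -o
short-unix shape, also constructed) corroborate an alert when one of the
README's journal indicators falls inside the alert's time span.
"""
import re

# Assumed auditd rules that would attach the README's keys (not the reports'
# rules; clone() with CLONE_NEWUSER would also need a bitmask filter on a0).
AUDIT_RULES = """\
-a always,exit -F arch=b64 -S unshare,clone3 -F auid>=1000 -F auid!=unset -k ns_create
-a always,exit -F arch=b64 -S socket -F a0=16 -F auid>=1000 -F auid!=unset -k netlink_socket
-w /usr/bin/aa-exec -p x -k apparmor_bypass_path
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=unset -k root_exec
"""

# Constructed sample records: ses=3 is the full sequence, ses=4 a normal
# sudo/apt run (root_exec alone), ses=5 a normal `ip` call (netlink alone).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1715000000.101:2001): arch=c000003e syscall=272 success=yes exit=0 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 ses=3 comm="unshare" exe="/usr/bin/unshare" key="ns_create"
type=SYSCALL msg=audit(1715000002.402:2002): arch=c000003e syscall=41 success=yes exit=3 a0=10 ppid=1234 pid=1235 auid=1000 uid=1000 gid=1000 euid=1000 ses=3 comm="tc" exe="/usr/sbin/tc" key="netlink_socket"
type=SYSCALL msg=audit(1715000005.010:2003): arch=c000003e syscall=59 success=yes exit=0 ppid=1234 pid=1236 auid=1000 uid=1000 gid=1000 euid=1000 ses=3 comm="aa-exec" exe="/usr/bin/aa-exec" key="apparmor_bypass_path"
type=SYSCALL msg=audit(1715000009.300:2004): arch=c000003e syscall=59 success=yes exit=0 ppid=1236 pid=1237 auid=1000 uid=0 gid=0 euid=0 ses=3 comm="sh" exe="/usr/bin/dash" key="root_exec"
type=SYSCALL msg=audit(1715000010.000:2005): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=901 auid=1001 uid=0 gid=0 euid=0 ses=4 comm="apt" exe="/usr/bin/apt" key="root_exec"
type=SYSCALL msg=audit(1715000011.000:2006): arch=c000003e syscall=41 success=yes exit=3 a0=10 ppid=2000 pid=2001 auid=1002 uid=1002 gid=1002 euid=1002 ses=5 comm="ip" exe="/usr/sbin/ip" key="netlink_socket"
"""
# Constructed kernel-journal line carrying one of the README's indicators.
SAMPLE_JOURNAL = "1715000007.500000 lab kernel: tc action pedit offset out of bounds\n"

STAGES = ("ns_create", "netlink_socket", "apparmor_bypass_path", "root_exec")
WINDOW = 300.0            # seconds allowed for the whole sequence
UNSET_AUID = 4294967295   # auditd's value for no login uid
JOURNAL_MARKERS = ("tc action pedit offset out of bounds", 'apparmor="DENIED"')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS_RE = re.compile(r"audit\((\d+\.\d+):\d+\)")


def parse_record(line):
    """Return one audit record's fields (ts as float, ids as int) or None."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = TS_RE.search(fields.get("msg", ""))
    if not m or "key" not in fields:
        return None
    fields["ts"] = float(m.group(1))
    fields.setdefault("ses", "?")
    for name in ("auid", "euid", "pid"):
        fields[name] = int(fields.get(name, -1))
    return fields


def correlate(lines, window=WINDOW):
    """Alert once per session that completes all STAGES in order within window."""
    progress, alerts = {}, []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["key"] not in STAGES:
            continue
        if rec["auid"] < 1000 or rec["auid"] == UNSET_AUID:
            continue  # only unprivileged login sessions can match the sequence
        state = progress.setdefault(rec["ses"], {"idx": 0, "start": rec["ts"], "chain": []})
        if rec["ts"] - state["start"] > window:
            state.update(idx=0, start=rec["ts"], chain=[])  # stale partial chain
        if rec["key"] != STAGES[state["idx"]]:
            continue  # out-of-order or repeated stage: keep waiting
        if rec["key"] == "root_exec" and rec["euid"] != 0:
            continue  # an execve without euid=0 is not the final stage
        if state["idx"] == 0:
            state["start"] = rec["ts"]
        state["chain"].append((rec["ts"], rec["key"], rec["pid"]))
        state["idx"] += 1
        if state["idx"] == len(STAGES):
            alerts.append({"ses": rec["ses"], "auid": rec["auid"], "start": state["start"],
                           "end": rec["ts"], "chain": state["chain"], "corroborated": False})
            del progress[rec["ses"]]
    return alerts


def corroborate(alerts, journal_lines):
    """Flag alerts whose time span contains one of the README's journal markers."""
    hits = []
    for line in journal_lines:
        head, _, rest = line.partition(" ")
        if any(marker in rest for marker in JOURNAL_MARKERS):
            try:
                hits.append(float(head))
            except ValueError:
                continue  # not a short-unix timestamp; skip the line
    for alert in alerts:
        alert["corroborated"] = any(alert["start"] <= t <= alert["end"] for t in hits)
    return alerts


if __name__ == "__main__":
    for a in corroborate(correlate(SAMPLE_AUDIT_LOG.splitlines()), SAMPLE_JOURNAL.splitlines()):
        print(f"ses={a['ses']} auid={a['auid']} corroborated={a['corroborated']} "
              f"chain={[k for _, k, _ in a['chain']]}")
```

Sessions 4 and 5 each carry one of the listed keys on their own and produce nothing, which is the point the README makes about single indicators; the same state machine translates directly into the per-session `transaction`-style logic used in SPL or XQL.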
## Repository structure
Current structure:
```text
.
├── README.md
└── reports/
    ├── CVE-2026-46331_pedit_COW_auditd_EN.pdf
    └── CVE-2026-46331_pedit_COW_auditd_PL.pdf
```
This is sufficient for the current scope. If detection rules are extracted into standalone files later, an optional `/detections` directory may be added:
```text
detections/
├── auditd.rules
├── splunk.spl
└── xql.xql
```
## Intended audience
This material may be useful for:
- vulnerability management teams,
- SOC analysts,
- detection engineers,
- Linux administrators,
- incident responders,
- security researchers working in controlled lab environments.
## Defensive use only
The material is intended for controlled validation, defensive detection development, and mitigation assessment. It must not be used to target systems without explicit authorization.
## Key takeaway
The tested mitigation reduced the practical impact of the tested exploitation path, but configuration mitigations should not be treated as a replacement for a kernel update. The recommended approach is to patch the kernel and maintain additional hardening where operationally possible.
## References
- NVD: CVE-2026-46331
- Ubuntu Security: CVE-2026-46331
- Ubuntu AppArmor user namespace restriction documentation
- The Hacker News coverage of pedit COW
- Red Hat CVE advisory