## https://sploitus.com/exploit?id=BDDADE0B-C11C-55AD-AC1E-1C4477E65931
# CVE-2026-46331 - Linux Kernel COW Bug
### Linux Kernel `net/sched` Partial Copy-on-Write (COW) Page Cache Corruption



*A Linux kernel vulnerability caused by incorrect Copy-on-Write (COW) handling in the traffic control (`tc`) packet-editing action, `act_pedit`.*
---
# Overview
**CVE-2026-46331** is a Linux kernel vulnerability in the **`net/sched` packet-edit action (`act_pedit`)**.
The kernel sizes the writable Copy-on-Write (COW) region of a packet buffer **before** the offsets actually written by each edit key are known. Typed keys add a header-relative offset at runtime, so an edit can land outside the region that was copied. If the buffer is still shared with another reference (a clone, or page-cache pages attached by a zero-copy send path such as `sendfile()`), the write goes to those shared pages instead of a private copy, resulting in **page cache corruption**.
Under specific conditions this corruption can become a powerful primitive for **local privilege escalation (LPE)**; at minimum it destabilises the kernel.
---
# Technical Details
## Vulnerable Component
```
Linux Kernel
└── net/
    └── sched/
        └── act_pedit.c
```
Affected function:
```c
tcf_pedit_act()
```
Problem:
```
skb_ensure_writable()
        │
        ▼
Calculates writable range only once
        │
        ▼
Runtime header offsets change later
        │
        ▼
Memory outside COW region is modified
        │
        ▼
Page Cache Corruption
```
---
# Root Cause
The vulnerable implementation:
- Computes the writable region only once, before the per-key loop.
- Sizes that region from the precomputed `tcfp_off_max_hint` rather than from the offset each key will actually write.
- Does **not** account for the runtime header offsets added by typed packet-edit keys.
- Writes to bytes that lie beyond the copied region.
The result is a partial Copy-on-Write: the leading bytes of the packet are private, but the bytes being edited are not, so the edit lands on pages still shared with other users of the data, including cached file pages.
---
# Impact
Possible consequences include:
- Kernel memory corruption
- Page cache corruption
- System crashes
- Undefined kernel behavior
- Potential Local Privilege Escalation (LPE)
- Privileged code execution under favorable conditions
---
# Attack Requirements
An attacker generally requires:
- Local code execution
- The ability to configure Linux Traffic Control (`tc`), specifically `pedit` actions
- `CAP_NET_ADMIN` (directly, or over a namespaced network stack via an unprivileged user namespace, depending on system configuration)
No remote attack vector has been described in the official advisory.
---
# Affected Component
```
Traffic Control (tc)
        ↓
act_pedit
        ↓
tcf_pedit_act()
        ↓
skb_ensure_writable()
        ↓
Partial COW
        ↓
Page Cache Corruption
```
---
# Fix
The upstream kernel patch:
- Moves `skb_ensure_writable()` inside the per-key processing loop.
- Sizes the writable range from the actual runtime write offset of each key, not from the hint.
- Validates the offset arithmetic against integer overflow.
- Uses `skb_cow()` for negative offsets (writes into the headroom).
- Rejects offset values that make the arithmetic invalid (`INT_MIN`).
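To make the root cause and the fix concrete, here is an added userspace model. It is not code from the kernel or from the advisory's author: `toy_skb`, `ensure_writable()`, `hdr_offset()` and `toy_key` are stand-ins for `sk_buff`, `skb_ensure_writable()`, `pedit_skb_hdr_offset()` and the pedit key layout, the header offset table (0/14/34) is an assumed L2/L3/L4 layout, and the 20-byte hint and the key resolving to offset 42 are constructed. The vulnerable variant makes only the hinted prefix private and then writes past it into the shared backing store; the fixed variant resolves each key's offset first, rejects `INT_MIN` and overflowing arithmetic, and makes exactly the written range private. Negative offsets are simply refused here because the model has no headroom, whereas the page says the real patch handles them with `skb_cow()`.

```c
/* Added userspace model of the partial-COW condition on this page, not kernel code:
 * toy_skb/ensure_writable()/hdr_offset() stand in for sk_buff/skb_ensure_writable()/pedit_skb_hdr_offset(). */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PKT_LEN 64
#define KEY_LEN 4   /* pedit keys patch 32-bit words */
/* Shared backing store (think: page-cache page attached to a zero-copy skb); writes landing here are the bug. */
static unsigned char shared_page[PKT_LEN];

struct toy_skb { unsigned char *priv; int len, writable_len; }; /* priv: copy of first writable_len bytes */
struct toy_key { int htype, off; uint32_t val; };               /* constructed: htype 0=L2 1=L3 2=L4 */

static int hdr_offset(int htype)   /* stand-in for pedit_skb_hdr_offset() */
{
    static const int base[] = { 0, 14, 34 };
    return (htype < 0 || htype > 2) ? -1 : base[htype];
}

/* Model of skb_ensure_writable(skb, n): the first n bytes become private, the rest
 * still lives in shared_page.  This partial copy is the crux of the bug. */
static int ensure_writable(struct toy_skb *skb, int n)
{
    if (n > skb->len) return -1;
    if (n <= skb->writable_len) return 0;
    unsigned char *p = realloc(skb->priv, (size_t)n);
    if (!p) return -1;
    memcpy(p + skb->writable_len, shared_page + skb->writable_len,
           (size_t)(n - skb->writable_len));
    skb->priv = p;
    skb->writable_len = n;
    return 0;
}

static void write_key(struct toy_skb *skb, int off, uint32_t val)
{
    for (int i = 0; i < KEY_LEN; i++, off++)   /* each byte goes wherever it currently lives */
        *(off < skb->writable_len ? skb->priv + off : shared_page + off) =
            (unsigned char)(val >> (8 * i));
}

/* Vulnerable shape: the writable range is sized once from a hint, before the
 * per-key header offsets are known. */
static int pedit_vulnerable(struct toy_skb *skb, const struct toy_key *keys,
                            int nkeys, int off_max_hint)
{
    if (ensure_writable(skb, off_max_hint < skb->len ? off_max_hint : skb->len))
        return -1;
    for (int i = 0; i < nkeys; i++) {
        int hoff = hdr_offset(keys[i].htype);
        if (hoff < 0) continue;
        int off = hoff + keys[i].off;                       /* may exceed the hint */
        if (off < 0 || off > skb->len - KEY_LEN) continue;  /* length checked, COW coverage not */
        write_key(skb, off, keys[i].val);
    }
    return 0;
}

/* Fixed shape per the page's patch summary: real offset per key, INT_MIN/overflow rejected, range covers the write. */
static int pedit_fixed(struct toy_skb *skb, const struct toy_key *keys, int nkeys)
{
    for (int i = 0; i < nkeys; i++) {
        int hoff = hdr_offset(keys[i].htype);
        if (hoff < 0 || keys[i].off == INT_MIN || keys[i].off > INT_MAX - hoff)
            return -1;
        int off = hoff + keys[i].off;
        if (off < 0) return -1;   /* no headroom in this model; the real fix uses skb_cow() here */
        if (off > skb->len - KEY_LEN || ensure_writable(skb, off + KEY_LEN))
            return -1;
        write_key(skb, off, keys[i].val);
    }
    return 0;
}

/* Constructed scenario: data still shared, hint covering only L2+L3 (20 bytes), one
 * key 8 bytes into the L4 header (absolute offset 42).  Returns 1 if shared_page changed. */
int shared_page_corrupted(int use_fix)
{
    struct toy_skb skb = { NULL, PKT_LEN, 0 };
    struct toy_key key = { 2, 8, 0x41414141u };
    int dirty = 0;
    memset(shared_page, 0, sizeof shared_page);
    if (use_fix) pedit_fixed(&skb, &key, 1);
    else         pedit_vulnerable(&skb, &key, 1, 20);
    for (int i = 0; i < PKT_LEN; i++) dirty |= shared_page[i] != 0;
    free(skb.priv);
    return dirty;
}

int main(void)
{
    printf("vulnerable path dirtied shared page: %d\n", shared_page_corrupted(0));
    printf("fixed path dirtied shared page:      %d\n", shared_page_corrupted(1));
    return 0;
}
```

The length check in the vulnerable loop is the detail worth noticing: the write stays inside `skb->len`, so nothing trips a bounds check, yet the bytes it touches were never copied. Only a per-key `ensure_writable()` call sized from the resolved offset closes that gap.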
---
# Mitigation
- Update to a patched Linux kernel.
- Restrict `CAP_NET_ADMIN` to the administrators and services that need it.
- Remove `tc` packet-edit (`pedit`) rules that are not needed.
- Limit unprivileged user namespaces where operationally appropriate, since they can grant `CAP_NET_ADMIN` over a namespaced network stack.
- Reboot after installing the fixed kernel; the running kernel keeps the vulnerable code until then.
---
# Summary
| Field | Value |
|-------|-------|
| CVE | CVE-2026-46331 |
| Component | Linux Kernel `net/sched` |
| Module | `act_pedit` |
| Vulnerability | Partial Copy-on-Write |
| Impact | Page Cache Corruption |
| Possible Result | Kernel Memory Corruption / Potential LPE |
| Attack Vector | Local |
| Privileges Required | Typically `CAP_NET_ADMIN` |
| Fix Available | Yes |
---
# References
- NIST National Vulnerability Database
- Red Hat Security Advisory
- Ubuntu Security Notice
---
### Stay Updated
Kernel vulnerabilities evolve rapidly.
Always keep your Linux kernel updated with the latest stable security patches.