A newly disclosed Linux kernel vulnerability combining a Copy-on-Write (COW) page-cache corruption flaw with the net/sched subsystem’s act_pedit component is enabling unprivileged local attackers to escalate privileges to full root access on several major Linux distributions.
The exploit, dubbed packet_edit_meme, has been verified in June 2026 against actively maintained enterprise and consumer kernels.
The root cause is a partial-COW page-cache corruption bug introduced in kernel commit 899ee91156e5, present across Linux kernel versions v5.18 through v7.1-rc6 and patched in v7.1-rc7. The flaw resides in the net/sched act_pedit subsystem, a traffic editing component of the Linux traffic control (tc) framework.
The attack chain works by spawning a user namespace child process with CAP_NET_ADMIN capabilities — a permission reachable by unprivileged users on systems where unprivileged user namespaces are enabled by default.
The exploit then leverages the COW corruption primitive to overwrite the page-cached ELF entry point of the setuid-root binary /bin/su, injecting shellcode that executes setgid(0) + setuid(0) + execve("/bin/sh") — delivering a root shell to the attacker.
This is the fourth recent privilege escalation vulnerability disclosed in Linux systems.
| Vulnerability | CVE | Disclosed | Subsystem | Write Primitive | Root Required? |
|---|---|---|---|---|---|
| Copy Fail | CVE-2026-31431 | April 30, 2026 | algif_aead (AF_ALG crypto) | 4-byte page-cache write | No |
| DirtyFrag | CVE-2026-43284 / CVE-2026-43500 | May 8, 2026 | IPsec ESP (xfrm) + RxRPC | Full write primitive (chained) | No |
| Fragnesia | CVE-2026-46300 | May 14, 2026 | XFRM ESP-in-TCP | Arbitrary byte write | No |
| pedit COW | CVE-2026-46331 | June 26, 2026 | net/sched act_pedit | Out-of-bounds page-cache write | No |
Affected Distributions
Verified testing confirms exploitation success on multiple widely deployed distributions:
| Distribution | Kernel | Flag | Result |
|---|---|---|---|
| RHEL 10.0 | 6.12.0-228.el10 | None | ROOT |
| Debian 13 (Trixie) | 6.12.90+deb13.1 | None | ROOT |
| Ubuntu 24.04.4 | 6.17.0-22 | --ubuntu | ROOT |
| Ubuntu 26.04 | 7.0.0-14-generic | --ubuntu | FAIL |
RHEL and Debian are immediately vulnerable with no flags required, as both ship with unprivileged user namespaces open by default. Notably, RHEL lacks cls_basic and em_meta modules, but the exploit automatically falls back to matchall to deliver the same corruption primitive.
Ubuntu enforces two sysctls that restrict unprivileged user namespace creation:
kernel.apparmor_restrict_unprivileged_userns— blocks unconfined userns creationkernel.apparmor_restrict_unprivileged_unconfined— preventsaa-execpermissive profiles from shedding the restriction
The --ubuntu flag re-executes the exploit via aa-exec using permissive profiles such as trinity, chrome, or flatpak — which carry a userns rule — effectively bypassing the AppArmor gate.
This bypass works on Ubuntu 24.04.4 (unconfined=0) but is closed on Ubuntu 26.04 (unconfined=1), which tightens the restriction to block this re-execution path entirely.
Mitigations
Red Hat has published an official security bulletin at RHSB-2026-008. Administrators are strongly urged to apply kernel patches immediately, restrict unprivileged user namespace creation via sysctl where operationally feasible, and monitor for unexpected aa-exec invocations or namespace creation events.
Organizations running kernels between v5.18 and v7.1-rc6 should treat this as a critical priority patch.
What Features Should AI SOC Have? – Download Free 2026 AI SOC Features Checklist
