Severity
High
Analysis Summary
A newly disclosed Linux kernel vulnerability, tracked as CVE-2026-46331 and dubbed packet_edit_meme, enables unprivileged local attackers to gain full root privileges by exploiting a combination of a Copy-on-Write (COW) page-cache corruption flaw and the net/sched act_pedit traffic control subsystem. The vulnerability affects Linux kernel versions 5.18 through 7.1-rc6, originating from kernel commit 899ee91156e5, and has been patched in Linux v7.1-rc7. Unlike many privilege escalation flaws that require elevated permissions, this exploit can be executed by local users without administrative rights on systems where unprivileged user namespaces are enabled, making it a significant threat to enterprise and consumer Linux environments.
The attack abuses the act_pedit component of the Linux traffic control (tc) framework to achieve an out-of-bounds page-cache write, creating a powerful page-cache corruption primitive. The exploit begins by spawning a user namespace that grants the process CAP_NET_ADMIN capabilities, which are accessible to unprivileged users on vulnerable configurations. Attackers then overwrite the cached ELF entry point of the setuid-root /bin/su binary with malicious shellcode. When executed, the injected payload invokes setgid(0), setuid(0), and execve("/bin/sh"), resulting in a fully privileged root shell. This technique allows attackers to compromise a system without modifying the binary on disk, instead targeting the in-memory page cache.
Testing confirmed successful exploitation on several widely deployed Linux distributions, including RHEL 10.0, Debian 13 (Trixie), and Ubuntu 24.04.4, while Ubuntu 26.04 was found to be protected due to enhanced security restrictions. On RHEL and Debian, the exploit works without additional flags because unprivileged user namespaces are enabled by default, and the exploit automatically switches to the matchall classifier when required kernel modules are unavailable. On Ubuntu, two AppArmor sysctls normally restrict unprivileged namespace creation; however, the exploit's --ubuntu mode bypasses these protections by re-executing itself through permissive aa-exec profiles such as trinity, chrome, or flatpak, which allow user namespace creation. This bypass remains effective on Ubuntu 24.04.4 but is blocked in Ubuntu 26.04, where stricter AppArmor enforcement prevents the re-execution technique.
This vulnerability represents the fourth major Linux local privilege escalation flaw disclosed in 2026, following Copy Fail (CVE-2026-31431), DirtyFrag (CVE-2026-43284/CVE-2026-43500), and Fragnesia (CVE-2026-46300), highlighting an ongoing trend of sophisticated kernel memory corruption attacks. Administrators running kernels between v5.18 and v7.1-rc6 should treat CVE-2026-46331 as a critical patch priority by immediately deploying the fixed kernel version, applying vendor security updates such as Red Hat's RHSB-2026-008, restricting unprivileged user namespace creation via sysctl wherever operationally feasible, and monitoring systems for suspicious aa-exec executions and unexpected namespace creation events that may indicate exploitation attempts.
Impact
- Gain Access
Indicators of Compromise
CVE
CVE-2026-31431
CVE-2026-43284
CVE-2026-43500
CVE-2026-46300
CVE-2026-46331
Remediation
- Apply the latest Linux kernel security updates immediately, especially if running kernel versions 5.18 through 7.1-rc6, and upgrade to a patched kernel version (v7.1-rc7 or vendor-provided fixed releases).
- Install vendor security advisories (such as Red Hat RHSB-2026-008) and ensure all systems receive the latest distribution-specific kernel patches.
- Restrict or disable unprivileged user namespace creation using sysctl where operationally feasible to prevent unprivileged users from exploiting the vulnerability.
- Upgrade Ubuntu systems to the latest supported kernel and security updates, as newer releases (e.g., Ubuntu 26.04) include stronger AppArmor protections against this attack.
- Monitor for suspicious aa-exec executions and unexpected user namespace creation events, which may indicate attempts to bypass AppArmor restrictions.
- Enable continuous monitoring and logging to detect unusual privilege escalation attempts, execution of /bin/su, or abnormal traffic control (tc) activity.
- Limit local access to trusted users only and enforce the principle of least privilege to reduce the risk of local exploitation.
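As an added, defender-side example written for this page (not the advisory's own tooling), the following POSIX sh script turns the kernel-range and sysctl remediation items above into a host check: it classifies a kernel version string against the affected range stated here (5.18 through 7.1-rc6, fixed in 7.1-rc7) and reports whether unprivileged user namespace creation is already blocked by a known sysctl. The Ubuntu AppArmor sysctl name (kernel.apparmor_restrict_unprivileged_userns) and the Debian toggle (kernel.unprivileged_userns_clone) are assumptions not named on the page.

```shell
#!/bin/sh
# Added host-side check for CVE-2026-46331 (written for this page, not the advisory's own
# tooling). Kernel range and sysctl semantics follow the advisory; the Ubuntu AppArmor
# sysctl name is an assumption.
# is_affected_kernel VERSION: 0 if VERSION lies in the advisory's range (5.18 to 7.1-rc6),
# else 1. Distro suffixes ("6.8.0-55-generic") are tolerated; vendor backports are not
# detectable here, so an in-range kernel still needs the vendor advisory consulted.
is_affected_kernel() {
    ver=${1%%-*}; maj=${ver%%.*}; rest=${ver#*.}; min=${rest%%.*}
    case "$1" in
        *-rc[0-9]*) rc=${1##*-rc}; rc=${rc%%[!0-9]*} ;;
        *) rc=0 ;;                                   # final release: no rc tag
    esac
    if [ "$maj" -lt 5 ] || { [ "$maj" -eq 5 ] && [ "$min" -lt 18 ]; }; then return 1; fi
    if [ "$maj" -gt 7 ] || { [ "$maj" -eq 7 ] && [ "$min" -gt 1 ]; }; then return 1; fi
    if [ "$maj" -eq 7 ] && [ "$min" -eq 1 ]; then
        # 7.1-rc1..rc6 are affected; 7.1-rc7 and the final 7.1 carry the fix
        if [ "$rc" -ge 1 ] && [ "$rc" -le 6 ]; then return 0; else return 1; fi
    fi
    return 0
}

# userns_restricted SYSCTL_LINES: 0 if a known control already blocks unprivileged user
# namespace creation, 1 if still allowed. Input is "key = value" text as printed by sysctl.
userns_restricted() {
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d ' \t')
        key=${line%%=*}; val=${line#*=}
        case "$key" in
            user.max_user_namespaces)                 # upstream: 0 forbids creation
                case "$val" in 0) return 0 ;; esac ;;
            kernel.unprivileged_userns_clone)         # Debian-family toggle: 0 = off
                case "$val" in 0) return 0 ;; esac ;;
            kernel.apparmor_restrict_unprivileged_userns)   # Ubuntu (assumed name): 1 = on;
                case "$val" in 1) return 0 ;; esac ;;      # bypassed on 24.04.4 per the advisory
        esac
    done <<EOF
$1
EOF
    return 1
}
# report_live_host: run both checks on this machine (procps sysctl; -e skips unknown keys)
report_live_host() {
    k=$(uname -r)
    if is_affected_kernel "$k"; then echo "kernel $k: in affected range"; else echo "kernel $k: not in range"; fi
    s=$(sysctl -e user.max_user_namespaces kernel.unprivileged_userns_clone kernel.apparmor_restrict_unprivileged_userns 2>/dev/null)
    if userns_restricted "$s"; then echo "unprivileged userns: restricted"; else echo "unprivileged userns: allowed"; fi
}
case "${1:-}" in --check) report_live_host ;; esac
```

Run it as `sh check.sh --check` on a host; an "allowed" result on an in-range kernel is the condition the advisory's sysctl recommendation targets.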