A newly disclosed Linux kernel vulnerability is putting multiple major Linux distributions at risk by allowing unprivileged local users to escalate privileges to full root access.
The flaw combines a Copy-on-Write (COW) page-cache corruption vulnerability with the net/sched subsystem's act_pedit component, creating a powerful privilege escalation chain. The exploit, dubbed packet_edit_meme, was successfully demonstrated in June 2026 against several actively maintained enterprise and consumer Linux distributions.
Vulnerability Overview
The root cause is a partial-COW page-cache corruption bug introduced in Linux kernel commit 899ee91156e5. The issue affects kernel versions 5.18 through 7.1-rc6 and has been patched in 7.1-rc7.
The vulnerability resides within the Linux traffic control (tc) framework, specifically the net/sched act_pedit subsystem.
By abusing the flaw, attackers can create a user namespace with CAP_NET_ADMIN privileges, which remains accessible to unprivileged users on systems where user namespaces are enabled by default.
The exploit then uses the page-cache corruption primitive to overwrite the cached ELF entry point of the setuid-root binary /bin/su, injecting shellcode that executes:
setgid(0)setuid(0)execve("/bin/sh")
The result is a fully privileged root shell.
Fourth Major Linux Privilege Escalation Flaw in 2026
This vulnerability follows a series of critical Linux privilege escalation disclosures:
| Vulnerability | CVE | Disclosure Date | Subsystem | Primitive |
|---|---|---|---|---|
| Copy Fail | CVE-2026-31431 | Apr 30, 2026 | algif_aead (AF_ALG) | 4-byte page-cache write |
| DirtyFrag | CVE-2026-43284 / CVE-2026-43500 | May 8, 2026 | IPsec ESP + RxRPC | Full write primitive |
| Fragnesia | CVE-2026-46300 | May 14, 2026 | XFRM ESP-in-TCP | Arbitrary byte write |
| packet_edit_meme | CVE-2026-46331 | Jun 26, 2026 | net/sched act_pedit | Out-of-bounds page-cache write |
All four vulnerabilities allow privilege escalation without requiring root access.
Affected Distributions
Researchers confirmed successful exploitation on several popular Linux distributions:
| Distribution | Kernel Version | Result |
|---|---|---|
| RHEL 10.0 | 6.12.0-228.el10 | ROOT |
| Debian 13 (Trixie) | 6.12.90+deb13.1 | ROOT |
| Ubuntu 24.04.4 | 6.17.0-22 | ROOT |
| Ubuntu 26.04 | 7.0.0-14-generic | Failed |
RHEL and Debian are immediately vulnerable because both enable unprivileged user namespaces by default.
Ubuntu-Specific Bypass
Ubuntu includes additional AppArmor protections through:
kernel.apparmor_restrict_unprivileged_usernskernel.apparmor_restrict_unprivileged_unconfined
However, researchers demonstrated that Ubuntu 24.04.4 can be bypassed using the --ubuntu flag, which re-executes the exploit through permissive AppArmor profiles such as:
- trinity
- chrome
- flatpak
This technique bypasses namespace restrictions and enables successful exploitation.
The bypass no longer works on Ubuntu 26.04 due to tighter AppArmor enforcement.
Mitigation Recommendations
Administrators should prioritize patching affected systems immediately.
Recommended actions include:
- Apply the latest Linux kernel security updates
- Upgrade to patched kernel versions
- Restrict unprivileged user namespace creation where possible
- Monitor for unexpected
aa-execactivity - Audit namespace creation events
- Review Red Hat advisory RHSB-2026-008 for vendor-specific guidance
Organizations running Linux kernels between 5.18 and 7.1-rc6 should treat this vulnerability as a critical priority.
Final Thoughts
The disclosure of CVE-2026-46331 highlights the continued risks associated with kernel-level memory corruption vulnerabilities. With working exploit code already demonstrated across major distributions, defenders should assume active weaponization is possible and prioritize remediation efforts accordingly.
