New Linux pedit COW Exploit Enables Root Access by Poisoning Cached Binaries

A flaw in the Linux kernel's traffic-control subsystem can let a local unprivileged user gain root on affected systems. CVE-2026-46331, nicknamed "pedit COW," is an out-of-bounds write in the packet-editing action (act_pedit) that corrupts shared page-cache memory. A public, working exploit appeared within a day of the CVE assignment on June 16. Red Hat rates the flaw as

Report facts: CVE-2026-46331 ("pedit COW") is a Linux kernel privilege-escalation flaw in the traffic-control act_pedit action that allows a local unprivileged user to gain root by corrupting shared page-cache memory, including poisoning a cached setuid root binary such as /bin/su without touching the file on disk.[1][3] A public, working exploit was released shortly after disclosure, and major distributions (Debian, Ubuntu, Red Hat, CloudLinux) are issuing kernel patches and advising mitigations such as disabling act_pedit or unprivileged user namespaces.[2][3][9] CyberSE.AI analysis: Any AI platform or agent infrastructure running Linux (e.g., Kubernetes nodes, CI/CD runners, model-serving clusters) that is vulnerable to pedit COW risks full host compromise by unprivileged tenants, which directly impacts model integrity, credentials, and training or inference data hosted on those machines. Organizations should treat affected AI infrastructure as potentially compromised until patched, incorporate CVE-2026-46331 into SBOM-driven kernel dependency reviews, and ensure their AI readiness and secure-agent build processes enforce timely kernel patching and strict control over user names