A critical vulnerability in the Linux kernel's traffic-control subsystem allows a local, unprivileged user to gain root access, with a public exploit available almost immediately after disclosure. Security administrators are urged to apply patches without delay, especially on multi-tenant systems.
The flaw, identified as CVE-2026-46331 and nicknamed "pedit COW," is an out-of-bounds write in the packet-editing action (act_pedit). By exploiting this, an attacker can corrupt shared page-cache memory. Analysis indicates this technique enables the modification of cached binaries in memory, allowing for the execution of malicious code with root privileges. This method of page-cache poisoning is particularly stealthy, as it operates in volatile memory and leaves no traces on the disk, complicating detection with standard tools.
The risk is compounded by the rapid emergence of a working exploit. A functional proof-of-concept was released publicly within roughly 24 hours of the CVE's assignment on June 16. This dramatically shrinks the defensive window between vulnerability disclosure and active exploitation, raising the threat of automated attacks.
Patching is the only definitive mitigation. Administrators must update their kernel packages via the official channels for their specific Linux distribution. For systems that cannot be patched immediately, restricting or disabling the vulnerable act_pedit kernel module is a recommended interim step, though this may disrupt legitimate traffic-shaping services. Enhanced monitoring for anomalous system calls is also advised, though detecting this specific attack method remains challenging.
The threat is most severe for environments where multiple users share a kernel instance, such as cloud providers, VPS hosts, and shared hosting services. In these scenarios, a single compromised local account could lead to a full host takeover. This incident highlights the critical need for swift patch management and defense-in-depth strategies within the open-source ecosystem.
Linux核心流量控制子系統存在一項關鍵漏洞,允許本地無權限使用者取得ROOT控制權,且漏洞公開後隨即出現公開攻擊程式。安全管理員被敦促立即安裝補丁,尤其在多租戶系統上。
此漏洞被編號為CVE-2026-46331,暱稱「pedit COW」,是封包編輯操作(act_pedit)中的越界寫入漏洞。攻擊者可利用此漏洞損壞共享頁面快取記憶體。分析顯示,該技術能修改記憶體中的快取執行檔案,實現以ROOT權限執行惡意程式碼。這種頁面快取投毒手法極具隱蔽性,因其在易失性記憶體中運作且不會在磁碟留下軌跡,令傳統檢測工具難以察覺。
風險因攻擊程式的迅速出現而加劇。在CVE於6月16日分配後約24小時內,便有功能完備的概念驗證攻擊程式公開發布。這大幅縮短了漏洞披露與實際利用之間的防禦窗口,增加自動化攻擊的威脅。
安裝補丁是唯一確切的緩解措施。管理員必須透過所屬Linux發行版的官方渠道更新核心套件。對於無法立即修補的系統,建議採取限制或停用存在漏洞的act_pedit核心模組作為臨時措施,惟此舉可能影響合法流量整形服務。同時建議加強監測異常系統呼叫,但偵測此特定攻擊方法仍具挑戰性。
多用戶共享核心實例的環境面臨最大風險,例如雲端服務供應商、虛擬專用伺服器主機及共享託管服務。在這些情境下,單一遭入侵的本地帳戶可能導致完整主機被接管。此事件突顯開放源碼生態系統中,迅速補丁管理與縱深防禦策略的關鍵必要性。