Summary
| Field | Value |
|---|---|
| CVE-ID | CVE-2026-46331 |
| Description | Incorrect writable-range calculation in Linux kernel act_pedit: runtime header offsets can move a packet edit beyond the copy-on-write range, producing an out-of-bounds write into shared page-cache memory. |
| Product / Vendor | Linux kernel / Linux kernel project (kernel.org) |
| TLCTC | #2 Exploiting Server |
| Sub-cluster | #2.2 / TLCTC-02.20 — Core function vector (internal processing / parsing flaw) |
| CWE-ID | CWE-787: Out-of-bounds Write — best-fit analyst assignment. NVD has not yet populated its CWE field; Red Hat characterizes the flaw as a missing-bounds-check out-of-bounds write. |
tcf_pedit_act() derives the writable copy-on-write range, but a runtime header-relative offset moves the actual write past it, into shared privileged page-cache memory. That single kernel write is the #2.2 step (DRE: I) and it also accomplishes the unprivileged→root crossing.
Vector & Score
| Field | Value |
|---|---|
| Vector String | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| Score | 8.5 High — Canonical/Ubuntu. NVD currently has no CVSS assessment. |
Initial Vector
No. AV:L and PR:L fail the network and no-prior-privilege requirements. UI:N passes, but all IAV conditions must be true simultaneously. A prior local foothold or local account is required.
Prerequisites
- Local unprivileged code execution or account
- An affected kernel
- Reachable or loadable act_pedit
- Ability to configure the necessary traffic-control state
Published exploitation commonly relies on unprivileged user and network namespaces: a process that creates its own user namespace holds CAP_NET_ADMIN over a network namespace it owns, which is what the rtnetlink traffic-control interface requires to create qdiscs, filters and pedit actions. Whether that path is open on a given host is governed by the user.max_user_namespaces sysctl and, on distributions that carry it, kernel.unprivileged_userns_clone. No user interaction is required.
Interaction Context
Components
Local userspace process → netlink/traffic-control configuration → kernel net/sched/act_pedit.c → socket-buffer fragments / shared page cache → optionally a setuid executable.
Privilege levels
Unprivileged local user → kernel processing context → potentially root when a corrupted privileged executable is invoked.
Data flow
The attacker supplies typed pedit keys and packet state. tcf_pedit_act() calculates an approximate writable range before processing the keys, but a runtime header-relative offset can place the actual store outside that range.
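The following C program is an added illustration of the bug class described in the Summary and in this Data flow paragraph; it is not kernel code, not the upstream fix, and not taken from any advisory. It models a socket buffer as a private linear head plus one fragment that aliases a shared page until copy-on-write detaches it, then contrasts two pedit loops: one that makes a single up-front range writable from a configuration-time size hint and validates each store only against total packet length, and one that makes exactly the bytes of each store writable before storing. The split between a MAC-relative hint and a transport-relative key is a constructed stand-in for the "approximate writable range" the text describes; the real arithmetic in net/sched/act_pedit.c is deliberately not reproduced, and every name, constant and layout below is an assumption.

```c
/* Toy model of the act_pedit bug class; names and layout are assumptions, not kernel code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HEAD_LEN 32                       /* private linear head, bytes */
#define FRAG_LEN 32                       /* one paged fragment, bytes  */
#define PKT_LEN  (HEAD_LEN + FRAG_LEN)

/* Constructed header bases for a plain Ethernet/IPv4/TCP frame. */
enum hdr_type { HDR_MAC = 0, HDR_NETWORK = 14, HDR_TRANSPORT = 34 };

/* One pedit key: header the offset is relative to, byte offset, value to store. */
struct pedit_key { enum hdr_type htype; int off; uint32_t val; };

/* Toy skb: private head plus one fragment aliasing a shared page until COW detaches it. */
struct toy_skb {
    uint8_t head[HEAD_LEN];
    uint8_t *frag;                        /* shared page until copied */
    uint8_t frag_copy[FRAG_LEN];
    bool frag_private;
};

/* Model of skb_ensure_writable(): make bytes [0, len) safe to modify. */
static void ensure_writable(struct toy_skb *skb, int len)
{
    if (len > HEAD_LEN && !skb->frag_private) {
        memcpy(skb->frag_copy, skb->frag, FRAG_LEN);
        skb->frag = skb->frag_copy;       /* detach from the shared page */
        skb->frag_private = true;
    }
}

/* Model of skb_store_bits(): store 4 bytes across head and fragment. */
static void store_bits(struct toy_skb *skb, int off, uint32_t val)
{
    uint8_t b[4];
    memcpy(b, &val, sizeof b);
    for (int i = 0; i < 4; i++) {
        if (off + i < HEAD_LEN)
            skb->head[off + i] = b[i];
        else
            skb->frag[off + i - HEAD_LEN] = b[i];   /* shared if not copied */
    }
}

/* Bounds check against total packet length only, as offset_valid() does. */
static bool offset_valid(int off) { return off >= 0 && off + 4 <= PKT_LEN; }

/* Vulnerable: one COW range sized up front from a MAC-relative config-time hint; stores use runtime bases. */
static int pedit_act_vulnerable(struct toy_skb *skb, const struct pedit_key *keys,
                                int nkeys, int off_max_hint)
{
    ensure_writable(skb, HDR_MAC + off_max_hint);
    for (int i = 0; i < nkeys; i++) {
        int off = keys[i].htype + keys[i].off;
        if (!offset_valid(off))
            return -1;
        store_bits(skb, off, keys[i].val);   /* may exceed the COW'd range */
    }
    return 0;
}

/* Hardened pattern: COW exactly the bytes each store touches, per key. */
static int pedit_act_fixed(struct toy_skb *skb, const struct pedit_key *keys, int nkeys)
{
    for (int i = 0; i < nkeys; i++) {
        int off = keys[i].htype + keys[i].off;
        if (!offset_valid(off))
            return -1;
        ensure_writable(skb, off + 4);
        store_bits(skb, off, keys[i].val);
    }
    return 0;
}

/* Run one variant on a fresh skb whose fragment aliases a shared page;
 * return true if that page was modified (the out-of-bounds write landed). */
static bool shared_page_modified(bool use_fixed)
{
    uint8_t shared[FRAG_LEN];
    memset(shared, 0xAA, sizeof shared);
    struct toy_skb skb = { .frag = shared };         /* head zeroed, frag shared */
    /* Constructed key: 8 bytes past the transport header, absolute offset 42. */
    struct pedit_key key = { .htype = HDR_TRANSPORT, .off = 8, .val = 0x41414141u };
    if (use_fixed)
        pedit_act_fixed(&skb, &key, 1);
    else
        pedit_act_vulnerable(&skb, &key, 1, key.off + 4); /* hint covers [0, 12) */
    for (int i = 0; i < FRAG_LEN; i++)
        if (shared[i] != 0xAA)
            return true;
    return false;
}

int main(void)
{
    printf("vulnerable OOB hit shared page: %d, fixed: %d\n",
           shared_page_modified(false), shared_page_modified(true));
}
```

Both variants pass the same offset_valid() check, which is the point: a check against total packet length says nothing about which bytes have been made private, so the store in the vulnerable loop lands in the still-shared fragment (the model of page-cache-backed memory) while the hardened loop copies that fragment first. Build with `cc -std=c11 -Wall` and run; the vulnerable variant reports 1, the fixed variant 0.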
Trust boundary
Intra-host userspace-to-kernel request boundary, followed in the demonstrated exploit by an unprivileged-to-root transition.
R-ROLE Conclusion
Server role. The local process submits inbound netlink/configuration stimuli and packet data; the vulnerable kernel function accepts and processes those stimuli. This is therefore #2, not #3. The error is in internal packet-edit / COW-range processing, supporting #2.2 rather than a protocol parser (#2.1) or delegated external handler (#2.3). TLCTC classifies CWE-787 contextually according to this interaction role — the role is determined by the host's position relative to attacker-controlled input, not by the host's general identity.
Justification
The exploited generic vulnerability is a server-role implementation flaw in privileged kernel code — specifically an incorrect bounds/COW-range computation allowing an out-of-bounds write. Privilege escalation and page-cache poisoning are effects, not clusters.
Under R-EXEC, the CVE itself remains assigned to #2.2. A separate #7 step is added only in exploit realizations that write and subsequently execute foreign content. A crash-only realization remains #2.2 without #7.
Attack Paths
Path 1 — Published page-cache / foreign-code exploitation
The #2.2 step corrupts the cached image of a privileged executable; that same kernel-write step accomplishes the unprivileged-to-root crossing, so the intra-system operator attaches here (R-INTRA-2). Invoking the corrupted executable then runs attacker-supplied content as root — the additive #7 step (R-EXEC). The integrity loss to the cached image is carried by #2.2; the C/I loss produced by the root payload is carried by #7.
Path 2 — Non-execution failure mode
Malformed traffic-control state triggers kernel memory corruption or a system crash with no foreign executable content. R-EXEC therefore does not add #7. The availability loss (system down / data gone) is Av.
Path 3 — Illustrative chained compromise
A separate remote server flaw first establishes a low-privilege implant (the remote #2 step, then implant execution #7). CVE-2026-46331 then supplies local kernel escalation — the #2.2 step accomplishes the @service_user→@root crossing — followed by execution of the page-cache payload as root.
Notation Corrections Applied
The classification logic in the original draft was sound. Four notation conformance issues were corrected against canonical v2.1 rules:
- |[privilege][@user→@root]| was attached to the #7 step. The privilege crossing is accomplished by the #2.2 kernel write that corrupts the privileged image, not by execution. The operator must attach to the step that accomplishes the crossing. Moved to #2.2 in Paths 1 and 3.
- →[Δt=minutes]→ (double arrow) is non-conformant. Canonical form is a single trailing arrow: →[Δt=minutes]. Corrected in Path 3.
- The integrity loss to the cached executable image belongs on the #2.2 step that causes it; the C/I loss from the root payload belongs on the #7 execution step. The original collapsed both onto #7.
- "Privilege escalation" itself is an effect (SG-4) and is never a standalone node.
Sources
- NVD CVE record
- Red Hat security bulletin RHSB-2026-008
- Canonical / Ubuntu advisory
- Upstream Linux fix references
Note: source designators are reproduced as supplied in the draft and should be verified against live advisories before publication. NVD CWE and CVSS fields were unpopulated at time of analysis.
TLCTC · Top Level Cyber Threat Clusters · Cause-side classification · v2.1 · CC BY 4.0 · tlctc.net