
Luci Stanescu
on 1 July 2026

pedit COW kernel local privilege escalation vulnerability mitigations


Mitigations are available for the Linux vulnerability with CVE ID CVE-2026-46331. The CVE ID was assigned on June 16, 2026 and highlighted as a local privilege escalation (LPE) vulnerability on June 26, 2026. Known as “pedit COW”, this vulnerability affects multiple Linux distributions, including all Ubuntu releases starting with Bionic Beaver 18.04 LTS. Ubuntu Resolute Raccoon 26.04 LTS has AppArmor mitigations that block the execution path of the vulnerability.

The vulnerability was assigned a CVSS 3.1 score of 7.8, corresponding to a severity of HIGH, on June 28, 2026.

The affected component is a Linux kernel module that provides support for tc-pedit, an action used by the traffic control subsystem in Linux that allows for arbitrary packet modification.

This post describes mitigations that disable the affected modules, if they are not needed by a host. These mitigations can be applied until Linux kernel packages which implement the proposed patch are released.

Impact

Deployments without container workloads

On hosts that do not run container workloads, the vulnerability allows a local user to elevate privileges to the root user. There is a published exploit that executes in this type of deployment.

Container deployments

In container deployments that may execute arbitrary third-party workloads, the vulnerability may also facilitate container escape scenarios, in addition to local privilege escalation on the host. A proof-of-concept exploit for container escape has not been published yet.

Mitigation regression risk

The mitigation disables the kernel modules that are used for the pedit action in tc. Enabling the mitigation will affect functionality if the module is in use by local traffic control rules.

Affected releases

Once available, the vulnerability fix will be distributed through the Linux kernel image packages. In the interim, a mitigation which disables the affected modules can be applied according to the instructions below. The mitigation will not be necessary once the kernel is updated.

| Release | Package Name | Remediation Status |
|---|---|---|
| Trusty Tahr (14.04 LTS) | linux | Not affected |
| Xenial Xerus (16.04 LTS) | linux | Not affected |
| Bionic Beaver (18.04 LTS) | linux | Affected |
| Focal Fossa (20.04 LTS) | linux | Affected |
| Jammy Jellyfish (22.04 LTS) | linux | Affected |
| Noble Numbat (24.04 LTS) | linux | Affected |
| Questing Quokka (25.10) | linux | Affected |
| Resolute Raccoon (26.04 LTS) | linux | AppArmor mitigations |

How to check if you are impacted

Run the following command to obtain the name of the Ubuntu release installed and compare to the table above:

lsb_release -a

Manual mitigation

The mitigations block the affected kernel module from loading. This requires three steps:

  1. Prevent the module from loading in the future.
  2. Unload the module.
  3. Check whether step 2 was successful; if not, reboot the system.

Step 1 – block the module:

Block the module by creating a /etc/modprobe.d/pedit-cow.conf file:

echo "install act_pedit /bin/false" | sudo tee /etc/modprobe.d/pedit-cow.conf

Regenerate the initramfs images, to prevent the module from being loaded during early boot:

sudo update-initramfs -u -k all

Step 2 – unload module:

Unload the module, in case it is already loaded:

sudo rmmod act_pedit 2>/dev/null 

Step 3 – confirm the module isn’t loaded:

Check whether the module is still loaded:

grep -qE '^act_pedit ' /proc/modules && echo "Affected module is loaded" || echo "Affected module is NOT loaded"

If the previous action indicates that the module is not loaded, no further action is required. However, unloading the module may not be possible if it is in use by existing traffic control rules. In these instances, a system reboot will enforce its blocking, but will affect traffic control rules:

sudo reboot
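
The three steps above can be audited in one pass. The script below is an added example, not part of the original post: it reads a modprobe.d directory and a file in the /proc/modules layout, and reports whether the block rule is in place and whether a reboot is needed. The function names are hypothetical, and it assumes a non-zero use count (third field of /proc/modules) means the module is held by traffic control rules and rmmod will fail.

```shell
#!/bin/sh
# Added example (not from the original post): report the act_pedit mitigation
# state by reading files only, so the check itself never triggers a module load.

# module_state FILE: FILE uses the /proc/modules layout
# (name size use-count dependents state address).
module_state() {
    awk '$1 == "act_pedit" { found = 1; print (($3 + 0 > 0) ? "in-use" : "idle") }
         END { if (!found) print "absent" }' "$1"
}

# block_rule_present DIR: succeeds if a *.conf file in DIR holds an active
# "install act_pedit /bin/false" line (commented-out lines are ignored).
block_rule_present() {
    cat "$1"/*.conf 2>/dev/null |
        grep -Eq '^[[:space:]]*install[[:space:]]+act[_-]pedit[[:space:]]+/bin/false([[:space:]]|$)'
}

# mitigation_status MODULES_FILE MODPROBE_DIR: combine both checks into one verdict.
mitigation_status() {
    state=$(module_state "$1")
    if ! block_rule_present "$2"; then
        echo "unprotected (module $state)"      # step 1 not applied
    elif [ "$state" = "absent" ]; then
        echo "mitigated"                        # blocked and not loaded
    elif [ "$state" = "idle" ]; then
        echo "blocked, run rmmod"               # step 2 still pending
    else
        echo "blocked, reboot required"         # module held by existing rules
    fi
}

# Constructed sample input: a host after step 1 with a tc rule still using pedit.
demo=$(mktemp -d)
printf 'act_pedit 20480 1 - Live 0x0000000000000000\n' > "$demo/modules"
printf 'install act_pedit /bin/false\n' > "$demo/pedit-cow.conf"
mitigation_status "$demo/modules" "$demo"
rm -rf "$demo"
# On a real host: mitigation_status /proc/modules /etc/modprobe.d
```

The check does not cover the initramfs, so it cannot confirm that `update-initramfs` was run after the rule was written.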

Disabling the mitigation

Once kernel updates are available and installed, the mitigation can be removed:

sudo rm /etc/modprobe.d/pedit-cow.conf
sudo update-initramfs -u -k all
