RSS
Jun 26, 2026 3:14:14 PM
CloudLinux OS team
CloudLinux OS team
CloudLinux OS team

pedit COW (CVE-2026-46331): Mitigation and Kernel Update on CloudLinux

On June 17, 2026, researcher Massimiliano Oldani published a working proof-of-concept named packet_edit_meme for a Linux kernel local privilege escalation now tracked as CVE-2026-46331 and nicknamed pedit COW. The flaw is in the kernel's traffic-control (tc) subsystem. Any unprivileged local user on an affected host can use it to gain root in a single command.

pedit COW is a separate, new bug in a different part of the kernel, the traffic-control act_pedit action in net/sched, not the XFRM/ESP path behind Dirty Frag and Fragnesia. The module blacklist you may have applied for those does not cover this vulnerability. The mitigation below targets a different module (act_pedit).

Don't want to schedule another emergency reboot?

pedit COW requires patching and rebooting affected hosts. If emergency kernel reboots are hard to schedule across a fleet, KernelCare is the alternative we recommend. It applies kernel security fixes to a running server with no reboot and no maintenance window. Once the pedit COW livepatch is published, KernelCare-subscribed servers receive it automatically. See Stream 3 below for current status.

The vulnerable code is the act_pedit traffic-control action, which edits packet headers in place. It computes its copy-on-write (COW) range once, before editing, but misses the runtime offset that typed keys add at execution time, so it ends up writing into a page it never made private. This partial COW lets the write reach shared page-cache memory backing a real file, which the kernel believed it had made safe to modify. By controlling the offset, an unprivileged process turns this into a write into the page-cache copy of a file it could otherwise only read. The CAP_NET_ADMIN capability needed to configure the action does not require real privilege: it is obtained inside an unprivileged user + network namespace, which is available to ordinary users by default on the EL family.

The published PoC targets setuid-root /bin/su directly: it overwrites the cached ELF entry point of the binary with shellcode equivalent to setgid(0); setuid(0); execve("/bin/sh"), so the next su invocation runs as root.

Details: public PoC · upstream fix · Red Hat CVE entry · Ubuntu CVE entry · TuxCare analysis

Status as of June 26, 2026, 13:00 UTC

Patched kernels are released for CloudLinux 9 and CloudLinux 10 (stable) and for CloudLinux 7h and CloudLinux 8 (beta, rolling out to stable). For CloudLinux for Ubuntu 22.04 LTS, the fix depends on the Canonical kernel update. KernelCare livepatches are in active build/test as a rebootless route. See Update instructions below for current per-stream status. This article will be updated in place as each stream reaches release.

Affected CloudLinux versions

Version Affected Will be patched via
CloudLinux 7 (CL7) ✅ No
CloudLinux 7h (CL7h) ❌ Yes CloudLinux kernel
CloudLinux 8 (CL8) ❌ Yes CloudLinux kernel
CloudLinux 9 (CL9) ❌ Yes AlmaLinux kernel
CloudLinux 10 (CL10) ❌ Yes AlmaLinux kernel
CloudLinux for Ubuntu 22.04 LTS ❌ Yes Ubuntu kernel update + KernelCare livepatch

A KernelCare livepatch that deploys the fix without a reboot will also be available as an alternative on all affected versions. See Stream 3 below for current status.

 

Apply this mitigation now

Until a patched kernel or KernelCare livepatch is installed, apply one of the two mitigations below. Either one closes the attack; choose the one that fits your workload.

Option A — Block the act_pedit module

If you do not use traffic-control pedit rules (the typical web-hosting server does not), prevent the module from loading and unload it if it is already present:

echo 'install act_pedit /bin/true' | sudo tee /etc/modprobe.d/disable-act_pedit.conf
lsmod | grep -w act_pedit && sudo rmmod act_pedit

To revert after a patched kernel is installed:

sudo rm /etc/modprobe.d/disable-act_pedit.conf

Compatibility: with this rule in place, any traffic-control configuration that uses the pedit action will fail to load. Do not apply it on hosts that rely on tc ... action pedit rules.

Option B — Restrict unprivileged user namespaces

This removes the CAP_NET_ADMIN acquisition path the exploit relies on, without touching the tc subsystem.

On the EL family (CL7h, CL8, CL9, CL10):

sudo sysctl -w user.max_user_namespaces=0
echo 'user.max_user_namespaces = 0' | sudo tee /etc/sysctl.d/99-pedit-cow.conf

On CloudLinux for Ubuntu 22.04:

sudo sysctl -w kernel.unprivileged_userns_clone=0
echo 'kernel.unprivileged_userns_clone = 0' | sudo tee /etc/sysctl.d/99-pedit-cow.conf

Compatibility: unprivileged user namespaces are required by rootless container runtimes and several CI sandboxes. Restricting them is acceptable on hardened or hosting workloads, but disruptive on developer and container hosts. Do not apply this option where those workloads run.

Restore page-cache binaries after mitigation

The exploit modifies a legitimate system binary (the public PoC overwrites /bin/su) in the page cache as part of gaining root, so applying a mitigation alone is not enough on systems that may have been targeted before the mitigation was in place. After mitigating, drop the page cache to force a reload from disk:

sudo sh -c "echo 3 > /proc/sys/vm/drop_caches"

This is containment, not remediation. Dropping the cache evicts a poisoned copy, but if an attacker already reached root, eviction does not remove persistence they established afterward. If you suspect a host was compromised, treat it as compromised and rebuild.

 

Update instructions

There are three release streams, plus a separate path for CloudLinux for Ubuntu 22.04. Use the one that applies to your CloudLinux version. As patches land, this article will be updated in place. Check the timestamps on the callouts in each stream below.

 

Stream 1 — CloudLinux kernel (CL7h, CL8)

Status as of June 26, 2026, 13:00 UTC

Patched CloudLinux kernels for CL7h and CL8 are released to the beta channel and rolling out to stable. Target versions:

  • CL7h: kernel-4.18.0-553.137.1.lve.el7h or newer
  • CL8: kernel-4.18.0-553.137.1.lve.el8 or newer

Both are CloudLinux rebuilds of the upstream fix.

Updating from the CloudLinux beta channel

Because the stable rollout is gradual, use the beta channel if you want to install immediately.

Instructions for updating CL8 from the beta channelcloudlinux-updates-testing:

yum --enablerepo=cloudlinux-updates-testing update 'kernel*'
reboot
uname -r

Instructions for updating CL7h from the beta channelcl7h_beta:

yum --enablerepo=cl7h_beta update 'kernel*'
reboot
uname -r

Updating from the CloudLinux stable channel

Once the kernel reaches the stable channel for your server, a plain update will pull the patched version, no extra repo enablement needed:

yum update 'kernel*'
reboot
uname -r

 

Stream 2 — AlmaLinux kernel (CL9, CL10)

Status as of June 26, 2026, 13:00 UTC

Patched AlmaLinux kernels for CL9 and CL10 are available in the production (stable) repositories. Target versions:

  • CL9 / AlmaLinux 9: kernel-5.14.0-687.17.1.el9_8 or newer
  • CL10 / AlmaLinux 10: kernel-6.12.0-211.26.1.el10_2 or newer

CloudLinux 9 and CloudLinux 10 use the AlmaLinux kernel directly. The patched kernel is already in the production repositories, so a plain update pulls it:

dnf update 'kernel*'
reboot
uname -r

 

Stream 3 — KernelCare livepatch (all affected versions)

Status as of June 26, 2026, 13:00 UTC

KernelCare livepatches for CVE-2026-46331 are in active build and test. Per-distro release status will be appended here as patches roll out to the testing and main feeds.

The KernelCare livepatch for this vulnerability is being prepared. KernelCare ships it to the testing feed first and promotes to the main feed after validation. To deploy from the testing feed once available:

kcarectl --update --prefix test

Once promoted to the main feed, KernelCare-subscribed systems receive the fix automatically through the standard livepatch flow:

kcarectl --update

Not using KernelCare yet? You can roll the fix out across your entire fleet automatically, without reboots. Get started in a few minutes — more information here.

 

CloudLinux for Ubuntu 22.04 LTS

CloudLinux for Ubuntu 22.04 runs the stock Ubuntu kernel; there is no CloudLinux-built kernel for this platform, and the production fix arrives from Canonical via apt. Track its status on the Ubuntu CVE page.

 

How to verify you are patched

After update + reboot:

uname -r

Compare to the target version for your CloudLinux stream above.

For KernelCare:

kcarectl --info | grep kpatch-build-time

A build time on or after the livepatch publish date includes the pedit COW fix. Alternatively, once patch metadata is finalized:

kcarectl --patch-info | grep CVE-2026-46331

 

References

pedit COW (CVE-2026-46331): Mitigation and Kernel Update on CloudLinux

Jun 26, 2026 3:14:14 PM
CloudLinux OS team

On June 17, 2026, researcher Massimiliano Oldani published a working proof-of-concept named packet_edit_meme for a Linux kernel local privilege escalation now tracked as CVE-2026-46331 and nicknamed pedit COW. The flaw is in the kernel's traffic-control (tc) subsystem. Any unprivileged local user on an affected host can use it to gain root in a single command.

pedit COW is a separate, new bug in a different part of the kernel, the traffic-control act_pedit action in net/sched, not the XFRM/ESP path behind Dirty Frag and Fragnesia. The module blacklist you may have applied for those does not cover this vulnerability. The mitigation below targets a different module (act_pedit).

Don't want to schedule another emergency reboot?

pedit COW requires patching and rebooting affected hosts. If emergency kernel reboots are hard to schedule across a fleet, KernelCare is the alternative we recommend. It applies kernel security fixes to a running server with no reboot and no maintenance window. Once the pedit COW livepatch is published, KernelCare-subscribed servers receive it automatically. See Stream 3 below for current status.

The vulnerable code is the act_pedit traffic-control action, which edits packet headers in place. It computes its copy-on-write (COW) range once, before editing, but misses the runtime offset that typed keys add at execution time, so it ends up writing into a page it never made private. This partial COW lets the write reach shared page-cache memory backing a real file, which the kernel believed it had made safe to modify. By controlling the offset, an unprivileged process turns this into a write into the page-cache copy of a file it could otherwise only read. The CAP_NET_ADMIN capability needed to configure the action does not require real privilege: it is obtained inside an unprivileged user + network namespace, which is available to ordinary users by default on the EL family.

The published PoC targets setuid-root /bin/su directly: it overwrites the cached ELF entry point of the binary with shellcode equivalent to setgid(0); setuid(0); execve("/bin/sh"), so the next su invocation runs as root.

Details: public PoC · upstream fix · Red Hat CVE entry · Ubuntu CVE entry · TuxCare analysis

Status as of June 26, 2026, 13:00 UTC

Patched kernels are released for CloudLinux 9 and CloudLinux 10 (stable) and for CloudLinux 7h and CloudLinux 8 (beta, rolling out to stable). For CloudLinux for Ubuntu 22.04 LTS, the fix depends on the Canonical kernel update. KernelCare livepatches are in active build/test as a rebootless route. See Update instructions below for current per-stream status. This article will be updated in place as each stream reaches release.

Affected CloudLinux versions

Version Affected Will be patched via
CloudLinux 7 (CL7) ✅ No
CloudLinux 7h (CL7h) ❌ Yes CloudLinux kernel
CloudLinux 8 (CL8) ❌ Yes CloudLinux kernel
CloudLinux 9 (CL9) ❌ Yes AlmaLinux kernel
CloudLinux 10 (CL10) ❌ Yes AlmaLinux kernel
CloudLinux for Ubuntu 22.04 LTS ❌ Yes Ubuntu kernel update + KernelCare livepatch

A KernelCare livepatch that deploys the fix without a reboot will also be available as an alternative on all affected versions. See Stream 3 below for current status.

 

Apply this mitigation now

Until a patched kernel or KernelCare livepatch is installed, apply one of the two mitigations below. Either one closes the attack; choose the one that fits your workload.

Option A — Block the act_pedit module

If you do not use traffic-control pedit rules (the typical web-hosting server does not), prevent the module from loading and unload it if it is already present:

echo 'install act_pedit /bin/true' | sudo tee /etc/modprobe.d/disable-act_pedit.conf
lsmod | grep -w act_pedit && sudo rmmod act_pedit

To revert after a patched kernel is installed:

sudo rm /etc/modprobe.d/disable-act_pedit.conf

Compatibility: with this rule in place, any traffic-control configuration that uses the pedit action will fail to load. Do not apply it on hosts that rely on tc ... action pedit rules.

Option B — Restrict unprivileged user namespaces

This removes the CAP_NET_ADMIN acquisition path the exploit relies on, without touching the tc subsystem.

On the EL family (CL7h, CL8, CL9, CL10):

sudo sysctl -w user.max_user_namespaces=0
echo 'user.max_user_namespaces = 0' | sudo tee /etc/sysctl.d/99-pedit-cow.conf

On CloudLinux for Ubuntu 22.04:

sudo sysctl -w kernel.unprivileged_userns_clone=0
echo 'kernel.unprivileged_userns_clone = 0' | sudo tee /etc/sysctl.d/99-pedit-cow.conf

Compatibility: unprivileged user namespaces are required by rootless container runtimes and several CI sandboxes. Restricting them is acceptable on hardened or hosting workloads, but disruptive on developer and container hosts. Do not apply this option where those workloads run.

Restore page-cache binaries after mitigation

The exploit modifies a legitimate system binary (the public PoC overwrites /bin/su) in the page cache as part of gaining root, so applying a mitigation alone is not enough on systems that may have been targeted before the mitigation was in place. After mitigating, drop the page cache to force a reload from disk:

sudo sh -c "echo 3 > /proc/sys/vm/drop_caches"

This is containment, not remediation. Dropping the cache evicts a poisoned copy, but if an attacker already reached root, eviction does not remove persistence they established afterward. If you suspect a host was compromised, treat it as compromised and rebuild.

 

Update instructions

There are three release streams, plus a separate path for CloudLinux for Ubuntu 22.04. Use the one that applies to your CloudLinux version. As patches land, this article will be updated in place. Check the timestamps on the callouts in each stream below.

 

Stream 1 — CloudLinux kernel (CL7h, CL8)

Status as of June 26, 2026, 13:00 UTC

Patched CloudLinux kernels for CL7h and CL8 are released to the beta channel and rolling out to stable. Target versions:

  • CL7h: kernel-4.18.0-553.137.1.lve.el7h or newer
  • CL8: kernel-4.18.0-553.137.1.lve.el8 or newer

Both are CloudLinux rebuilds of the upstream fix.

Updating from the CloudLinux beta channel

Because the stable rollout is gradual, use the beta channel if you want to install immediately.

Instructions for updating CL8 from the beta channelcloudlinux-updates-testing:

yum --enablerepo=cloudlinux-updates-testing update 'kernel*'
reboot
uname -r

Instructions for updating CL7h from the beta channelcl7h_beta:

yum --enablerepo=cl7h_beta update 'kernel*'
reboot
uname -r

Updating from the CloudLinux stable channel

Once the kernel reaches the stable channel for your server, a plain update will pull the patched version, no extra repo enablement needed:

yum update 'kernel*'
reboot
uname -r

 

Stream 2 — AlmaLinux kernel (CL9, CL10)

Status as of June 26, 2026, 13:00 UTC

Patched AlmaLinux kernels for CL9 and CL10 are available in the production (stable) repositories. Target versions:

  • CL9 / AlmaLinux 9: kernel-5.14.0-687.17.1.el9_8 or newer
  • CL10 / AlmaLinux 10: kernel-6.12.0-211.26.1.el10_2 or newer

CloudLinux 9 and CloudLinux 10 use the AlmaLinux kernel directly. The patched kernel is already in the production repositories, so a plain update pulls it:

dnf update 'kernel*'
reboot
uname -r

 

Stream 3 — KernelCare livepatch (all affected versions)

Status as of June 26, 2026, 13:00 UTC

KernelCare livepatches for CVE-2026-46331 are in active build and test. Per-distro release status will be appended here as patches roll out to the testing and main feeds.

The KernelCare livepatch for this vulnerability is being prepared. KernelCare ships it to the testing feed first and promotes to the main feed after validation. To deploy from the testing feed once available:

kcarectl --update --prefix test

Once promoted to the main feed, KernelCare-subscribed systems receive the fix automatically through the standard livepatch flow:

kcarectl --update

Not using KernelCare yet? You can roll the fix out across your entire fleet automatically, without reboots. Get started in a few minutes — more information here.

 

CloudLinux for Ubuntu 22.04 LTS

CloudLinux for Ubuntu 22.04 runs the stock Ubuntu kernel; there is no CloudLinux-built kernel for this platform, and the production fix arrives from Canonical via apt. Track its status on the Ubuntu CVE page.

 

How to verify you are patched

After update + reboot:

uname -r

Compare to the target version for your CloudLinux stream above.

For KernelCare:

kcarectl --info | grep kpatch-build-time

A build time on or after the livepatch publish date includes the pedit COW fix. Alternatively, once patch metadata is finalized:

kcarectl --patch-info | grep CVE-2026-46331

 

References
imunify-logo

WEB SERVER SECURITY BLOG

READ MORE ABOUT WEB SERVER SECURITY

Subscribe to CloudLinux Newsletter

aicpa soc
pci-dss
eu gdpr compliant
© All rights reserved. CloudLinux Inc.
Terms of Use | Privacy Policy | Vulnerability Reporting | Legal | Do Not Sell My Personal Data

Call Sales at +1 (800) 231-7307
Email sales@cloudlinux.com