CVE-2026-46331
HIGH 7.8 · PoC AVAILABLE

In the Linux kernel, the following vulnerability has been resolved:

net/sched: fix pedit partial COW leading to page cache corruption

tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account for the runtime header offset added by typed keys. This can leave part of the write region un-COW'd.

Fix by moving skb_ensure_writable() inside the per-key loop where the actual write offset is known, and add overflow checking on the offset arithmetic. For negative offsets (e.g. Ethernet header edits at ingress), use skb_cow() to COW the headroom instead. Guard offset_valid() against INT_MIN, where negation is undefined.
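The gap between a once-computed hint and the real per-key write offset, together with the overflow and INT_MIN guards named in the fix, can be modelled in user space. This is an added example, not code from the kernel or from the patch; the struct, the function names and the 4-byte edit width are assumptions made for the model.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>

/* User-space model only; every name here is hypothetical, not kernel code. */
#define EDIT_WIDTH 4                         /* assumed bytes written per key */
struct model_key { int off; int hdr_off; };  /* key offset, runtime header offset */

/* Bounds check with the INT_MIN guard: negating INT_MIN is undefined in C. */
bool model_offset_valid(int len, int headroom, int offset)
{
    if (offset == INT_MIN)
        return false;
    if (offset > 0 && offset > len)
        return false;
    return !(offset < 0 && -offset > headroom);
}

/* Pre-fix shape: one writable length derived from key offsets alone. */
long long hint_cow_len(const struct model_key *k, size_t n)
{
    long long hint = 0;
    for (size_t i = 0; i < n; i++)
        if ((long long)k[i].off + EDIT_WIDTH > hint)
            hint = (long long)k[i].off + EDIT_WIDTH;
    return hint;
}

/* Post-fix shape: real write end per key; uses the GCC/Clang overflow builtin. */
bool per_key_write_end(const struct model_key *k, int len, int headroom, int *end)
{
    int off;
    if (__builtin_add_overflow(k->hdr_off, k->off, &off))
        return false;                        /* offset arithmetic overflowed */
    if (!model_offset_valid(len, headroom, off))
        return false;
    return !__builtin_add_overflow(off, EDIT_WIDTH, end);
}

/* True when every valid key's write region fits inside the one-time hint. */
bool hint_covers_all(const struct model_key *k, size_t n, int len, int headroom)
{
    long long hint = hint_cow_len(k, n);
    int end;
    for (size_t i = 0; i < n; i++)
        if (per_key_write_end(&k[i], len, headroom, &end) && end > hint)
            return false;
    return true;
}
```

With a constructed key of offset 4 and a runtime header offset of 14, the hint covers 8 bytes while the write ends at byte 22, which is the uncovered region the per-key check closes.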
Public exploit or PoC code exists. Modeled probability is still low, but the barrier to attack is reduced — watch closely.
Exploitation likelihood
0.3% chance of exploitation in 30 days · 17th percentile
Impact if exploited
7.8 CVSS 3.1 · HIGH
- Confidentiality: High
- Integrity: High
- Availability: High
What an attacker needs
- ⚠ Access: Requires local access to the host
- ⚠ Privileges: Requires a low-privilege account
- ✓ User interaction: No user interaction needed
- ✓ Complexity: No special conditions — reliably repeatable
✓ lowers the bar for an attacker · ⚠ raises it
Proof of concept & exploit code
Listed for defensive triage and patch prioritization.
Affected
Products Linux Nvidia For Rhel 10 Red Hat Openshift Container Platform 4.20 Red Hat Openshift Container Platform 4.21 Red Hat Openshift Container Platform 4.22 Red Hat Enterprise Linux Appstream Eus (V. 10.0) Red Hat Enterprise Linux Appstream (V. 10) Red Hat Enterprise Linux Appstream E4s (V.9.2)
Weakness (CWE)
- CWE-787: Out-of-bounds write
- CWE-190: Integer overflow
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
Technical & other
- https://git.kernel.org/stable/c/2bec122b9fb91507a758ab5e3e5c4fbe7cb3f61b
- https://git.kernel.org/stable/c/b198ed4e52580a7238c7c7082f03906f8b310313
- https://git.kernel.org/stable/c/3dee9d0c198faeb95d052c1b94c2958751a28512
- https://git.kernel.org/stable/c/899ee91156e57784090c5565e4f31bd7dbffbc5a
- https://access.redhat.com/security/cve/CVE-2026-46331
- https://bugzilla.redhat.com/show_bug.cgi?id=2479492
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46331.json