← All CVEs

CVE-2026-46331

HIGH 7.8 PoC AVAILABLE

Published 2026-06-16 · Last modified 2026-07-01

In the Linux kernel, the following vulnerability has been resolved: net/sched: fix pedit partial COW leading to page cache corruption tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account for the runtime header offset added by typed keys. This can leave part of the write region un-COW'd. Fix by moving skb_ensure_writable() inside the per-key loop where the actual write offset is known, and add overflow checking on the offset arithmetic. For negative offsets (e.g. Ethernet header edits at ingress), use skb_cow() to COW the headroom instead. Guard offset_valid() against INT_MIN, where negation is undefined.

EXPLOIT AVAILABLE

Public exploit or PoC code exists. Modeled probability is still low, but the barrier to attack is reduced — watch closely.

Exploitation likelihood

0.3%chance of exploitation in 30 days · 17th percentile

○ In CISA KEV ● Public exploit / PoC

Impact if exploited

7.8CVSS 3.1 · HIGH

  • ConfidentialityHigh
  • IntegrityHigh
  • AvailabilityHigh

What an attacker needs

  • Access: Requires local access to the host
  • Privileges: Requires a low-privilege account
  • User interaction: No user interaction needed
  • Complexity: No special conditions — reliably repeatable

✓ lowers the bar for an attacker · ⚠ raises it

Proof of concept & exploit code

Listed for defensive triage and patch prioritization.

Affected

Vendors Linux Red Hat

Products Linux Nvidia For Rhel 10 Red Hat Openshift Container Platform 4.20 Red Hat Openshift Container Platform 4.21 Red Hat Openshift Container Platform 4.22 Red Hat Enterprise Linux Appstream Eus (V. 10.0) Red Hat Enterprise Linux Appstream (V. 10) Red Hat Enterprise Linux Appstream E4s (V.9.2)

Weakness (CWE)

  • CWE-787: Out-of-bounds write
  • CWE-190: Integer overflow

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Sources: NVD · CVE.org · EPSS