CVE-2026-46331

medium

Description

In the Linux kernel, the following vulnerability has been resolved: net/sched: fix pedit partial COW leading to page cache corruption tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account for the runtime header offset added by typed keys. This can leave part of the write region un-COW'd. Fix by moving skb_ensure_writable() inside the per-key loop where the actual write offset is known, and add overflow checking on the offset arithmetic. For negative offsets (e.g. Ethernet header edits at ingress), use skb_cow() to COW the headroom instead. Guard offset_valid() against INT_MIN, where negation is undefined.

References

https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46331.json

https://github.com/sgkdev/packet_edit_meme/tree/main

https://git.kernel.org/stable/c/d5d01d35a5a7d36f7cb679b67d9cbdd5205672dc

https://git.kernel.org/stable/c/b685d6ef6f07a3b5ce814565a25f39f2157538a5

https://git.kernel.org/stable/c/b198ed4e52580a7238c7c7082f03906f8b310313

https://git.kernel.org/stable/c/a071e057518decc5e3bec89855758f5f8786f2c5

https://git.kernel.org/stable/c/899ee91156e57784090c5565e4f31bd7dbffbc5a

https://git.kernel.org/stable/c/544d857b42a1734b923040e13aa61a6fd4746cf2

https://git.kernel.org/stable/c/3dee9d0c198faeb95d052c1b94c2958751a28512

https://git.kernel.org/stable/c/2bec122b9fb91507a758ab5e3e5c4fbe7cb3f61b

https://bugzilla.redhat.com/show_bug.cgi?id=2479492

https://access.redhat.com/security/cve/CVE-2026-46331

https://access.redhat.com/errata/RHSA-2026:33666

https://access.redhat.com/errata/RHSA-2026:33225

https://access.redhat.com/errata/RHSA-2026:33224

https://access.redhat.com/errata/RHSA-2026:33223

https://access.redhat.com/errata/RHSA-2026:33222

https://access.redhat.com/errata/RHSA-2026:33221

https://access.redhat.com/errata/RHSA-2026:33220

https://access.redhat.com/errata/RHSA-2026:33219

https://access.redhat.com/errata/RHSA-2026:29863

https://access.redhat.com/errata/RHSA-2026:29856

https://access.redhat.com/errata/RHSA-2026:29833

https://access.redhat.com/errata/RHSA-2026:29799

https://access.redhat.com/errata/RHSA-2026:29794

https://access.redhat.com/errata/RHSA-2026:29080

https://access.redhat.com/errata/RHSA-2026:28887

https://access.redhat.com/errata/RHSA-2026:27789

https://access.redhat.com/errata/RHSA-2026:27731

https://access.redhat.com/errata/RHSA-2026:27713

https://access.redhat.com/errata/RHSA-2026:27709

https://access.redhat.com/errata/RHSA-2026:27708

https://access.redhat.com/errata/RHSA-2026:27707

https://access.redhat.com/errata/RHSA-2026:27706

https://access.redhat.com/errata/RHSA-2026:27705

https://access.redhat.com/errata/RHSA-2026:27704

https://access.redhat.com/errata/RHSA-2026:27355

https://access.redhat.com/errata/RHSA-2026:27354

https://access.redhat.com/errata/RHSA-2026:27353

https://access.redhat.com/errata/RHSA-2026:27288

Details

Source: Mitre, NVD

Published: 2026-06-16

Updated: 2026-07-04

Named Vulnerability: pedit COW

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

Severity: Medium

CVSS v3

Base Score: 6.7

Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Severity: Medium

EPSS

EPSS: 0.0014

Vulnerability Watch

Tenable Research has classified this CVE under the following Vulnerability Watch classification, which includes active and historical (inactive) classifications. You can learn more about these classifications on our blog.

Vulnerability Being Monitored