CVE-2026-46331

net/sched: fix pedit partial COW leading to page cache corruption

EPSS 0.3%

In the Linux kernel, the following vulnerability has been resolved: net/sched: fix pedit partial COW leading to page cache corruption tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account for the runtime header offset added by typed keys. This can leave part of the write region un-COW'd. Fix by moving skb_ensure_writable() inside the per-key loop where the actual write offset is known, and add overflow checking on the offset arithmetic. For negative offsets (e.g. Ethernet header edits at ingress), use skb_cow() to COW the headroom instead. Guard offset_valid() against INT_MIN, where negation is undefined.

Affected products

Linux · Linux

public PoCs found — 1

githubgithub.com/sgkdev/packet_edit_meme★ 26

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://git.kernel.org/stable/c/2bec122b9fb91507a758ab5e3e5c4fbe7cb3f61b https://git.kernel.org/stable/c/3dee9d0c198faeb95d052c1b94c2958751a28512 https://git.kernel.org/stable/c/899ee91156e57784090c5565e4f31bd7dbffbc5a https://git.kernel.org/stable/c/b198ed4e52580a7238c7c7082f03906f8b310313