CVE-2026-46331 in Linux

Summary

by MITRE • 06/16/2026

In the Linux kernel, the following vulnerability has been resolved:

net/sched: fix pedit partial COW leading to page cache corruption

tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account for the runtime header offset added by typed keys. This can leave part of the write region un-COW'd.

Fix by moving skb_ensure_writable() inside the per-key loop where the actual write offset is known, and add overflow checking on the offset arithmetic. For negative offsets (e.g. Ethernet header edits at ingress), use skb_cow() to COW the headroom instead. Guard offset_valid() against INT_MIN, where negation is undefined.


Analysis

by VulDB Data Team • 06/16/2026

This vulnerability resides in the Linux kernel's traffic control subsystem, in the net/sched directory where packet editing actions are implemented. It affects tcf_pedit_act(), the function that rewrites packet headers for the pedit traffic control action. The flaw is a case of improper memory management that can corrupt pages belonging to the kernel's page cache. When packets pass through traffic control actions, the kernel must make sure packet data can be modified without corrupting memory it does not own; the vulnerability stems from a miscalculation of the range of memory that has to be copied on write before the packet is modified.

The root cause lies in how the copy-on-write range for packet data is computed. tcf_pedit_act() derives the range from tcfp_off_max_hint before it processes the individual keys in its loop, but this pre-computed hint does not account for the header offset that typed keys add at runtime. The mismatch leaves part of the packet data that should have been copied still shared, so applying a modification to that region writes into memory the packet does not own. The flaw sits at the boundary between the packet processing code and the memory management subsystem, creating a path through which packet edits reach memory they should never touch.

The operational impact is significant because the result is page cache corruption inside the kernel's memory management. When packets with header modifications pass through traffic control actions, the corrupted memory can cause system instability, data loss, or privilege escalation opportunities. Attackers could exploit the flaw to cause a denial of service or to gain elevated privileges. Affected systems are those running vulnerable Linux kernel versions that use traffic control, in particular packet editing configured through the tc command or similar mechanisms. This represents a critical security flaw that could be exploited on network-facing systems or on systems that process large volumes of packet data.

The fix restructures the packet modification logic so that the copy-on-write range is computed during key processing rather than ahead of it. By moving the skb_ensure_writable() call inside the per-key loop, the kernel determines the actual write offset of each modification before making the region writable, so every region that is about to be written is copied first. The fix also adds overflow checking on the offset arithmetic, so that an integer overflow cannot produce a wrapped range and a second memory corruption path. For negative offsets, which occur when headers are edited at ingress, the fix uses skb_cow() to copy the headroom instead of treating the write as one into the linear packet data. Finally, offset_valid() is guarded against INT_MIN, whose negation is undefined behaviour in C, in line with established practice for integer overflow protection. Together these changes remove the conditions that allowed page cache corruption.
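The three arithmetic guards described above, as an added user-space model that is not the kernel's code: a struct model_skb standing in for the buffer geometry, a per-key write range computed with overflow checking once the runtime header offset is known, and an offset_valid() model that rejects INT_MIN before negating. The names model_skb, model_offset_valid, model_key_write_range and model_pick_cow are assumptions, and __builtin_add_overflow stands in for the kernel's checked-arithmetic helpers.

```c
#include <limits.h>
#include <stdbool.h>

/* Constructed model of the buffer geometry: linear length and headroom. */
struct model_skb { int len; int headroom; };

enum cow_action { COW_REJECT, COW_HEADROOM, COW_DATA };

/* offset_valid() model with the INT_MIN guard: -INT_MIN is undefined
 * behaviour, so it is rejected before the sign flip. */
bool model_offset_valid(const struct model_skb *skb, int offset)
{
    if (offset == INT_MIN)
        return false;
    if (offset > 0 && offset > skb->len)
        return false;
    if (offset < 0 && -offset > skb->headroom)
        return false;
    return true;
}

/* Per-key write range computed inside the loop, once the runtime header
 * offset (hoffset) of a typed key is known.  __builtin_add_overflow stands
 * in for the kernel's checked-arithmetic helpers (assumption). */
bool model_key_write_range(int hoffset, int key_off, int key_len,
                           int *start, int *end)
{
    if (key_len <= 0)
        return false;
    if (__builtin_add_overflow(hoffset, key_off, start))
        return false;
    if (__builtin_add_overflow(*start, key_len, end))
        return false;
    return true;
}

/* COW decision for one key: a negative start lands in the headroom (e.g. an
 * Ethernet header at ingress) and needs skb_cow(); a non-negative one needs
 * skb_ensure_writable() up to `end`.  Both use the real per-key offset. */
enum cow_action model_pick_cow(const struct model_skb *skb, int hoffset,
                               int key_off, int key_len)
{
    int start, end;
    if (!model_key_write_range(hoffset, key_off, key_len, &start, &end) ||
        !model_offset_valid(skb, start))
        return COW_REJECT;
    if (start >= 0 && end > skb->len)
        return COW_REJECT;
    return start < 0 ? COW_HEADROOM : COW_DATA;
}
```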

This vulnerability demonstrates the importance of careful memory management in kernel code and maps onto several security frameworks. The issue is classified under CWE-129, and it connects to attack-technique frameworks in which memory corruption leads to privilege escalation. The fix follows established kernel practice for preventing copy-on-write related bugs and shows the defensive programming that should be applied to all kernel memory management paths: make the region writable at the point where the write offset is actually known, check the arithmetic for overflow, and reject inputs whose negation is undefined. The result handles packet modifications in the network subsystem robustly while keeping the performance characteristics needed for high-throughput processing.

Responsible

Linux

Reservation

05/13/2026

Disclosure

06/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

medium
