Security researchers have published proof-of-concept code for a new Linux kernel vulnerability that allows local users to gain root access by exploiting the pedit (policy edit) copy-on-write mechanism. The exploit, tracked under a new CVE, affects kernels from version 5.10 through 6.14 and impacts major distributions including Ubuntu, Fedora, and Debian.

How the pedit COW Exploit Works
The vulnerability exists in the Linux kernel’s Traffic Control (tc) subsystem, specifically in how the pedit module handles memory when modifying packet headers. Under certain conditions, the copy-on-write mechanism fails to properly duplicate a memory page, allowing an attacker to overwrite kernel memory that should be read-only.
According to The Hacker News, the exploit works by “poisoning cached binaries” through the pedit module. An attacker with local access can craft a specific sequence of tc filter operations that triggers the COW bug, then redirect kernel memory to execute arbitrary code with root privileges.
The attack requires local access to the system, meaning it is not remotely exploitable. However, in shared hosting environments, container escapes, or multi-user Linux servers, this is a serious privilege escalation vector.
Affected Distributions and Kernel Versions
The vulnerability affects Linux kernel versions 5.10 through 6.14. The following distributions are confirmed vulnerable:
- Ubuntu: 22.04 LTS, 24.04 LTS, and all interim releases through 26.04
- Fedora: 39, 40, 41, and 42
- Debian: 12 (Bookworm) and testing (Trixie)
- RHEL/CentOS: 9.x and derivatives (AlmaLinux, Rocky Linux)
- Arch Linux: All recent rolling releases
Red Hat has assigned a CVSS score of 7.8 (High) to this vulnerability, reflecting a local-only attack vector combined with complete compromise of system integrity once exploited.
Patch Availability
Kernel patches are now available from the upstream Linux kernel maintainers. Ubuntu released emergency kernel updates for all supported LTS releases on June 26, 2026. Fedora pushed updates to stable repositories on the same day. Debian security teams have issued patches for Bookworm and are preparing fixes for Trixie.
For distributions that have not yet pushed patches, the recommended mitigation is to disable the tc pedit module entirely using: sudo modprobe -r cls_pedit. This will break any network policies that rely on pedit, but eliminates the attack surface until a patch is available.
DirtyClone: A Related Vulnerability
The pedit COW exploit is not the only recent Linux kernel privilege escalation making headlines. Security researchers also disclosed “DirtyClone,” a separate vulnerability that allows attackers to gain root access through cloned network packets. DirtyClone affects a different part of the kernel’s networking stack but follows a similar pattern of memory handling failures in the packet processing pipeline.
Both vulnerabilities underscore the complexity of the Linux kernel’s networking subsystem and the ongoing challenge of securing memory management in kernel space.
What System Administrators Should Do
System administrators running Linux servers should prioritize updating to the latest patched kernel immediately. For organizations that cannot update immediately, the following steps reduce exposure:
- Disable the cls_pedit kernel module: sudo modprobe -r cls_pedit
- Audit existing tc filter rules that use pedit: tc filter show
- Review user access controls to limit which users can run tc commands
- Monitor logs for unusual tc filter activity
Cloud providers including AWS, Google Cloud, and Azure have begun rolling out patched kernels to their managed instances. If you are running self-managed Linux VMs in the cloud, check with your provider’s status page for update availability.
FAQ
How do I check if my Linux kernel is vulnerable?
Run uname -r to check your kernel version. Any kernel between 5.10 and 6.14 is potentially affected. Check your distribution’s security advisories for the specific patch version that addresses this CVE.
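The version check above and the module and tc filter audit steps under "What System Administrators Should Do", combined into one triage script. This is an added example, not code from the article or any vendor; the function names are hypothetical, and it matches any module ending in _pedit because mainline kernels build the pedit action as act_pedit while this article names cls_pedit.

```shell
#!/bin/sh
# Added example, not from the article: defensive triage for the pedit issue.
# Function names and any sample input used to test them are constructed.

# Exit 0 if a `uname -r` string is within the article's affected range
# (5.10 through 6.14), 1 if outside, 2 if unparseable. In range only means
# "check the advisory": distributions backport fixes within a major.minor.
kernel_in_range() {
    case "$1" in [0-9]*.[0-9]*) ;; *) return 2 ;; esac
    kir_major=${1%%.*}
    kir_minor=${1#*.}; kir_minor=${kir_minor%%[!0-9]*}
    case "$kir_major:$kir_minor" in *[!0-9:]*|:*|*:) return 2 ;; esac
    case "$kir_major" in
        5) [ "$kir_minor" -ge 10 ] ;;
        6) [ "$kir_minor" -le 14 ] ;;
        *) return 1 ;;
    esac
}

# Print loaded module names ending in "_pedit" from a /proc/modules-format
# file ("-" reads stdin). The article names cls_pedit; mainline kernels build
# the pedit action as act_pedit, so match the suffix, not one literal name.
loaded_pedit_modules() {
    awk '$1 ~ /_pedit$/ { print $1 }' "${1:-/proc/modules}" 2>/dev/null
}

# Count pedit actions in `tc filter show dev <if> <hook>` output on stdin.
count_pedit_actions() {
    grep -c 'pedit *action' || true
}

# Report on the running host; tolerates a missing tc or /proc/modules.
triage_host() {
    th_rel=$(uname -r)
    if kernel_in_range "$th_rel"; then
        echo "kernel $th_rel: in 5.10-6.14 range, confirm the patched build"
    fi
    th_mods=$(loaded_pedit_modules) || true
    [ -z "$th_mods" ] || echo "pedit module loaded:" $th_mods
    for th_dev in /sys/class/net/*; do
        for th_hook in root ingress egress; do
            th_n=$(tc filter show dev "${th_dev##*/}" "$th_hook" 2>/dev/null |
                count_pedit_actions)
            [ "$th_n" -eq 0 ] || echo "${th_dev##*/} $th_hook: $th_n pedit action(s)"
        done
    done
}

triage_host
```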
Can this exploit be used remotely?
No, the pedit COW exploit requires local access to the system. An attacker must already have a user account on the target machine. However, in shared hosting or container environments, this allows a low-privileged user to escalate to root.
Does this affect Docker containers?
If the host kernel is vulnerable, containers that have access to the tc subsystem (those running with --privileged or with NET_ADMIN capability) could potentially exploit this vulnerability to break out of the container.
How long has this vulnerability existed?
The vulnerable code was introduced in Linux kernel 5.10 when the pedit module was refactored to support additional packet manipulation features. The bug existed for approximately four years before being discovered and reported to the kernel security team.
