Security News New Linux pedit COW Exploit Enables Root Access by Poisoning Cached Binaries

Captain Awesome

A flaw in the Linux kernel's traffic-control subsystem can let a local unprivileged user gain root on affected systems.

CVE-2026-46331, nicknamed "pedit COW," is an out-of-bounds write in the packet-editing action (act_pedit) that corrupts shared page-cache memory. A public, working exploit appeared within a day of the CVE assignment on June 16. Red Hat rates the flaw as important.

The exploit never touches the file on disk. It poisons the cached copy of a setuid root binary (/bin/su) in memory, injects a small payload, and runs that altered image as root. File-integrity checks come back clean while a root shell is already open.

The exploit needs two things: act_pedit being loadable and unprivileged user namespaces being open, giving the attacker a namespace-local networking capability (CAP_NET_ADMIN) needed to trigger the bug.
 
To protect your systems from this vulnerability, implement the following security measures immediately:

1. Apply Official Kernel Patches
The most effective and permanent solution is to update your Linux kernel to a patched version and reboot the system.
  • Debian: Update systems running Debian 13 (trixie), where fixes have already been deployed. Keep a close eye on security channels for Debian 11 and 12 updates.
  • Ubuntu / Red Hat: Check your respective package managers (apt or dnf) for the latest kernel security updates addressing CVE-2026-46331 for RHEL 8/9/10 and Ubuntu 18.04 through 26.04.
  • Priority: Prioritize multi-tenant environments, CI/CD runners, Kubernetes nodes, and shared build or research servers where untrusted users have local access.

2. Disable the Affected Kernel Module
If you cannot immediately reboot or patch the system, you can break the exploit chain by blocking the vulnerable act_pedit traffic-control module from loading.
 
Doesn't seem to affect Fedora KDE? Doesn't seem to have this act_pedit.
If you checked your active modules via lsmod and did not see act_pedit, your Fedora KDE system could still be vulnerable.
You can verify if the module is built into your system by checking your kernel configuration file directly rather than looking at active modules. Run this command:
grep CONFIG_NET_ACT_PEDIT /boot/config-$(uname -r)
If it returns =m: Your system is vulnerable. The module is sitting on your disk ready to be silently auto-loaded by an exploit script.
If it returns # CONFIG_NET_ACT_PEDIT is not set: Your system is safe. The code literally does not exist in your kernel.
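
The checks discussed in this thread (kernel config state, blocking the module load, and unprivileged user namespaces) combined into one script, as an added example that is not code from any poster. The function names and verdict strings are made up for illustration, and the `install act_pedit /bin/false` override it looks for is the standard modprobe.d way to block a module load, not a command quoted from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify the two exploit preconditions.
# File locations are parameters so the checks also run on constructed files.
# A verdict here never proves the running kernel carries the fix.

# pedit_config_state FILE -> builtin | module | absent | unknown
pedit_config_state() {
    [ -r "$1" ] || { echo unknown; return; }
    case "$(grep -E '^CONFIG_NET_ACT_PEDIT=' "$1" | tail -n 1)" in
        *=y) echo builtin ;;
        *=m) echo module ;;
        *)   echo absent ;;
    esac
}

# pedit_blocked DIR -> success if an "install" override stops the module load.
# "blacklist" alone is not counted: it does not stop a load by module name.
pedit_blocked() {
    grep -Eqs '^[[:space:]]*install[[:space:]]+act_pedit[[:space:]]+(/usr)?/bin/(false|true)' "$1"/*.conf
}

# userns_open PROCSYS -> success if unprivileged user namespaces look available.
# unprivileged_userns_clone only exists on Debian/Ubuntu kernels; absent = open.
userns_open() {
    max=$(cat "$1/user/max_user_namespaces" 2>/dev/null || echo 1)
    clone=$(cat "$1/kernel/unprivileged_userns_clone" 2>/dev/null || echo 1)
    [ "$max" -gt 0 ] && [ "$clone" -ne 0 ]
}

# pedit_exposure CONFIG MODPROBE_DIR PROCSYS -> one-line verdict
pedit_exposure() {
    state=$(pedit_config_state "$1")
    case "$state" in
        absent)  echo "not-exposed: act_pedit not built"; return ;;
        unknown) echo "unknown: cannot read kernel config"; return ;;
    esac
    if [ "$state" = module ] && pedit_blocked "$2"; then
        echo "mitigated: act_pedit load blocked"; return
    fi
    if ! userns_open "$3"; then
        echo "reduced: unprivileged user namespaces closed"; return
    fi
    echo "check-patch: act_pedit $state, userns open; confirm kernel update"
}

# Live check on this host.
pedit_exposure "/boot/config-$(uname -r)" /etc/modprobe.d /proc/sys
```

An install override does not unload a module that is already loaded, so pair the "mitigated" verdict with an lsmod check. A built-in (=y) act_pedit cannot be blocked through modprobe.d at all, which is why the script skips that test for it.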
 
This may be a dumb question but I will ask anyway. I have been dual booting Linux Mint 22.2 with Windows 11. When I read about this Linux flaw I ran the grep command in Mint mentioned above, many thanks to @Captain Awesome for posting it. I got the =m result. After that I went into Firefox and Chrome in Mint and signed out of all websites and deleted my browsing history from both browsers and deleted Chrome from Mint. Then I deleted my Mint partition and used the Windows terminal with Admin command prompt to delete grub. My question is, does this Linux flaw affect Windows too? A quick scan with Windows Security did not find any problems. Thanks for any info on this.

C.H.
 
Doesn't seem to affect Fedora KDE? Doesn't seem to have this act_pedit.
and (fwiw) ChatGPT tells me this was an issue related to kernel 7.0.9 and RH / Fedora fixed it ages ago -- that is, my notes show I was running the 7.0.9 kernel on 31 May but have been updating Fedora Kinoite once or twice a week and am now running 7.0.13. Plus ChatGPT says this is less of a concern for me given x y z... good info to know but panic not necessary. (disclaimer: ChatGPT can make mistakes, and I am just a user, not an expert)
 
No question is ever dumb when it comes to security.
No, this Linux flaw does not affect Windows 11.
Because you deleted the Linux partition and the GRUB bootloader, any potential risk from that Linux environment is completely gone. Windows operates on an entirely different architecture and is unaffected by this specific vulnerability.
 
Thanks for the info. I was pretty sure Windows would be safe from any problems in Linux but you can't be too careful nowadays with security. I have always had an on-again, off-again relationship with Linux anyway, and security and the lack of any kind of antivirus or antimalware was my biggest concern with it. I never had any trouble with Mint itself but am not so sure I will use it again. Thanks for your help on this.

C.H.