
CVE-2026-46331: pedit COW

Max room.

Exploit pedit COW, a copy-on-write flaw in the Linux kernel's packet-editing action.

easy

30 min

13


Local privilege escalation on Linux usually means finding a memory-corruption bug in a driver, defeating kernel address randomisation, and hoping the target kernel matches your offsets. CVE-2026-46331, nicknamed pedit COW, sidesteps most of that. An unprivileged user with no special group membership overwrites the in-memory copy of a setuid-root binary and receives a root shell, and the file on disk is never touched.

The flaw sits in the kernel's traffic-control subsystem, in the packet-editing action known as act_pedit. A single stale bounds check lets a crafted packet-editing rule write past its private working copy and into a shared page-cache page. When that page holds the cached image of a setuid binary, such as /usr/bin/su, the binary's behaviour changes for every process that runs it, while file-integrity monitoring that hashes the on-disk copy reports nothing wrong.

pedit COW belongs to a family of Linux kernel bugs that all share one shape, where a fast path writes into a page it does not exclusively own and the page cache takes the corruption. Dirty Pipe first demonstrated the pattern, and the Copy Fail and Dirty Frag rooms repeated it in other subsystems. What is new in pedit COW is the entry point. Configuring a traffic-control action normally requires the CAP_NET_ADMIN capability, which an ordinary user does not hold. Unprivileged user namespaces hand that capability to any local user inside a namespace of their own, which is all the exploit needs.

The culprit commit landed in kernel v5.18, so every distribution shipping a kernel between v5.18 and the v7.1-rc7 fix is affected unless it has been patched or hardened. Red Hat rates the flaw as important, and a working, public exploit appeared within a day of the CVE being assigned.
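
The two preconditions the text names, a kernel in the affected range and unprivileged user namespaces switched on, are the ones a defender can check from a shell. The script below is an added example for this room, not code from the room or the kernel project; it assumes the v5.18 to v7.1-rc7 window quoted above, that distro backports cannot be detected from the version string alone, and that kernel.unprivileged_userns_clone (Debian/Ubuntu) and kernel.apparmor_restrict_unprivileged_userns (Ubuntu 23.10+) are the relevant hardening sysctls where they exist.

```python
"""Exposure check for pedit COW-style bugs: kernel version window plus userns availability."""
import re
from pathlib import Path

AFFECTED_SINCE = (5, 18)        # flaw introduced in v5.18 (from the room text)
FIX_SERIES, FIX_RC = (7, 1), 7  # fix landed in v7.1-rc7 (from the room text)

def parse_release(release):
    """Return (major, minor, rc) from a `uname -r` string; rc is None for a final release."""
    m = re.match(r"(\d+)\.(\d+)(?:\.\d+)?(?:-rc(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    rc = int(m.group(3)) if m.group(3) else None
    return int(m.group(1)), int(m.group(2)), rc

def kernel_in_affected_range(release):
    """True when the upstream version falls in [v5.18, v7.1-rc7).
    Assumption: a distro kernel that backported the fix still reports an 'affected' version."""
    major, minor, rc = parse_release(release)
    series = (major, minor)
    if series < AFFECTED_SINCE or series > FIX_SERIES:
        return False
    if series < FIX_SERIES:
        return True
    return rc is not None and rc < FIX_RC  # v7.1-rc1..rc6 still carry the bug

def unprivileged_userns_enabled(max_user_ns, unpriv_clone=None, apparmor_restrict=None):
    """Evaluate raw sysctl contents. max_user_ns: user.max_user_namespaces (0 disables).
    unpriv_clone: kernel.unprivileged_userns_clone (0 disables; None = sysctl absent).
    apparmor_restrict: kernel.apparmor_restrict_unprivileged_userns (1 restricts; None = absent).
    Assumption: no AppArmor profile grants userns to the unprivileged shell."""
    if int(max_user_ns.strip()) == 0:
        return False
    if unpriv_clone is not None and int(unpriv_clone.strip()) == 0:
        return False
    if apparmor_restrict is not None and int(apparmor_restrict.strip()) == 1:
        return False
    return True

def read_sysctl(path):
    p = Path(path)
    return p.read_text() if p.exists() else None

if __name__ == "__main__":
    release = Path("/proc/sys/kernel/osrelease").read_text().strip()
    userns = unprivileged_userns_enabled(
        read_sysctl("/proc/sys/user/max_user_namespaces") or "1",
        read_sysctl("/proc/sys/kernel/unprivileged_userns_clone"),
        read_sysctl("/proc/sys/kernel/apparmor_restrict_unprivileged_userns"))
    print(f"kernel {release}: in affected window = {kernel_in_affected_range(release)}")
    print(f"unprivileged user namespaces reachable = {userns}")
```

Both answers must be "True" for the entry point described above to be open; a "False" on the version check does not prove the fix is present on a distro kernel, so confirm against the vendor advisory.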

Learning Objectives

By the end of this room, you will be able to:

  • Explain how the traffic-control subsystem uses queueing disciplines, filters, and actions to process packets.
  • Describe how the act_pedit copy-on-write flaw writes into the page cache and why the on-disk file stays intact.
  • Understand how unprivileged user namespaces supply the CAP_NET_ADMIN capability the exploit relies on.
  • Build the page-cache write primitive and confirm it overwrites a read-only file.
  • Escalate from an unprivileged shell to root by poisoning a cached setuid binary.
  • Recognise why file-integrity monitoring misses this attack and which controls actually stop it.

Prerequisites

Working through this room is easier with a basic understanding of the Linux command line, file permissions and the setuid bit, and the general idea of how TCP carries data across a network. No prior kernel-exploitation experience is assumed.

Deploying the machine

Start the machine with the Start Lab Machine button below and allow a minute or two for it to boot.

Set up your virtual environment

To successfully complete this room, you'll need to set up your virtual environment. This involves starting the Target Machine, ensuring you're equipped with the necessary tools and access to tackle the challenges ahead.

Once it has booted, the room opens a split-view terminal in your browser that is already logged in as the unprivileged user karen, so no manual connection is needed to follow along. If you would rather work from your own terminal over SSH, the credentials are given at the start of Task 4. Running id confirms the context you land in.

karen@pedit-cow:~$ id
uid=1001(karen) gid=1001(karen) groups=1001(karen)

The karen account holds no privileged group membership and cannot read root-owned files. The objective is to read the flag stored at /root/flag.txt, which karen cannot access as things stand.

Answer the questions below

I have successfully started my machine.