CVE-2026-46331
Received Received - Intake
Linux Kernel Memory Corruption in Traffic Control

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net/sched: fix pedit partial COW leading to page cache corruption tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account for the runtime header offset added by typed keys. This can leave part of the write region un-COW'd. Fix by moving skb_ensure_writable() inside the per-key loop where the actual write offset is known, and add overflow checking on the offset arithmetic. For negative offsets (e.g. Ethernet header edits at ingress), use skb_cow() to COW the headroom instead. Guard offset_valid() against INT_MIN, where negation is undefined.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-16
Last Modified
2026-06-16
Generated
2026-06-16
AI Q&A
2026-06-16
EPSS Evaluated
N/A
NVD
CVE-2026-46331
EUVD
EUVD-2026-37039
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's network scheduler, specifically in the pedit action code. The function tcf_pedit_act() calculates the copy-on-write (COW) range incorrectly because it uses a hint that does not consider runtime header offsets added by typed keys. As a result, part of the memory region that should be copied before writing remains un-copied, leading to potential page cache corruption.

The fix involves moving the writable memory check inside the loop where the exact write offset is known, adding overflow checks on offset calculations, and handling negative offsets properly by copying the headroom instead. This prevents partial COW and thus avoids corruption.

Impact Analysis

This vulnerability can lead to page cache corruption in the Linux kernel's network packet editing functionality. Such corruption could cause data integrity issues, unexpected behavior in network packet processing, or system instability. It may affect systems that rely on the Linux kernel's network scheduler and packet editing features.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46331. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart