CVE-2026-46331
Undergoing Analysis Undergoing Analysis - In Progress

Linux Kernel Memory Corruption in Traffic Control

Vulnerability report for CVE-2026-46331, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-16

Last updated on: 2026-07-04

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: net/sched: fix pedit partial COW leading to page cache corruption tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account for the runtime header offset added by typed keys. This can leave part of the write region un-COW'd. Fix by moving skb_ensure_writable() inside the per-key loop where the actual write offset is known, and add overflow checking on the offset arithmetic. For negative offsets (e.g. Ethernet header edits at ingress), use skb_cow() to COW the headroom instead. Guard offset_valid() against INT_MIN, where negation is undefined.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-16
Last Modified
2026-07-04
Generated
2026-07-06
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's network scheduler, specifically in the pedit action code. The function tcf_pedit_act() calculates the copy-on-write (COW) range incorrectly because it uses a hint that does not consider runtime header offsets added by typed keys. As a result, part of the memory region that should be copied before writing remains un-copied, leading to potential page cache corruption.

The fix involves moving the writable memory check inside the loop where the exact write offset is known, adding overflow checks on offset calculations, and handling negative offsets properly by copying the headroom instead. This prevents partial COW and thus avoids corruption.

Impact Analysis

This vulnerability can lead to page cache corruption in the Linux kernel's network packet editing functionality. Such corruption could cause data integrity issues, unexpected behavior in network packet processing, or system instability. It may affect systems that rely on the Linux kernel's network scheduler and packet editing features.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46331. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart