In the Linux kernel, the following vulnerability has been resolved: net/sched: fix pedit partial COW leading to page cache corruption tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account for the runtime header offset added by typed keys. This can leave part of the write region un-COW'd. Fix by moving skb_ensure_writable() inside the per-key loop where the actual write offset is known, and add overflow checking on the offset arithmetic. For negative offsets (e.g. Ethernet header edits at ingress), use skb_cow() to COW the headroom instead. Guard offset_valid() against INT_MIN, where negation is undefined.
| Version | Base score | Base severity | Vector |
|---|---|---|---|
| 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CAPEC ID | Description |
|---|
| Event | Date |
|---|
| Version | Base score | Base severity | Vector |
|---|
| CAPEC ID | Description |
|---|
| Event | Date |
|---|
| Hyperlink | Resource |
|---|---|
| https://github.com/sgkdev/packet_edit_meme/tree/main | exploit |
A flaw was found in the Linux kernel's traffic control packet editing (pedit) subsystem. In tcf_pedit_act(), the copy-on-write (COW) range for skb_ensure_writable() is computed once before iterating over edit keys, but the calculation does not account for runtime header offsets added by typed keys. This can leave part of the target write region without a proper copy-on-write, leading to an out-of-bounds write that corrupts page cache memory. A local attacker with the ability to configure traffic control rules could exploit this to escalate privileges or crash the system.
| Version | Base score | Base severity | Vector |
|---|---|---|---|
| 3.1 | 6.7 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| CAPEC ID | Description |
|---|
RHSA-2026:27709: NVIDIA for RHEL 10
RHSA-2026:33666: NVIDIA for RHEL 10
RHSA-2026:28887: Red Hat OpenShift Container Platform 4.14
RHSA-2026:29080: Red Hat OpenShift Container Platform 4.16
RHSA-2026:29856: Red Hat OpenShift Container Platform 4.18
RHSA-2026:29863: Red Hat OpenShift Container Platform 4.19
RHSA-2026:29799: Red Hat OpenShift Container Platform 4.20
RHSA-2026:29833: Red Hat OpenShift Container Platform 4.21
RHSA-2026:29794: Red Hat OpenShift Container Platform 4.22
RHSA-2026:27731: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)
RHSA-2026:27288: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)
RHSA-2026:27705: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)
RHSA-2026:27713: Red Hat Enterprise Linux AppStream E4S (v.9.4), Red Hat Enterprise Linux BaseOS E4S (v.9.4), Red Hat Enterprise Linux Real Time E4S (v.9.4), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)
RHSA-2026:27708: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)
RHSA-2026:27789: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)
RHSA-2026:33225: Red Hat Enterprise Linux BaseOS (v. 10)
RHSA-2026:27353: Red Hat Enterprise Linux BaseOS (v. 8), Red Hat Enterprise Linux CRB (v. 8)
RHSA-2026:33220: Red Hat Enterprise Linux BaseOS (v. 8)
RHSA-2026:27707: Red Hat Enterprise Linux BaseOS AUS (v.8.4), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)
RHSA-2026:27704: Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)
RHSA-2026:27355: Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS TUS (v.8.8)
RHSA-2026:33219: Red Hat Enterprise Linux BaseOS E4S (v.8.8)
RHSA-2026:33221: Red Hat Enterprise Linux BaseOS E4S (v.9.2)
RHSA-2026:33222: Red Hat Enterprise Linux BaseOS E4S (v.9.4)
RHSA-2026:33223: Red Hat Enterprise Linux BaseOS EUS (v.9.6)
RHSA-2026:33224: Red Hat Enterprise Linux BaseOS (v. 9)
RHSA-2026:27354: Red Hat Enterprise Linux NFV (v. 8), Red Hat Enterprise Linux RT (v. 8)
RHSA-2026:27706: Red Hat Enterprise Linux Real Time E4S (v.9.2), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)
See the security bulletin for a detailed mitigation procedure.
| Event | Date |
|---|---|
| Reported to Red Hat. | 2026-05-18 06:17:23 |
| Made public. | 2026-05-18 04:04:00 |