2026-06-26

Linux pedit COW (CVE-2026-46331): patch and hardening checklist

On June 26, 2026, security researchers publicly reported CVE-2026-46331 (pedit COW), a local privilege escalation issue in the Linux kernel's net/sched act_pedit code.

Reported details indicate affected kernel versions from v5.18 through v7.1-rc6, with a fix in v7.1-rc7. The public exploit write-up describes a path from unprivileged local access to root on systems where unprivileged user namespaces are available.

What to verify now

  1. Kernel version on every Linux host
    • uname -r
    • Compare against your vendor advisory and patch baseline.
  2. User namespace policy
    • Check whether unprivileged user namespace creation is allowed.
    • On Ubuntu, review:
      • kernel.apparmor_restrict_unprivileged_userns
      • kernel.apparmor_restrict_unprivileged_unconfined
  3. Patch and reboot status
    • Confirm patched kernel packages are installed.
    • Confirm hosts are rebooted into the patched kernel.
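
The three checks above as one read-only per-host report (an added example, not code from the original post or from any vendor). The version test reflects only the upstream range the post reports, so a distribution kernel inside it may already carry a backported fix; `user.max_user_namespaces` and the Debian/Ubuntu `/var/run/reboot-required` flag file are assumptions added here, not items named in the post.

```shell
#!/bin/sh
# Status 0: upstream version is inside the range the post reports
# (v5.18 through v7.1-rc6); 1: outside it; 2: could not be parsed.
in_reported_range() {
    rel=$1
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%[!0-9]*}
    case $major in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    case $rel in
        *-rc[0-9]*) rc=${rel##*-rc}; rc=${rc%%[!0-9]*} ;;
        *) rc= ;;
    esac
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 18 ]; }; then return 1; fi
    if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -gt 1 ]; }; then return 1; fi
    if [ "$major" -eq 7 ] && [ "$minor" -eq 1 ]; then
        # 7.1 series: only release candidates up to rc6 are in the range.
        if [ -n "$rc" ] && [ "$rc" -le 6 ]; then return 0; fi
        return 1
    fi
    return 0
}

# Print a sysctl value straight from /proc/sys, or "absent" if the key is missing.
read_sysctl() {
    path=/proc/sys/$(printf '%s' "$1" | tr . /)
    if [ -r "$path" ]; then cat "$path"; else echo absent; fi
}

report_host() {
    running=$(uname -r 2>/dev/null || echo unknown)
    st=0; in_reported_range "$running" || st=$?
    case $st in
        0) verdict="inside reported range: confirm the fix in your vendor advisory" ;;
        1) verdict="outside reported upstream range" ;;
        *) verdict="version not parsed: check manually" ;;
    esac
    echo "kernel: $running ($verdict)"
    # First two keys are the Ubuntu ones from the post; the third is an added
    # assumption (upstream limit; 0 disables user namespace creation).
    for key in kernel.apparmor_restrict_unprivileged_userns \
               kernel.apparmor_restrict_unprivileged_unconfined \
               user.max_user_namespaces; do
        echo "$key = $(read_sysctl "$key")"
    done
    # Debian/Ubuntu flag file (assumption: not mentioned in the post).
    if [ -e /var/run/reboot-required ]; then echo "reboot: pending"; fi
}

report_host
```
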

24-hour response plan

  1. Triage systems by business criticality and patch window.
  2. Patch internet-facing and shared multi-user Linux systems first.
  3. Restrict unprivileged user namespaces where operationally feasible.
  4. Review logs for unusual namespace creation and aa-exec activity.
  5. Document compensating controls for systems that cannot patch immediately.
