New Linux Kernel Exploit Grants Root Access via pedit COW Vulnerability

A recently disclosed vulnerability in the Linux kernel combines a Copy-on-Write (COW) page-cache corruption flaw with the ‘net/sched’ subsystem’s ‘act_pedit’ component, enabling unprivileged local attackers to escalate their privileges to full root access on several major Linux distributions.

The exploit, known as ‘packet_edit_meme,’ has been verified as of June 2026 against actively maintained enterprise and consumer kernels. The underlying issue is a partial-COW page-cache corruption bug introduced in kernel commit ‘899ee91156e5,’ affecting Linux kernel versions from v5.18 through v7.1-rc6. This flaw has been addressed in v7.1-rc7. The vulnerability resides in ‘act_pedit,’ the packet-editing action of the ‘net/sched’ subsystem within the Linux traffic control (tc) framework.

The attack sequence involves creating a user namespace child process with ‘CAP_NET_ADMIN’ capabilities—a permission accessible by unprivileged users on systems where unprivileged user namespaces are enabled by default. The exploit then utilizes the COW corruption primitive to overwrite the page-cached ELF entry point of the setuid-root binary ‘/bin/su,’ injecting shellcode that executes ‘setgid(0)’ + ‘setuid(0)’ + ‘execve(“/bin/sh”)’—effectively granting the attacker a root shell.

This vulnerability is the fourth recent privilege escalation issue disclosed in Linux systems. Previous vulnerabilities include:

  • Copy Fail (CVE-2026-31431): Disclosed on April 30, 2026, affecting the ‘algif_aead’ (AF_ALG crypto) subsystem, allowing a 4-byte page-cache write without requiring root access.
  • DirtyFrag (CVE-2026-43284 / CVE-2026-43500): Disclosed on May 8, 2026, impacting the IPsec ESP (xfrm) and RxRPC subsystems, providing a full write primitive through a chained exploit without root access.
  • Fragnesia (CVE-2026-46300): Disclosed on May 14, 2026, targeting the XFRM ESP-in-TCP subsystem, enabling arbitrary byte write without root access.

Testing has confirmed successful exploitation on multiple widely used distributions:

  Distribution          Kernel              Flag       Result
  RHEL 10.0             6.12.0-228.el10     None       ROOT
  Debian 13 (Trixie)    6.12.90+deb13.1     None       ROOT
  Ubuntu 24.04.4        6.17.0-22           --ubuntu   ROOT
  Ubuntu 26.04          7.0.0-14-generic    --ubuntu   FAIL

RHEL and Debian are immediately vulnerable without any flags, as both distributions enable unprivileged user namespaces by default. Notably, RHEL lacks the ‘cls_basic’ and ‘em_meta’ modules, but the exploit automatically falls back to ‘matchall’ to achieve the same corruption primitive.

Ubuntu enforces two sysctls that restrict unprivileged user namespace creation:

  • ‘kernel.apparmor_restrict_unprivileged_userns’—blocks unconfined user namespace creation.
  • ‘kernel.apparmor_restrict_unprivileged_unconfined’—prevents ‘aa-exec’ permissive profiles from bypassing the restriction.

The ‘--ubuntu’ flag re-executes the exploit via ‘aa-exec’ under a permissive profile such as ‘trinity,’ ‘chrome,’ or ‘flatpak,’ each of which includes a ‘userns’ rule, thereby bypassing the AppArmor restriction. This bypass works on Ubuntu 24.04.4 (‘unconfined=0’) but is blocked on Ubuntu 26.04 (‘unconfined=1’), which has tightened the restriction to close this re-execution path entirely.

Red Hat has issued an official security bulletin advising administrators to apply kernel patches immediately, restrict unprivileged user namespace creation via sysctl where operationally feasible, and monitor for unexpected ‘aa-exec’ invocations or namespace creations.
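The following audit helper is an added example, not code from the article or from the exploit's authors. It reads the sysctls discussed above and reports whether an unprivileged user on the host can still create user namespaces, and whether the ‘aa-exec’ re-execution path is open. It assumes ‘unconfined=0/1’ in the article refers to ‘kernel.apparmor_restrict_unprivileged_unconfined’, and it also consults ‘user.max_user_namespaces’ and Debian's ‘kernel.unprivileged_userns_clone’, two standard knobs the article does not name.

```shell
#!/bin/sh
# Added audit helper (assumption: the AppArmor sysctls map to the
# 'unconfined=0/1' states described in the article).

# Print the value of a sysctl from /proc/sys, or "-" when the knob
# does not exist on this kernel (e.g. no AppArmor on RHEL).
read_knob() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; else printf '%s' "-"; fi
}

# classify_userns MAX_USER_NS UNPRIV_CLONE AA_RESTRICT_USERNS AA_RESTRICT_UNCONFINED
# Each argument is a sysctl value, or "-" if that sysctl is absent.
# Prints one of: BLOCKED, BLOCKED_APPARMOR, BYPASSABLE_AAEXEC, OPEN
classify_userns() {
    max_ns=$1; unpriv_clone=$2; aa_userns=$3; aa_unconfined=$4
    if [ "$max_ns" = "0" ]; then
        # user.max_user_namespaces=0 disables userns creation for all users.
        echo BLOCKED
    elif [ "$unpriv_clone" = "0" ]; then
        # Debian's kernel.unprivileged_userns_clone=0 denies unprivileged creation.
        echo BLOCKED
    elif [ "$aa_userns" = "1" ]; then
        # Ubuntu: AppArmor mediates unprivileged userns creation. Without the
        # unconfined restriction, a permissive profile reached via aa-exec
        # can still create one (the --ubuntu path in the article).
        if [ "$aa_unconfined" = "1" ]; then
            echo BLOCKED_APPARMOR
        else
            echo BYPASSABLE_AAEXEC
        fi
    else
        # No restriction at all: the RHEL/Debian default described above.
        echo OPEN
    fi
}

# Evaluate the running host.
audit_live_host() {
    classify_userns \
        "$(read_knob user.max_user_namespaces)" \
        "$(read_knob kernel.unprivileged_userns_clone)" \
        "$(read_knob kernel.apparmor_restrict_unprivileged_userns)" \
        "$(read_knob kernel.apparmor_restrict_unprivileged_unconfined)"
}

printf 'unprivileged user namespace creation on this host: %s\n' "$(audit_live_host)"
```

A result of OPEN or BYPASSABLE_AAEXEC on an unpatched kernel in the affected range is the condition the article's Red Hat guidance asks administrators to close.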

This vulnerability underscores the critical importance of timely patching and vigilant system monitoring. As attackers continue to exploit complex kernel flaws, system administrators must stay proactive in applying security updates and implementing robust access controls to mitigate potential threats.