CVE-2026-46331— net/sched: fix pedit partial COW leading to page cache corruption
In-the-Wild Activity Observed github_trending · high
Possible ATT&CK Techniques 1AI
T1200 · Hardware AdditionsAffected Version Matrix 20
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 8b796475fd7882663a870456466a4fb315cc1bd6< 2bec122b9fb91507a758ab5e3e5c4fbe7cb3f61b | affected |
8b796475fd7882663a870456466a4fb315cc1bd6< b198ed4e52580a7238c7c7082f03906f8b310313 | affected | ||
8b796475fd7882663a870456466a4fb315cc1bd6< 3dee9d0c198faeb95d052c1b94c2958751a28512 | affected | ||
8b796475fd7882663a870456466a4fb315cc1bd6< 899ee91156e57784090c5565e4f31bd7dbffbc5a | affected | ||
d0c38a914b0c4c21d553da801003d36979016726 | affected | ||
2ec2dd7d51a9320151f275ddbb2b53260fb32ca1 | affected | ||
abe35bf3be51482593076d516a680d79e5fbc8e1 | affected | ||
b773640d5bb9e2acfd91e2695717af04d47aa116 | affected | ||
| … +12 more rows | |||
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-46331
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
net/sched: fix pedit partial COW leading to page cache corruption
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: net/sched: fix pedit partial COW leading to page cache corruption tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account for the runtime header offset added by typed keys. This can leave part of the write region un-COW'd. Fix by moving skb_ensure_writable() inside the per-key loop where the actual write offset is known, and add overflow checking on the offset arithmetic. For negative offsets (e.g. Ethernet header edits at ingress), use skb_cow() to COW the headroom instead. Guard offset_valid() against INT_MIN, where negation is undefined.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-46331
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-46331
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-46331 (3)
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-53277
KVM: arm64: Take the SRCU lock for page table walks in fault - CVE-2026-53276
Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer - CVE-2026-53275
ipv6: mcast: Fix use-after-free when processing MLD queries - CVE-2026-53274
net/smc: fix sleep-inside-lock in __smc_setsockopt() causing - CVE-2026-53273
tee: optee: prevent use-after-free when the client exits bef
Same vendor: Linux
- CVE-2026-53277
KVM: arm64: Take the SRCU lock for page table walks in fault - CVE-2026-53276
Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer - CVE-2026-53275
ipv6: mcast: Fix use-after-free when processing MLD queries - CVE-2026-53274
net/smc: fix sleep-inside-lock in __smc_setsockopt() causing - CVE-2026-53273
tee: optee: prevent use-after-free when the client exits bef
V. Comments for CVE-2026-46331
No comments yet