net/sched: fix pedit partial COW leading to page cache corruption

Summary

CVECVE-2026-46331
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-06-16 08:16:23 UTC
Updated2026-07-10 12:17:04 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: net/sched: fix pedit partial COW leading to page cache corruption tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account for the runtime header offset added by typed keys. This can leave part of the write region un-COW'd. Fix by moving skb_ensure_writable() inside the per-key loop where the actual write offset is known, and add overflow checking on the offset arithmetic. For negative offsets (e.g. Ethernet header edits at ingress), use skb_cow() to COW the headroom instead. Guard offset_valid() against INT_MIN, where negation is undefined.

Risk And Classification

Primary CVSS: v3.1 6.7 MEDIUM from ADP

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.003210000 probability, percentile 0.239510000 (date 2026-07-08)

Problem Types: CWE-190 | CWE-787 | CWE-787 CWE-787 Out-of-bounds Write | CWE-190 CWE-190 Integer Overflow or Wraparound | CWE-787 Out-of-bounds Write


VersionSourceTypeScoreSeverityVector
3.1ADPCVSS6.7MEDIUMCVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
3.1416baaa9-dc9f-4396-8d5f-8c081fb06d67Secondary7.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
3.10b0ca135-0b70-47e7-9f44-1890c2a1c46cSecondary6.7MEDIUMCVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
3.1CNADECLARED7.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v3.1 Breakdown

Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Operating System Linux Linux Kernel All All All All

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected abe35bf3be51482593076d516a680d79e5fbc8e1 544d857b42a1734b923040e13aa61a6fd4746cf2 git Not specified
CNA Linux Linux affected b773640d5bb9e2acfd91e2695717af04d47aa116 d5d01d35a5a7d36f7cb679b67d9cbdd5205672dc git Not specified
CNA Linux Linux affected 8b796475fd7882663a870456466a4fb315cc1bd6 a071e057518decc5e3bec89855758f5f8786f2c5 git Not specified
CNA Linux Linux affected 8b796475fd7882663a870456466a4fb315cc1bd6 b685d6ef6f07a3b5ce814565a25f39f2157538a5 git Not specified
CNA Linux Linux affected 8b796475fd7882663a870456466a4fb315cc1bd6 2bec122b9fb91507a758ab5e3e5c4fbe7cb3f61b git Not specified
CNA Linux Linux affected 8b796475fd7882663a870456466a4fb315cc1bd6 b198ed4e52580a7238c7c7082f03906f8b310313 git Not specified
CNA Linux Linux affected 8b796475fd7882663a870456466a4fb315cc1bd6 3dee9d0c198faeb95d052c1b94c2958751a28512 git Not specified
CNA Linux Linux affected 8b796475fd7882663a870456466a4fb315cc1bd6 899ee91156e57784090c5565e4f31bd7dbffbc5a git Not specified
CNA Linux Linux affected d0c38a914b0c4c21d553da801003d36979016726 git Not specified
CNA Linux Linux affected 2ec2dd7d51a9320151f275ddbb2b53260fb32ca1 git Not specified
CNA Linux Linux affected c19cc520b3d69904e9518d401ad0df7f4702aca0 git Not specified
CNA Linux Linux affected 5.10.117 5.10.260 semver Not specified
CNA Linux Linux affected 5.15.41 5.15.211 semver Not specified
CNA Linux Linux affected 4.19.244 4.20 semver Not specified
CNA Linux Linux affected 5.4.195 5.5 semver Not specified
CNA Linux Linux affected 5.17.9 5.18 semver Not specified
CNA Linux Linux affected 5.18 Not specified
CNA Linux Linux unaffected 5.18 semver Not specified
CNA Linux Linux unaffected 5.10.260 5.10.* semver Not specified
CNA Linux Linux unaffected 5.15.211 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.177 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.144 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.94 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.36 6.18.* semver Not specified
CNA Linux Linux unaffected 7.0.13 7.0.* semver Not specified
CNA Linux Linux unaffected 7.1 * original_commit_for_fix Not specified
ADP Red Hat NVIDIA For RHEL 10 Not specified Not specified
ADP Red Hat Red Hat OpenShift Container Platform 4.12 Not specified Not specified
ADP Red Hat Red Hat OpenShift Container Platform 4.14 Not specified Not specified
ADP Red Hat Red Hat OpenShift Container Platform 4.15 Not specified Not specified
ADP Red Hat Red Hat OpenShift Container Platform 4.16 Not specified Not specified
ADP Red Hat Red Hat OpenShift Container Platform 4.17 Not specified Not specified
ADP Red Hat Red Hat OpenShift Container Platform 4.18 Not specified Not specified
ADP Red Hat Red Hat OpenShift Container Platform 4.19 Not specified Not specified
ADP Red Hat Red Hat OpenShift Container Platform 4.20 Not specified Not specified
ADP Red Hat Red Hat OpenShift Container Platform 4.21 Not specified Not specified
ADP Red Hat Red Hat OpenShift Container Platform 4.22 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux AppStream EUS V. 10.0 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux AppStream V. 10 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux AppStream E4S V.9.2 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux AppStream E4S V.9.4 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux AppStream EUS V.9.6 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux AppStream V. 9 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux BaseOS EUS V. 10.0 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux BaseOS V. 10 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux BaseOS V. 8 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux BaseOS AUS V.8.4 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux BaseOS EUS EXTENSION V.8.4 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux BaseOS AUS V.8.6 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux BaseOS EUS EXTENSION V.8.6 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux BaseOS E4S V.8.8 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux BaseOS TUS V.8.8 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux BaseOS E4S V.9.2 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux BaseOS E4S V.9.4 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux BaseOS EUS V.9.6 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux BaseOS V. 9 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux CodeReady Linux Builder EUS V. 10.0 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux CodeReady Linux Builder V. 10 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux CRB V. 8 Not specified Not specified
ADP Red Hat Red Hat CodeReady Linux Builder EUS V.9.6 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux CodeReady Linux Builder V. 9 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux Real Time For NFV EUS V. 10.0 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux Real Time For NFV V. 10 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux NFV V. 8 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux Real Time For NFV E4S V.9.2 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux Real Time For NFV E4S V.9.4 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux Real Time For NFV EUS V.9.6 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux Real Time For NFV V. 9 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux Real Time EUS V. 10.0 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux Real Time V. 10 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux RT V. 8 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux Real Time E4S V.9.2 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux Real Time E4S V.9.4 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux Real Time EUS V.9.6 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux Real Time V. 9 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux 10 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux 6 Not specified Not specified
ADP Red Hat Red Hat Enterprise Linux 7 Not specified Not specified

References

ReferenceSourceLinkTags
access.redhat.com/errata/RHSA-2026:33222 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Third Party Advisory
access.redhat.com/errata/RHSA-2026:33219 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Third Party Advisory
git.kernel.org/stable/c/a071e057518decc5e3bec89855758f5f8786f2c5 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/b198ed4e52580a7238c7c7082f03906f8b310313 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
access.redhat.com/errata/RHSA-2026:27706 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Third Party Advisory
access.redhat.com/errata/RHSA-2026:27709 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Third Party Advisory
access.redhat.com/errata/RHSA-2026:27789 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Third Party Advisory
access.redhat.com/errata/RHSA-2026:29833 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Third Party Advisory
security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46331.json 0b0ca135-0b70-47e7-9f44-1890c2a1c46c security.access.redhat.com Third Party Advisory
access.redhat.com/errata/RHSA-2026:29856 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Third Party Advisory
git.kernel.org/stable/c/544d857b42a1734b923040e13aa61a6fd4746cf2 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
access.redhat.com/errata/RHSA-2026:27704 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Third Party Advisory
access.redhat.com/errata/RHSA-2026:34098 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com
git.kernel.org/stable/c/899ee91156e57784090c5565e4f31bd7dbffbc5a 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
access.redhat.com/errata/RHSA-2026:27713 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Third Party Advisory
access.redhat.com/errata/RHSA-2026:33225 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Third Party Advisory
git.kernel.org/stable/c/2bec122b9fb91507a758ab5e3e5c4fbe7cb3f61b 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
access.redhat.com/errata/RHSA-2026:33220 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Third Party Advisory
git.kernel.org/stable/c/3dee9d0c198faeb95d052c1b94c2958751a28512 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
access.redhat.com/errata/RHSA-2026:33666 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Third Party Advisory
access.redhat.com/errata/RHSA-2026:28887 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Third Party Advisory
access.redhat.com/errata/RHSA-2026:28962 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Issue Tracking
access.redhat.com/errata/RHSA-2026:27355 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Third Party Advisory
access.redhat.com/errata/RHSA-2026:29863 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Third Party Advisory
access.redhat.com/errata/RHSA-2026:27705 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Third Party Advisory
access.redhat.com/security/cve/CVE-2026-46331 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Third Party Advisory
access.redhat.com/errata/RHSA-2026:27731 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Third Party Advisory
git.kernel.org/stable/c/d5d01d35a5a7d36f7cb679b67d9cbdd5205672dc 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
access.redhat.com/errata/RHSA-2026:29794 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Third Party Advisory
access.redhat.com/errata/RHSA-2026:27354 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Third Party Advisory
access.redhat.com/errata/RHSA-2026:33224 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Third Party Advisory
access.redhat.com/errata/RHSA-2026:33221 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Third Party Advisory
access.redhat.com/errata/RHSA-2026:27288 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Third Party Advisory
access.redhat.com/errata/RHSA-2026:27353 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Third Party Advisory
github.com/sgkdev/packet_edit_meme/tree/main 134c704f-9b21-4f2e-91b3-4a467353bcc0 github.com Third Party Advisory
git.kernel.org/stable/c/b685d6ef6f07a3b5ce814565a25f39f2157538a5 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
access.redhat.com/errata/RHSA-2026:29799 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Third Party Advisory
access.redhat.com/errata/RHSA-2026:29080 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Third Party Advisory
access.redhat.com/errata/RHSA-2026:33223 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Third Party Advisory
access.redhat.com/errata/RHSA-2026:34048 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com
access.redhat.com/errata/RHSA-2026:27708 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Third Party Advisory
bugzilla.redhat.com/show_bug.cgi 0b0ca135-0b70-47e7-9f44-1890c2a1c46c bugzilla.redhat.com Third Party Advisory
access.redhat.com/errata/RHSA-2026:27707 0b0ca135-0b70-47e7-9f44-1890c2a1c46c access.redhat.com Third Party Advisory
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Additional Advisory Data

SourceTimeEvent
ADP2026-05-18T06:17:23.219ZReported to Red Hat.
ADP2026-05-18T04:04:00.000ZMade public.

Solutions

ADP: RHSA-2026:27709: NVIDIA for RHEL 10

ADP: RHSA-2026:33666: NVIDIA for RHEL 10

ADP: RHSA-2026:34048: Red Hat OpenShift Container Platform 4.12

ADP: RHSA-2026:28887: Red Hat OpenShift Container Platform 4.14

ADP: RHSA-2026:28962: Red Hat OpenShift Container Platform 4.15

ADP: RHSA-2026:29080: Red Hat OpenShift Container Platform 4.16

ADP: RHSA-2026:34098: Red Hat OpenShift Container Platform 4.17

ADP: RHSA-2026:29856: Red Hat OpenShift Container Platform 4.18

ADP: RHSA-2026:29863: Red Hat OpenShift Container Platform 4.19

ADP: RHSA-2026:29799: Red Hat OpenShift Container Platform 4.20

ADP: RHSA-2026:29833: Red Hat OpenShift Container Platform 4.21

ADP: RHSA-2026:29794: Red Hat OpenShift Container Platform 4.22

ADP: RHSA-2026:27731: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)

ADP: RHSA-2026:27288: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)

ADP: RHSA-2026:27705: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)

ADP: RHSA-2026:27713: Red Hat Enterprise Linux AppStream E4S (v.9.4), Red Hat Enterprise Linux BaseOS E4S (v.9.4), Red Hat Enterprise Linux Real Time E4S (v.9.4), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.4)

ADP: RHSA-2026:27708: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)

ADP: RHSA-2026:27789: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)

ADP: RHSA-2026:33225: Red Hat Enterprise Linux BaseOS (v. 10)

ADP: RHSA-2026:27353: Red Hat Enterprise Linux BaseOS (v. 8), Red Hat Enterprise Linux CRB (v. 8)

ADP: RHSA-2026:33220: Red Hat Enterprise Linux BaseOS (v. 8)

ADP: RHSA-2026:27707: Red Hat Enterprise Linux BaseOS AUS (v.8.4), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)

ADP: RHSA-2026:27704: Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)

ADP: RHSA-2026:27355: Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS TUS (v.8.8)

ADP: RHSA-2026:33219: Red Hat Enterprise Linux BaseOS E4S (v.8.8)

ADP: RHSA-2026:33221: Red Hat Enterprise Linux BaseOS E4S (v.9.2)

ADP: RHSA-2026:33222: Red Hat Enterprise Linux BaseOS E4S (v.9.4)

ADP: RHSA-2026:33223: Red Hat Enterprise Linux BaseOS EUS (v.9.6)

ADP: RHSA-2026:33224: Red Hat Enterprise Linux BaseOS (v. 9)

ADP: RHSA-2026:27354: Red Hat Enterprise Linux NFV (v. 8), Red Hat Enterprise Linux RT (v. 8)

ADP: RHSA-2026:27706: Red Hat Enterprise Linux Real Time E4S (v.9.2), Red Hat Enterprise Linux Real Time for NFV E4S (v.9.2)

Workarounds

ADP: See the security bulletin for a detailed mitigation procedure.

© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report