{
  "threat_severity" : "Important",
  "public_date" : "2026-05-18T04:04:00Z",
  "bugzilla" : {
    "description" : "kernel: net/sched: act_pedit: extend the writable skb range per key",
    "id" : "2479492",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2479492"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-787",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet/sched: fix pedit partial COW leading to page cache corruption\ntcf_pedit_act() computes the COW range for skb_ensure_writable()\nonce before the key loop using tcfp_off_max_hint, but the hint does\nnot account for the runtime header offset added by typed keys. This\ncan leave part of the write region un-COW'd.\nFix by moving skb_ensure_writable() inside the per-key loop where\nthe actual write offset is known, and add overflow checking on the\noffset arithmetic. For negative offsets (e.g. Ethernet header edits\nat ingress), use skb_cow() to COW the headroom instead. Guard\noffset_valid() against INT_MIN, where negation is undefined.", "A flaw was found in the Linux kernel's traffic control packet editing (pedit) subsystem. In tcf_pedit_act(), the copy-on-write (COW) range for skb_ensure_writable() is computed once before iterating over edit keys, but the calculation does not account for runtime header offsets added by typed keys. This can leave part of the target write region without a proper copy-on-write, leading to an out-of-bounds write that corrupts page cache memory. A local attacker with the ability to configure traffic control rules could exploit this to escalate privileges or crash the system." ],
  "statement" : "Red Hat rates this flaw as Important severity.\nThis vulnerability is in the kernel's traffic control (tc) pedit action, which requires CAP_NET_ADMIN capability to configure. By default in Red Hat Enterprise Linux, this limits exploitation to the root user or processes explicitly granted network administration capabilities. However, in some circumstances unprivileged users may obtain CAP_NET_ADMIN within user namespaces. Successful exploitation could lead to arbitrary code execution in kernel context or a system crash.\nRed Hat Enterprise Linux 7 and earlier are not affected.",
  "affected_release" : [ {
    "product_name" : "NVIDIA for RHEL 10",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:27709",
    "cpe" : "cpe:/a:redhat:enterprise_linux_nvidia:10::el10",
    "package" : "kernel-0:6.12.0-212.11.el10nv"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-06-20T00:00:00Z",
    "advisory" : "RHSA-2026:27288",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.2",
    "package" : "kernel-0:6.12.0-211.26.1.el10_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:27731",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "kernel-0:6.12.0-55.82.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-06-19T00:00:00Z",
    "advisory" : "RHSA-2026:27354",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.136.1.rt7.477.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-06-19T00:00:00Z",
    "advisory" : "RHSA-2026:27353",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.136.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:27707",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.4",
    "package" : "kernel-0:4.18.0-305.195.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:27707",
    "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4",
    "package" : "kernel-0:4.18.0-305.195.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:27704",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.197.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-On",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:27704",
    "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.6",
    "package" : "kernel-0:4.18.0-372.197.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2026-06-19T00:00:00Z",
    "advisory" : "RHSA-2026:27355",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.8",
    "package" : "kernel-0:4.18.0-477.148.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2026-06-19T00:00:00Z",
    "advisory" : "RHSA-2026:27355",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.8",
    "package" : "kernel-0:4.18.0-477.148.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:27789",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-687.17.1.el9_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:27789",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-687.17.1.el9_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:27705",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "kernel-0:5.14.0-284.177.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:27706",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.177.1.rt14.462.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:27713",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.4",
    "package" : "kernel-0:5.14.0-427.134.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:27708",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "kernel-0:5.14.0-570.123.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "libkrun",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "rhcos",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-46331\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-46331\nhttps://lore.kernel.org/netdev/20260516162825.1480113-1-rollkingzzc@gmail.com/" ],
  "csaw" : true,
  "name" : "CVE-2026-46331",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent the affected modules from loading by using a blacklist mechanism. This will ensure the modules are not loaded at boot time.\n`echo \"blacklist act_pedit\" > /etc/modprobe.d/blacklist-act-pedit.conf`\nIf the module is currently loaded, unload it or reboot for the blacklist to take effect. For additional guidance for unloading kernel modules, see https://access.redhat.com/solutions/41278.",
    "lang" : "en:us"
  }
}