net/sched: fix pedit partial COW leading to page cache corruption

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: fix pedit partial COW leading to page cache corruption

tcf_pedit_act() computes the COW range for skb_ensure_writable()
once before the key loop using tcfp_off_max_hint, but the hint does
not account for the runtime header offset added by typed keys. This
can leave part of the write region un-COW'd.

Fix by moving skb_ensure_writable() inside the per-key loop where
the actual write offset is known, and add overflow checking on the
offset arithmetic. For negative offsets (e.g. Ethernet header edits
at ingress), use skb_cow() to COW the headroom instead. Guard
offset_valid() against INT_MIN, where negation is undefined.

Basic Information

ID CVE-2026-46331

Source Linux

Published Jun 16, 2026 at 06:26

Modified Jun 28, 2026 at 06:36

Affected Product

Vendor Linux

Product Linux

Version 8b796475fd7882663a870456466a4fb315cc1bd6

Affected Versions Linux Linux 8b796475fd7882663a870456466a4fb315cc1bd6
Linux Linux 8b796475fd7882663a870456466a4fb315cc1bd6
Linux Linux 8b796475fd7882663a870456466a4fb315cc1bd6
Linux Linux 8b796475fd7882663a870456466a4fb315cc1bd6
Linux Linux d0c38a914b0c4c21d553da801003d36979016726
Linux Linux 2ec2dd7d51a9320151f275ddbb2b53260fb32ca1
Linux Linux abe35bf3be51482593076d516a680d79e5fbc8e1
Linux Linux b773640d5bb9e2acfd91e2695717af04d47aa116
Linux Linux c19cc520b3d69904e9518d401ad0df7f4702aca0
Linux Linux 4.19.244
Linux Linux 5.4.195
Linux Linux 5.10.117
Linux Linux 5.15.41
Linux Linux 5.17.9
Linux Linux 5.18

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: fix pedit partial COW leading to page cache corruption\n\ntcf_pedit_act() computes the COW range for skb_ensure_writable()\nonce before the key loop using tcfp_off_max_hint, but the hint does\nnot account for the runtime header offset added by typed keys. This\ncan leave part of the write region un-COW'd.\n\nFix by moving skb_ensure_writable() inside the per-key loop where\nthe actual write offset is known, and add overflow checking on the\noffset arithmetic. For negative offsets (e.g. Ethernet header edits\nat ingress), use skb_cow() to COW the headroom instead. Guard\noffset_valid() against INT_MIN, where negation is undefined.",
    "published": "2026-06-16T06:26:21.066Z",
    "modified": "2026-06-28T06:36:22.892Z",
    "type": "cve",
    "title": "net/sched: fix pedit partial COW leading to page cache corruption",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/2bec122b9fb91507a758ab5e3e5c4fbe7cb3f61b\nhttps://git.kernel.org/stable/c/b198ed4e52580a7238c7c7082f03906f8b310313\nhttps://git.kernel.org/stable/c/3dee9d0c198faeb95d052c1b94c2958751a28512\nhttps://git.kernel.org/stable/c/899ee91156e57784090c5565e4f31bd7dbffbc5a",
    "id": "CVE-2026-46331",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 8b796475fd7882663a870456466a4fb315cc1bd6\nLinux Linux 8b796475fd7882663a870456466a4fb315cc1bd6\nLinux Linux 8b796475fd7882663a870456466a4fb315cc1bd6\nLinux Linux 8b796475fd7882663a870456466a4fb315cc1bd6\nLinux Linux d0c38a914b0c4c21d553da801003d36979016726\nLinux Linux 2ec2dd7d51a9320151f275ddbb2b53260fb32ca1\nLinux Linux abe35bf3be51482593076d516a680d79e5fbc8e1\nLinux Linux b773640d5bb9e2acfd91e2695717af04d47aa116\nLinux Linux c19cc520b3d69904e9518d401ad0df7f4702aca0\nLinux Linux 4.19.244\nLinux Linux 5.4.195\nLinux Linux 5.10.117\nLinux Linux 5.15.41\nLinux Linux 5.17.9\nLinux Linux 5.18",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "8b796475fd7882663a870456466a4fb315cc1bd6",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

net/sched: fix pedit partial COW leading to page cache corruption_CVE-2026-46331

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply