Recently, a local privilege escalation vulnerability in the Linux kernel has been disclosed, codenamed ActPedit (also referred to as pedit COW). This vulnerability belongs to the same class of page-cache write risks as the previously reported Dirty Frag and Copy Fail. Attackers with local low-privileged execution capabilities could exploit this flaw to modify the page cache of read‑only files, thereby escalating privileges and gaining root access.
Publicly available information indicates that proof‑of‑concept (PoC) code and exploitation details have already been widely disseminated. Given its severity and broad impact, we strongly urge all users to update without delay.
Vulnerability Details
CVE ID: CVE‑2026‑46331
Codename: ActPedit (pedit COW)
Description: This vulnerability resides in the Linux kernel network subsystem (net/sched) within the traffic control packet editing (pedit) module. The function tcf_pedit_act() calculates the copy‑on‑write (COW) range for the socket buffer (skb) only once outside the loop, based on tcfp_off_max_hint. This hint does not account for runtime type‑key‑appended packet header offsets, causing certain memory regions to be written without proper COW duplication. An attacker can craft malicious tc traffic rules through unprivileged user namespaces combined with CAP_NET_ADMIN capability, triggering writes to shared read‑only page cache pages that are not COW‑protected. This vulnerability does not require kernel race conditions and can reliably corrupt the page cache of setuid‑root binaries.
Severity: ⚠️⚠️⚠️ High (CVSS 7.1–7.8)
Exploitation Conditions:
The kernel must have CONFIG_NET_ACT_PEDIT enabled.
The attacker must have local low‑privileged code execution (e.g., a normal user shell, compromised service process, container process, or other restricted environment).
The risk is significantly higher when user namespaces are enabled (CONFIG_USER_NS=y and /proc/sys/kernel/unprivileged_userns_clone is set to 1), as public PoC exploits are more effective under these conditions.
The attacker can leverage unprivileged user namespaces with CAP_NET_ADMIN to create malicious tc rules and trigger the vulnerability.
Successful exploitation allows a local unprivileged user to gain full root privileges and take complete control of the system.
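The exploitation conditions above can be checked on a host with a short script. This is an added example, not part of the deepin advisory: the function names and the /boot/config-$(uname -r) path are assumptions, and it reports the listed preconditions only, not whether the fixed kernel is installed.

```shell
#!/bin/sh
# Added example: report the ActPedit exposure conditions named in the advisory.
# Function names are hypothetical; this checks preconditions, not patch status.

# config_value FILE SYMBOL -> prints y, m, or n (unset or absent)
config_value() {
    v=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${v:-n}"
}

# classify CONFIG_FILE USERNS_CLONE_VALUE
# prints: pedit-absent | pedit-present | pedit-present-userns-open
classify() {
    pedit=$(config_value "$1" CONFIG_NET_ACT_PEDIT)
    userns=$(config_value "$1" CONFIG_USER_NS)
    if [ "$pedit" = n ]; then
        echo pedit-absent
    elif [ "$userns" = y ] && [ "$2" = 1 ]; then
        # Condition the advisory flags as significantly higher risk.
        echo pedit-present-userns-open
    else
        echo pedit-present
    fi
}

# Write a constructed sample kernel config so the logic can be run offline.
sample_config() {
    f=$(mktemp)
    printf '%s\n' "$@" > "$f"
    echo "$f"
}

# On a real host: read the running kernel's config and the live sysctl value.
# Assumes the distribution ships its config as /boot/config-<release>.
check_host() {
    cfg="/boot/config-$(uname -r)"
    [ -r "$cfg" ] || { echo config-unreadable; return 0; }
    clone=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null || echo unknown)
    classify "$cfg" "$clone"
}

if [ "${1:-}" = "--host" ]; then check_host; fi
```

Run it with `--host` to classify the running kernel; a result of `pedit-absent` means the first listed condition is not met.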
Affected Scope
All deepin 25 users who have not applied this fix are affected. We strongly recommend updating immediately.
Fix Progress
For deepin 25 (kernels 6.6 and 6.18): The fix for the ActPedit vulnerability has been pushed. Please update promptly via Control Center or by running the following terminal commands:
sudo apt update && sudo apt dist-upgrade
After the upgrade, reboot your system to ensure the fix takes effect.
Additional Updates
This update also includes fixes for several known DDE (deepin Desktop Environment) issues.
That’s all for this deepin 25.1.1 official release. Thank you once again for your continued support, dear deepin community!