In the Linux kernel, the following vulnerability has been resolved:

net/sched: fix pedit partial COW leading to page cache corruption

tcf_pedit_act() computes the COW range for skb_ensure_writable()
once before the key loop using tcfp_off_max_hint, but the hint does
not account for the runtime header offset added by typed keys. This
can leave part of the write region un-COW'd.

Fix by moving skb_ensure_writable() inside the per-key loop where
the actual write offset is known, and add overflow checking on the
offset arithmetic. For negative offsets (e.g. Ethernet header edits
at ingress), use skb_cow() to COW the headroom instead. Guard
offset_valid() against INT_MIN, where negation is undefined.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
Linux Linux unaffected
Version Status Constraints
8b796475fd7882663a870456466a4fb315cc1bd6 affected < 899ee91156e57784090c5565e4f31bd7dbffbc5a
d0c38a914b0c4c21d553da801003d36979016726 affected
2ec2dd7d51a9320151f275ddbb2b53260fb32ca1 affected
abe35bf3be51482593076d516a680d79e5fbc8e1 affected
b773640d5bb9e2acfd91e2695717af04d47aa116 affected
c19cc520b3d69904e9518d401ad0df7f4702aca0 affected
4.19.244 affected < 4.20
5.4.195 affected < 5.5
5.10.117 affected < 5.11
5.15.41 affected < 5.16
5.17.9 affected < 5.18
Linux Linux affected
Version Status Constraints
5.18 affected
0 unaffected < 5.18
7.1 unaffected ≤ *

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors Products
Linux Subscribe
Linux Kernel Subscribe

Project Subscriptions

Vendors Products
Linux Subscribe
Linux Kernel Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://git.kernel.org/stable/c/899ee91156e57784090c5565e4f31bd7dbffbc5a cve-icon cve-icon
History

Tue, 16 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net/sched: fix pedit partial COW leading to page cache corruption tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account for the runtime header offset added by typed keys. This can leave part of the write region un-COW'd. Fix by moving skb_ensure_writable() inside the per-key loop where the actual write offset is known, and add overflow checking on the offset arithmetic. For negative offsets (e.g. Ethernet header edits at ingress), use skb_cow() to COW the headroom instead. Guard offset_valid() against INT_MIN, where negation is undefined.
Title net/sched: fix pedit partial COW leading to page cache corruption
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-16T06:26:21.066Z

Reserved: 2026-05-13T15:03:33.112Z

Link: CVE-2026-46331

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-16T08:16:23.993

Modified: 2026-06-16T08:16:23.993

Link: CVE-2026-46331

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-16T10:00:10Z

Weaknesses

No weakness.