Home

Description

In the Linux kernel, the following vulnerability has been resolved: net/sched: fix pedit partial COW leading to page cache corruption tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account for the runtime header offset added by typed keys. This can leave part of the write region un-COW'd. Fix by moving skb_ensure_writable() inside the per-key loop where the actual write offset is known, and add overflow checking on the offset arithmetic. For negative offsets (e.g. Ethernet header edits at ingress), use skb_cow() to COW the headroom instead. Guard offset_valid() against INT_MIN, where negation is undefined.

PUBLISHED Reserved 2026-05-13 | Published 2026-06-16 | Updated 2026-06-16 | Assigner Linux

Product status

Default status
unaffected

8b796475fd7882663a870456466a4fb315cc1bd6 (git) before 899ee91156e57784090c5565e4f31bd7dbffbc5a
affected

d0c38a914b0c4c21d553da801003d36979016726 (git)
affected

2ec2dd7d51a9320151f275ddbb2b53260fb32ca1 (git)
affected

abe35bf3be51482593076d516a680d79e5fbc8e1 (git)
affected

b773640d5bb9e2acfd91e2695717af04d47aa116 (git)
affected

c19cc520b3d69904e9518d401ad0df7f4702aca0 (git)
affected

4.19.244 (semver) before 4.20
affected

5.4.195 (semver) before 5.5
affected

5.10.117 (semver) before 5.11
affected

5.15.41 (semver) before 5.16
affected

5.17.9 (semver) before 5.18
affected

Default status
affected

5.18
affected

Any version before 5.18
unaffected

7.1 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/899ee91156e57784090c5565e4f31bd7dbffbc5a

cve.org (CVE-2026-46331)

nvd.nist.gov (CVE-2026-46331)

Download JSON