PeditCOW (CVE-2026-46331)

Document Version: 1.0
Severity: High (CVE), Low (TrueNAS Impact)


Executive Summary

CVE-2026-46331 is a Linux kernel vulnerability in the Traffic Control (TC) act_pedit action. The pedit COW range is computed once before the key loop using a stale hint that does not account for runtime header offsets from typed keys. This leaves part of the write region un-COW’d, allowing writes to reach page-cache pages directly and corrupt root-owned read-only files.

Internal testing on TrueNAS 25.10.3.1 confirms the underlying primitive works, but all system binaries reside on ZFS, which does not expose page-cache pages to this attack path. The exploit fails on ZFS-backed files.

TrueNAS Impact: LOW — Primitive confirmed functional; exploitation of SUID binaries blocked by ZFS filesystem architecture. Fix is available and should be applied.


Vulnerability Details

Technical Description

tcf_pedit_act() in net/sched/act_pedit.c computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint. For typed pedit keys (e.g., TCA_PEDIT_KEY_EX_HDR_TYPE_TCP), the actual write offset includes a runtime header offset that tcfp_off_max_hint does not account for. The effective write range therefore extends beyond what was COW’d.

When the un-COW’d bytes are backed by page-cache pages (as occurs when sendfile() places file pages directly into skb fragments), pedit writes directly into those pages, corrupting the file’s on-disk representation in the kernel’s page cache.

The first (NETWORK) key inflates the IP IHL field, shifting subsequent TCP key writes past the stale COW boundary into the sendfile-sourced page-cache fragments.

Impact

  • Type: Page cache corruption → local privilege escalation (LPE) or arbitrary file modification
  • CVSS: 7.8 HIGH — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector: Local, low privilege (user namespaces required for TC rule creation)
  • Active Exploitation: Not in CISA KEV catalog
  • Introduced: Linux 5.18

Attack Scenario

  1. Unprivileged user creates a new user + network namespace (unshare -rn), acquiring CAP_NET_ADMIN over an isolated loopback interface
  2. Attacker installs a TC clsact egress pedit filter on lo with a crafted two-key rule: a NETWORK key that inflates IP IHL, followed by a TCP key targeting the desired file offset
  3. sendfile() sends the target file over the loopback connection; file pages enter the skb as fragments
  4. Pedit writes past the COW’d region into the page-cache pages backing the file
  5. Attacker exec’s the modified SUID binary to obtain a root shell

TrueNAS Impact Assessment

Affected Versions

Release                           Kernel Base   Status
25.10.3.1 and earlier             6.12.33       Affected — fix in 6.12.94
25.10.4                           6.12.x        Affected — fix in 6.12.94
25.10.5                           6.12.91       Affected — fix in 6.12.94
dev (25.10.4+) as of 2026-06-25   6.18.35       Affected — fix in 6.18.36 (available in update-6.18-kernel branch at v6.18.37)

Internal Testing Results

Testing was conducted on TrueNAS 25.10.3.1 using a proof-of-concept exploit:

Primitive verification (test_cve):

[*] target /tmp/cve_target (4096 bytes), opened O_RDONLY (fd=3); running 10 writes
    [ 0] off=  16 size= 4  OK
    ...
    [ 9] off=3500 size= 4  OK
[=] 10/10 writes verified through the read-only fd

The page-cache write primitive is confirmed working on files located on tmpfs (/tmp).

Full exploit against /bin/su:

The exploit reports successful corruption ([+] su entry overwritten) but the target binary executes normally. Verification via dd confirmed the page-cache bytes at the entry offset were not modified:

$ dd if=/bin/su bs=1 skip=14608 count=48 status=none | od -x
0000000 ed31 8949 5ed1 8948 ...   ← original _start bytes, not shellcode

Root cause: /bin/su and all system binaries reside on ZFS (boot-pool/ROOT/25.10.3.1/usr, type zfs). ZFS uses its own Adaptive Replacement Cache (ARC), and sendfile() over a ZFS-backed file does not place ZFS ARC pages directly into skb fragments in the same way tmpfs does. The pedit write reaches a copied buffer rather than the ZFS file’s page-cache representation. The file on disk is unchanged.

Filesystem Breakdown

/tmp    → tmpfs   → VULNERABLE (primitive works)
/usr    → zfs     → PROTECTED  (exploit fails, file unmodified)
/bin    → zfs     → PROTECTED  (symlink into /usr)

All SUID-root binaries on a stock TrueNAS system reside under the ZFS root pool. An attacker would need a SUID-root binary on tmpfs to complete the privilege escalation, which does not exist in a default TrueNAS deployment.


Risk Assessment

Industry Risk: HIGH

  • Affects all Linux distributions using traditional filesystems (ext4, xfs, btrfs)
  • Exploit primitive is reliable and deterministic (10/10 success rate)
  • Unprivileged user namespaces are enabled on most distributions
  • Affects Linux 5.18 through 6.12.93 / 6.18.35 / 7.0.12

TrueNAS Risk: LOW

  • ZFS filesystem architecture prevents exploitation of system binaries
  • Confirmed through direct testing on TrueNAS 25.10.3.1
  • Stock deployments have no SUID binaries on tmpfs
  • Kernel bug is real and the fix should still be applied

Mitigations and Recommendations

Patched Releases

  • TrueNAS dev / 25.10.4+: Fix available in update-6.18-kernel branch (v6.18.37 merge, commit b198ed4e5258). Apply when branch merges to main.
  • TrueNAS 25.10.x: Fix in 6.12.94; targeted for 25.10.5.

Recommendations

  1. Apply kernel update when available — while ZFS provides practical protection, the kernel bug should be fixed.
  2. Do not create SUID binaries under /tmp — this would bypass the ZFS protection.
  3. Restrict local shell access — the attack requires a local unprivileged shell session.
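The advisory's practical precondition is a setuid binary living on tmpfs. The following audit script is an added example (not part of the advisory or of any TrueNAS tooling): it reads a mounts table in /proc/mounts format, picks out tmpfs/ramfs mount points, and reports any setuid or setgid files found on them without crossing into other filesystems. It assumes mount points without embedded spaces.

```shell
#!/bin/sh
# Audit for setuid/setgid files on tmpfs or ramfs mounts, the placement the
# advisory identifies as the only one where the page-cache write reaches a
# privileged binary on TrueNAS. Added example; not vendor tooling.

# Print mount points whose filesystem type is tmpfs or ramfs.
# Argument: path of a mounts table (defaults to /proc/mounts).
list_tmpfs_mounts() {
    mounts_file="${1:-/proc/mounts}"
    awk '$3 == "tmpfs" || $3 == "ramfs" { print $2 }' "$mounts_file"
}

# Print setuid/setgid regular files under each given directory.
# -xdev keeps the search on the tmpfs itself (e.g. a ZFS dataset mounted
# below /tmp would not be reported, since it is not exposed to this bug).
find_suid_in() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
    done
}

# Combine both: returns 0 when no such files exist, 1 (and lists them)
# when the precondition for privilege escalation is present.
audit_suid_on_tmpfs() {
    hits=$(find_suid_in $(list_tmpfs_mounts "$1"))
    if [ -n "$hits" ]; then
        printf 'setuid/setgid file on tmpfs: %s\n' $hits
        return 1
    fi
    return 0
}

# Set SUID_AUDIT_RUN=1 in the environment to audit the live system.
if [ "${SUID_AUDIT_RUN:-0}" = 1 ]; then
    audit_suid_on_tmpfs
fi
```

Run it as `SUID_AUDIT_RUN=1 sh suid_tmpfs_audit.sh`; a non-zero exit status means a setuid or setgid file is sitting on a tmpfs mount.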

Defense in Depth

No module blacklist is available for this vulnerability (TC pedit is a core networking component). The primary mitigations are the ZFS filesystem architecture and applying the kernel fix.


References

  • CVE-2026-46331: net/sched: fix pedit partial COW leading to page cache corruption
  • Affected files: net/sched/act_pedit.c, include/net/tc_act/tc_pedit.h
  • Fix (6.18 series): b198ed4e5258 — merged in v6.18.36
  • Fix (6.12 series): target v6.12.94
  • Related CVEs: CVE-2026-43284, CVE-2026-43500, CVE-2026-43503 (same page-cache corruption class)
  • TrueNAS Security: https://security.truenas.com

This document will be updated when kernel fixes land in TrueNAS release branches.