[SRU][R/N/J][PATCH 0/3] CVE-2026-46331
Cengiz Can
cengiz.can at canonical.com
Fri Jul 10 09:00:16 UTC 2026
https://ubuntu.com/security/CVE-2026-46331
[ Impact ]
The net/sched pedit action computes the copy-on-write (COW) range for
skb_ensure_writable() once before iterating over the pedit keys, using
tcfp_off_max_hint. This hint does not account for the runtime header
offset added by typed keys, so part of the write region can be left
un-COW'd. Writing into a shared, un-COW'd skb region can corrupt the
page cache, leading to data corruption and potential denial of service.
[ Fix ]
resolute: clean cherry-pick
noble: backported with AI-assisted adaptation
jammy: backported with AI-assisted adaptation
focal: backported with AI-assisted adaptation
bionic: backported with AI-assisted adaptation
[ Test Plan ]
Boot tested.
[ Where Problems Could Occur ]
A regression in this change to the net/sched act_pedit code path could
break packet editing or COW handling, resulting in dropped packets or
incorrect skb modifications for tc pedit users. Faulty offset overflow
checks could also reject otherwise valid pedit configurations.
More information about the kernel-team
mailing list