ACK/Cmnt: [SRU][R/N/J][PATCH 0/3] CVE-2026-46331

Alessio Faina alessio.faina at canonical.com
Wed Jul 15 14:08:51 UTC 2026


On Fri, Jul 10, 2026 at 12:00:16PM +0300, Cengiz Can via kernel-team wrote:
> https://ubuntu.com/security/CVE-2026-46331
> 
> [ Impact ]
> 
> The net/sched pedit action computes the copy-on-write (COW) range for
> skb_ensure_writable() once before iterating over the pedit keys, using
> tcfp_off_max_hint. This hint does not account for the runtime header
> offset added by typed keys, so part of the write region can be left
> un-COW'd. Writing into a shared, un-COW'd skb region can corrupt the
> page cache, leading to data corruption and potential denial of service.
> 
> [ Fix ]
> 
> resolute: clean cherry-pick
> noble: backported with AI-assisted adaptation
> jammy: backported with AI-assisted adaptation
> focal: backported with AI-assisted adaptation
> bionic: backported with AI-assisted adaptation
> 
> [ Test Plan ]
> 
> Boot tested.
> 
> [ Where Problems Could Occur ]
> 
> A regression in this change to the net/sched act_pedit code path could
> break packet editing or COW handling, resulting in dropped packets or
> incorrect skb modifications for tc pedit users. Faulty offset overflow
> checks could also reject otherwise valid pedit configurations.
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Patch for Resolute is not needed as it has been pulled in with the merge
with Upstream stable to v7.0.12

Acked-by: Alessio Faina <alessio.faina at canonical.com>



More information about the kernel-team mailing list