ACK/Cmnt: [SRU][R/N/J][PATCH 0/3] CVE-2026-46331
Alessio Faina
alessio.faina at canonical.com
Wed Jul 15 14:08:51 UTC 2026
On Fri, Jul 10, 2026 at 12:00:16PM +0300, Cengiz Can via kernel-team wrote:
> https://ubuntu.com/security/CVE-2026-46331
>
> [ Impact ]
>
> The net/sched pedit action computes the copy-on-write (COW) range for
> skb_ensure_writable() once before iterating over the pedit keys, using
> tcfp_off_max_hint. This hint does not account for the runtime header
> offset added by typed keys, so part of the write region can be left
> un-COW'd. Writing into a shared, un-COW'd skb region can corrupt the
> page cache, leading to data corruption and potential denial of service.
>
> [ Fix ]
>
> resolute: clean cherry-pick
> noble: backported with AI-assisted adaptation
> jammy: backported with AI-assisted adaptation
> focal: backported with AI-assisted adaptation
> bionic: backported with AI-assisted adaptation
>
> [ Test Plan ]
>
> Boot tested.
>
> [ Where Problems Could Occur ]
>
> A regression in this change to the net/sched act_pedit code path could
> break packet editing or COW handling, resulting in dropped packets or
> incorrect skb modifications for tc pedit users. Faulty offset overflow
> checks could also reject otherwise valid pedit configurations.
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Patch for Resolute is not needed as it has been pulled in with the merge
with Upstream stable to v7.0.12
Acked-by: Alessio Faina <alessio.faina at canonical.com>
More information about the kernel-team
mailing list