ACK: [SRU][R/N/J][PATCH 0/3] CVE-2026-46331

Manuel Diewald manuel.diewald at canonical.com
Thu Jul 16 16:31:42 UTC 2026


On Fri, Jul 10, 2026 at 12:00:16PM +0300, Cengiz Can via kernel-team wrote:
> https://ubuntu.com/security/CVE-2026-46331
> 
> [ Impact ]
> 
> The net/sched pedit action computes the copy-on-write (COW) range for
> skb_ensure_writable() once before iterating over the pedit keys, using
> tcfp_off_max_hint. This hint does not account for the runtime header
> offset added by typed keys, so part of the write region can be left
> un-COW'd. Writing into a shared, un-COW'd skb region can corrupt the
> page cache, leading to data corruption and potential denial of service.
> 
> [ Fix ]
> 
> resolute: clean cherry-pick
> noble: backported with AI-assisted adaptation
> jammy: backported with AI-assisted adaptation
> focal: backported with AI-assisted adaptation
> bionic: backported with AI-assisted adaptation
> 
> [ Test Plan ]
> 
> Boot tested.
> 
> [ Where Problems Could Occur ]
> 
> A regression in this change to the net/sched act_pedit code path could
> break packet editing or COW handling, resulting in dropped packets or
> incorrect skb modifications for tc pedit users. Faulty offset overflow
> checks could also reject otherwise valid pedit configurations.
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Acked-by: Manuel Diewald <manuel.diewald at canonical.com>

-- 
 Manuel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260716/98852721/attachment.sig>


More information about the kernel-team mailing list