惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Hacker News: Ask HN
Hacker News: Ask HN
IT之家
IT之家
S
SegmentFault 最新的问题
T
Tailwind CSS Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
博客园 - 司徒正美
J
Java Code Geeks
博客园 - 聂微东
雷峰网
雷峰网
阮一峰的网络日志
阮一峰的网络日志
The Cloudflare Blog
博客园_首页
大猫的无限游戏
大猫的无限游戏
博客园 - 三生石上(FineUI控件)
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
博客园 - 【当耐特】
腾讯CDC
Apple Machine Learning Research
Apple Machine Learning Research
酷 壳 – CoolShell
酷 壳 – CoolShell
V
V2EX
宝玉的分享
宝玉的分享
小众软件
小众软件
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Hugging Face - Blog
Hugging Face - Blog
月光博客
月光博客
NISL@THU
NISL@THU
T
The Exploit Database - CXSecurity.com
C
CXSECURITY Database RSS Feed - CXSecurity.com
WordPress大学
WordPress大学
有赞技术团队
有赞技术团队
Blog — PlanetScale
Blog — PlanetScale
aimingoo的专栏
aimingoo的专栏
L
LINUX DO - 热门话题
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
F
Fortinet All Blogs
博客园 - Franky
L
Lohrmann on Cybersecurity
S
Secure Thoughts
量子位
V
Vulnerabilities – Threatpost
Last Week in AI
Last Week in AI
博客园 - 叶小钗
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
L
LINUX DO - 最新话题
I
InfoQ
C
CERT Recently Published Vulnerability Notes
Security Archives - TechRepublic
Security Archives - TechRepublic
P
Proofpoint News Feed
G
GRAHAM CLULEY
Cisco Talos Blog
Cisco Talos Blog

Blog

MAAS installation: bare metal provisioning is easier than ever | Canonical Januscape vulnerability CVE-2026-53359 mitigations available | Canonical Managing Ubuntu on bare metal at scale | Canonical Ubuntu Server: a platform made for enterprise scale | Canonical Building an open source chain of trust: new research uncovers key blockers and ways forward | Canonical Beyond safety and security: Why automotive open source demands dependability  | Canonical DirtyClone Linux kernel local privilege escalation vulnerability fixes available | Canonical Canonical becomes Gold Sponsor of Trifecta Tech Foundation | Canonical Challenges designers face in open source (and how to fix them) | Canonical Hunting a 16-year-old SQLite bug with TLA+: is dqlite affected? | Canonical Anbox Cloud on C4A metal: Android, at scale, without friction | Canonical Canonical announces live kernel patching for Arm64 | Canonical How to use RISC-V custom instructions with Ubuntu | Canonical Ubuntu Summit 26.04: connected by open source | Canonical So you need to add microcontrollers to your fleet: now what? | Canonical Validating real-world skills through Canonical Academy | Canonical Virtualized Android comes to Anbox Cloud | Canonical Template: Streamlining open source design contributions | Canonical Beyond Mythos: responding to a new threat landscape | Canonical A look into Ubuntu Core 26: Building a local AI inference appliance in a virtual machine | Canonical This year we celebrate a decade of Ubuntu Server support on the s390x architecture: marking a long-standing collaboration between Canonical and IBM that began at LinuxCon 2015. The first release happened on April 21, 2016, bringing Ubuntu 16.04 LTS (Xenial Xerus) to IBM Z and IBM LinuxONE platforms.  A first for Ubuntu on IBM That […] AI at the edge: simplifying infrastructure with Cisco and Canonical | Canonical The next era of telco clouds: get open infrastructure choice with Sylva and Canonical Kubernetes | Canonical What is RDMA over Converged Ethernet (RoCE)? | Canonical Beyond tokens per watt – using Ubuntu 26.04 LTS for AI Beyond tokens per watt – using Ubuntu 26.04 LTS for AI | Canonical A look into Ubuntu Core 26: Deploying AI models on Renesas RZ/V series for production | Canonical RISC-V profiles – why is RVA23 significant? | Canonical AI with AMD ROCm on Ubuntu: your questions answered | Canonical When distributed workloads stall because nodes cannot exchange small messages quickly and consistently, the network is the limiting factor. How do you solve that problem? InfiniBand offers one solution. InfiniBand is an interconnect, meaning the end-to-end communication system that links compute, storage, and accelerator nodes. It is impl […] Microsoft has announced the preview of Azure Cobalt 200, its second-generation custom Arm silicon. Learn how Ubuntu and Ubuntu Pro support these new VMs from day one, offering seamless deployment, long-term security maintenance, and Kernel Livepatch without requiring engineering or platform changes […] How Canonical Support solves hard Linux performance bugs  – even in 12-year old code | Canonical Securing AI agent workflows on Ubuntu with the new NVIDIA OpenShell snap | Canonical Canonical announces optimized Ubuntu images for TPU virtual machines by Google Cloud | Canonical VMware hypervisor deployment using MAAS | Canonical Migrating from Apache Spark 3 to Spark 4 | Canonical Introducing Workshop: launch sandboxed development environments on Ubuntu with a single command | Canonical Run agentic workloads on Arm and Ubuntu | Canonical Decoding design: How design and engineering thrive together in open source | Canonical Developing web apps with local LLM inference | Canonical A local privilege escalation (LPE) security vulnerability in the Linux kernel, codename “PinTheft,” was publicly disclosed on May 19, 2026. The vulnerability was fixed in the mainline Linux kernel tree. A proof-of-concept exploit was published along with public disclosure. This has been assigned the CVE ID CVE-2026-43494; other discoverin […] Canonical has announced the general availability of Managed Kubeflow on the Microsoft Azure Marketplace. This fully managed MLOps platform allows enterprise AI teams to deploy a production-ready environment in under an hour, eliminating infrastructure maintenance. […] A look into Ubuntu Core 26: Cloud-powered edge computing with AWS IoT Greengrass and Azure IoT Edge | Canonical CVE-2026-46333 (ssh-keysign-pwn) Linux kernel vulnerability mitigations | Canonical Finding the blind spot: How Canonical hunts logic flaws with AI | Canonical A local privilege escalation (LPE) vulnerability affecting the Linux kernel has been publicly disclosed on May 13, 2026. The vulnerability does not have a CVE ID published, but is referred to as “Fragnesia.” The vulnerability affects multiple Linux distributions, including all Ubuntu releases. The affected components are the Linux kernel […] Rethinking BYOD security: protecting data without trusting devices | Canonical Two local privilege escalation (LPE) vulnerabilities affecting the Linux kernel have been publicly disclosed on May 7, 2026. The vulnerabilities have been assigned the IDs CVE-2026-43284 and CVE-2026-43500 and are referred to as “Dirty Frag.” The affected components are Linux kernel modules. The first vulnerability impacts the modules tha […] Three weeks to go: A sneak peek of the Ubuntu Summit 26.04 experience | Canonical How to use Ubuntu on Windows | Canonical A local privilege escalation (LPE) vulnerability affecting the Linux kernel has been publicly disclosed on April 29, 2026. The vulnerability has been assigned CVE ID CVE-2026-31431 and is referred to as Copy Fail. The affected component is a kernel module that provides hardware-accelerated cryptographic functions: algif_aead. The vulnerab […] Run NVIDIA Nemotron 3 Nano Omni locally in a single command | Canonical Why Web Engineering is great | Canonical Ubuntu 16.04 LTS (Xenial Xerus) reached the end of its five-year Expanded Security Maintenance (ESM) window in April 2026. If you are still running 16.04, it is critical to address your support status to ensure continued security and compliance. Your support options Now that 16.04 is in its Legacy phase, you have two primary paths: […] Understanding disaggregated GenAI model serving with llm-d | Canonical From Jammy to Resolute: how Ubuntu’s toolchains have evolved | Canonical Hybrid search and reranking: a deeper look at RAG | Canonical Canonical expands Ubuntu support to next-generation MediaTek Genio 520 and 720 platforms | Canonical In this article, Keirthana TS, a Senior Technical Author at Canonical, breaks down what leadership means to her and how she understood the power of intentional leadership through her journey at Canonical. […] Ubuntu Pro comes to Nutanix bare-metal Kubernetes | Canonical RISC-V 101 – what is it and what does it mean for Canonical? | Canonical Ubuntu Summit 26.04 is coming: Save the date and share your story! | Canonical How to manage Ubuntu fleets using on-premises Active Directory and ADSys | Canonical Simplify bare metal operations for sovereign clouds | Canonical How to Harden Ubuntu SSH: From static keys to cloud identity | Canonical The “scanner report has to be green” trap | Canonical Modern Linux identity management: from local auth to the cloud with Ubuntu | Canonical Canonical welcomes NVIDIA’s donation of the GPU DRA driver to CNCF | Canonical Hot code burns: the supply chain case for letting your containers cool before you ship | Canonical
pedit COW kernel local privilege escalation vulnerability mitigations | Canonical
Luci Stanescu · 2026-07-01 · via Blog

Mitigations are available for the Linux vulnerability with CVE ID CVE-2026-46331. The CVE ID was assigned on June 16 2026 and highlighted as a local privilege escalation (LPE) vulnerability on June 26, 2026. Known as “pedit COW”, this vulnerability affects multiple Linux distributions, including all Ubuntu releases starting with Bionic Beaver 18.04 LTS. Ubuntu Resolute Raccoon 26.04 LTS has AppArmor mitigations that block the execution path of the vulnerability.

The vulnerability was assigned a CVSS 3.1 score of 7.8, corresponding to a severity of HIGH, on June 28, 2026.

The affected component is a Linux kernel module that provides support for tc-pedit, an action used by the traffic control subsystem in Linux that allows for arbitrary packet modification.

This post describes mitigations that disable the affected modules, if they are not needed by a host. These mitigations can be applied until Linux kernel packages which implement the proposed patch are released.

Impact

Deployments without container workloads

On hosts that do not run container workloads, the vulnerability allows a local user to elevate privileges to the root user. There is a published exploit that executes in this type of deployment.

Container deployments

In container deployments that may execute arbitrary third-party workloads, the vulnerability may additionally facilitate container escape scenarios, in addition to local privilege escalation on the host. A proof-of-concept exploit has not been published yet for container escape.

Mitigation regression risk

The mitigation disables the kernel modules that are used for the pedit action in tc. Enabling the mitigation will affect functionality if the module is in use by local traffic control rules.

Affected releases

Once available, the vulnerability fix will be distributed through the Linux kernel image packages. In the interim, a mitigation which disables the affected modules can be applied according to the instructions below. The mitigation will not be necessary once the kernel is updated.

ReleasePackage NameRemediation Status
Trusty Tahr (14.04 LTS)linuxNot affected
Xenial Xerus (16.04 LTS)linuxNot affected
Bionic Beaver (18.04 LTS)linuxAffected
Focal Fossa (20.04 LTS)linuxAffected
Jammy Jellyfish (22.04 LTS)linuxAffected
Noble Numbat (24.04 LTS)linuxAffected
Questing Quokka (25.10)linuxAffected
Resolute Raccoon (26.04 LTS)linuxAppArmor mitigations

How to check if you are impacted

Run the following command to obtain the name of the Ubuntu release installed and compare to the table above:

lsb_release -a

Manual mitigation

The mitigations block the affected kernel module from loading. This requires three steps:

  1. Prevent the module from loading in the future.
  2. Unload the module.
  3. Check whether step 2 was successful; if not, reboot the system.

Step 1 – block the module:

Block the module by creating a /etc/modprobe.d/pedit-cow.conf file:

echo "install act_pedit /bin/false" | sudo tee /etc/modprobe.d/pedit-cow.conf

Regenerate the initramfs images, to prevent the module from being loaded during early boot:

sudo update-initramfs -u -k all

Step 2 – unload module:

Unload the module, in case it is already loaded:

sudo rmmod act_pedit 2>/dev/null 

Step 3 – confirm the module isn’t loaded:

Check whether the module is still loaded:

grep -qE '^act_pedit ' /proc/modules && echo "Affected module is loaded" || echo "Affected module is NOT loaded"

If the previous action indicates that the module is not loaded, no further action is required. However, unloading the module may not be possible if it is in use by existing traffic control rules. In these instances, a system reboot will enforce its blocking, but will affect traffic control rules:

sudo reboot

Disabling the mitigation

Once kernel updates are available and installed, the mitigation can be removed:

sudo rm /etc/modprobe.d/pedit-cow.conf
sudo update-initramfs -u -k all

Related posts


DirtyClone Linux kernel local privilege escalation vulnerability fixes available

Ubuntu Article

On June 25, 2026, JFrog published their research into CVE-2026-43503, referring to the vulnerability as DirtyClone. The vulnerability had previously been responsibly disclosed to the Linux kernel maintainers and the CVE record published on May 23, 2026. The vulnerability affects multiple Linux distributions, including all Ubuntu releases. ...


PinTheft Linux kernel vulnerability mitigation

Ubuntu Ubuntu tech blog

A local privilege escalation (LPE) security vulnerability in the Linux kernel, codename “PinTheft,” was publicly disclosed on May 19, 2026. The vulnerability was fixed in the mainline Linux kernel tree. A proof-of-concept exploit was published along with public disclosure. This has been assigned the CVE ID CVE-2026-43494; other discoverin ...


CVE-2026-46333 (ssh-keysign-pwn) Linux kernel vulnerability mitigations

Ubuntu Ubuntu tech blog

An information disclosure security vulnerability in the Linux kernel was publicly disclosed on May 15th, 2026. The vulnerability was reported by Qualys and fixed in the mainline Linux kernel tree. A proof-of-concept exploit was published soon after public disclosure. The ID CVE-2026-46333 was assigned, but the vulnerability is also referr ...