PEdit-CoW

This repository is a compact local privilege escalation proof-of-concept for CVE-2026-46331. It contains two files: a single C exploit source file and a README describing the vulnerability and impact. The main file, CVE-2026-46331.c, is a standalone Linux exploit that builds raw NETLINK_ROUTE messages to configure traffic-control state in the kernel, specifically matchall/pedit-related objects in net/sched. It uses loopback traffic on 127.0.0.1:4445 to exercise the vulnerable act_pedit path and appears to include an integrated write primitive ('pedit_primitive') with calibration support via /tmp/.pedit_calib. The exploit then locates a setuid-root su binary, parses its ELF entry point, and repeatedly writes shellcode into that entry offset through the corruption primitive. After successful corruption, it execve()s the modified su binary to obtain root code execution. This is not a scanner or detector; it is an actual exploit with a hardcoded payload, making it operational rather than a bare PoC. No external C2 or remote infrastructure is present; the exploit is entirely local and relies on vulnerable kernel behavior plus the presence of a usable setuid-root su target.

Repository contains a standalone local Linux privilege-escalation exploit for CVE-2026-46331 plus a reusable primitive and a verification harness. Structure: (1) pedit_primitive.c/.h implement the core page-cache overwrite primitive by configuring tc/netlink state on the loopback interface and abusing net/sched act_pedit to write beyond a stale COW range into page-cache-backed data sent via sendfile; setup() prepares loopback networking, opens a local TCP listener on 127.0.0.1:4445, and calibrates the file-offset delta using /tmp/.pedit_calib. api_fd_write() exposes the primitive as bounded 4-byte-slot writes to an arbitrary file descriptor, including O_RDONLY descriptors. (2) test_cve.c is a non-privilege-escalation testcase that creates /tmp/cve_target, reopens it read-only, performs 10 overwrite attempts at varying offsets/sizes, and verifies that the page cache changed despite only holding an O_RDONLY fd. (3) packet_edit_meme.c weaponizes the primitive into unprivileged local root: it locates a setuid-root su binary, parses ELF headers to find the executable entry-point file offset, forks a child that unshares user and network namespaces, maps itself to uid/gid 0 inside the namespace, calls setup(), and writes x86_64 shellcode over the cached su entry point. The parent then execves su from the initial namespace, causing the setuid-root binary to execute the injected shellcode and spawn an interactive root /bin/sh. Ubuntu-specific logic optionally re-execs through aa-exec with profiles trinity/chrome/flatpak to bypass AppArmor userns restrictions. Overall, this is a real exploit repository, not just a detector: it provides both a generic arbitrary page-cache overwrite primitive and an operational local root exploit payload.