GitHub - sgkdev/packet_edit_meme: PACKET_EDIT_MEME.c (aka CVE-2026-46331): yet another page cache poisoning nightmare · GitHub
PACKET_EDIT_MEME - aka CVE-2026-46331
net/sched act_pedit partial-COW page-cache corruption (culprit 899ee91156e5, present v5.18 .. fixed v7.1-rc7). packet_edit_meme.c turns it into unprivileged local root: a userns CAP_NET_ADMIN child overwrites the cached ELF entry of setuid-root /bin/su with setgid(0)+setuid(0)+execve("/bin/sh") shellcode.

```
make
./packet_edit_meme
./packet_edit_meme --ubuntu   # AppArmor-gated Ubuntu: aa-exec bypass first
```
Targets (verified 2026-06, unprivileged user -> root)

| Distro | Kernel | Flag | Result |
|---|---|---|---|
| RHEL 10.0 | 6.12.0-228.el10 | (none) | ROOT |
| Debian 13 trixie | 6.12.90+deb13.1 | (none) | ROOT |
| Ubuntu 24.04.4 | 6.17.0-22 | --ubuntu | ROOT |
| Ubuntu 26.04 | 7.0.0-14-generic | --ubuntu | FAIL |

RHEL / Debian: unprivileged userns is open by default, no flag needed. RHEL ships no cls_basic / em_meta, so the primitive falls back to matchall automatically.
Ubuntu AppArmor gate
Ubuntu denies unconfined unprivileged userns via two sysctls:

```
kernel.apparmor_restrict_unprivileged_userns      # denies unconfined userns creation
kernel.apparmor_restrict_unprivileged_unconfined  # forces unconfined change_profile to STACK,
                                                  # so an aa-exec permissive profile cannot
                                                  # shed the userns restriction
```

--ubuntu re-execs via aa-exec -p {trinity,chrome,flatpak} (profiles that carry a "userns," rule).

```
24.04.4 : userns=1, unconfined=0 -> aa-exec bypass WORKS
26.04   : userns=1, unconfined=1 -> aa-exec bypass CLOSED
```
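For defenders, the sysctl matrix above can be turned into a host audit. The following is an added example, not code from the repository: it reads the knobs from /proc/sys and reports which state a host is in, plus whether act_pedit is currently loaded. The verdict names, the root-directory argument, and the extra checks of user.max_user_namespaces and the Debian/Ubuntu-only kernel.unprivileged_userns_clone are assumptions of this example.

```shell
#!/bin/sh
# Added audit example, not code from the repository. Verdict names and the
# root-directory argument are assumptions made for this example.
# root is "/" on a live host, or a directory holding a constructed proc/ tree.

read_knob() {   # $1 = root, $2 = path below proc/sys; prints value or "absent"
    f="${1%/}/proc/sys/$2"
    if [ -r "$f" ]; then tr -d ' \n' < "$f"; else printf absent; fi
}

classify_userns_gate() {   # $1 = root; prints exactly one verdict word
    root="${1:-/}"
    maxns=$(read_knob "$root" user/max_user_namespaces)
    clone=$(read_knob "$root" kernel/unprivileged_userns_clone)
    restrict=$(read_knob "$root" kernel/apparmor_restrict_unprivileged_userns)
    unconf=$(read_knob "$root" kernel/apparmor_restrict_unprivileged_unconfined)

    # Not a Linux /proc tree, or user namespaces not built in.
    if [ "$maxns" = absent ]; then echo UNKNOWN; return; fi
    # Either knob at 0 turns unprivileged user namespaces off outright
    # (unprivileged_userns_clone exists only on Debian/Ubuntu kernels).
    if [ "$maxns" = 0 ] || [ "$clone" = 0 ]; then echo USERNS_DISABLED; return; fi
    # AppArmor restriction absent or 0: the RHEL/Debian default in the README.
    if [ "$restrict" != 1 ]; then echo USERNS_OPEN; return; fi
    # README matrix row "userns=1, unconfined=0": a permissive profile still
    # sheds the restriction.
    if [ "$unconf" != 1 ]; then echo GATE_BYPASSABLE; return; fi
    # README matrix row "userns=1, unconfined=1".
    echo GATE_CLOSED
}

pedit_loaded() {   # $1 = root; succeeds if act_pedit is listed in proc/modules
    grep -q '^act_pedit ' "${1%/}/proc/modules" 2>/dev/null
}

audit_host() {   # $1 = root; prints a two-line report
    root="${1:-/}"
    printf 'userns gate: %s\n' "$(classify_userns_gate "$root")"
    if pedit_loaded "$root"; then
        echo 'act_pedit:   loaded'
    else
        echo 'act_pedit:   not listed (may be built in or loaded on demand)'
    fi
}
# On a live host: audit_host /
```

GATE_CLOSED and USERNS_DISABLED are the hardened states; USERNS_OPEN and GATE_BYPASSABLE mean an unprivileged user can still reach CAP_NET_ADMIN inside a user namespace, so the kernel fix is the only barrier.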