pedit COW (CVE-2026-46331): Mitigation and Kernel Update on CloudLinux

Incident Report for CloudLinux

Monitoring

KernelCare livepatches for pedit COW have shipped and are live on the KernelCare main feed for affected CloudLinux versions. KernelCare-subscribed servers receive the fix automatically on the next kcarectl –update. Confirmed patch IDs by version:

CloudLinux 8: K20260624_18 — production feed since June 25
CloudLinux 9 (AlmaLinux 9): K20260626_30 — production feed since June 29
CloudLinux 10 (AlmaLinux 10): K20260625_20 — production feed since June 26
CloudLinux for Ubuntu 22.04 (Jammy): K20260625_01 — production feed since June 25
Posted Jul 03, 2026 - 20:03 UTC

Identified

pedit COW is a separate, new bug in a different part of the kernel, the traffic-control act_pedit action in net/sched, not the XFRM/ESP path behind Dirty Frag and Fragnesia. The module blacklist you may have applied for those does not cover this vulnerability. The mitigation below targets a different module (act_pedit).

Affected CloudLinux versions
CloudLinux 7 (CL7)-----------------No
CloudLinux 7h (CL7h)--------------Yes
CloudLinux 8 (CL8)-----------------Yes
CloudLinux 9 (CL9)-----------------Yes
CloudLinux 10 (CL10)--------------Yes
CloudLinux for Ubuntu 22.04 LTS--Yes

For more detailed information and instructions on updating and mitigation, please visit our blog post: pedit COW (CVE-2026-46331): Mitigation and Kernel Update on CloudLinux

Patched CloudLinux kernels for CL7h and CL8 are released to the beta channel and rolling out to stable. Target versions:
CL7h: kernel-4.18.0-553.137.1.lve.el7h or newer
CL8: kernel-4.18.0-553.137.1.lve.el8 or newer

Patched AlmaLinux kernels for CL9 and CL10 are available in the production (stable) repositories. Target versions:
CL9 / AlmaLinux 9: kernel-5.14.0-687.17.1.el9_8 or newer
CL10 / AlmaLinux 10: kernel-6.12.0-211.26.1.el10_2 or newer

KernelCare livepatches for CVE-2026-46331 are in active build and test.

CloudLinux for Ubuntu 22.04 runs the stock Ubuntu kernel; there is no CloudLinux-built kernel for this platform, and the production fix arrives from Canonical via apt. Track its status on the Ubuntu CVE page.

Until an updated kernel is installed or a KernelCare LivePatch update is applied, use one of the two mitigation methods described in our blog post: pedit COW (CVE-2026-46331): Mitigation and Kernel Update on CloudLinux
Posted Jun 26, 2026 - 15:53 UTC