Answer Brief
GovCERT.HK has issued a High Threat Security Alert (A26-06-45) for two elevation-of-privilege vulnerabilities in the Linux kernel—DirtyClone (CVE-2026-43503) and pedit COW (CVE-2026-46331)—with public PoC exploits available, allowing local unprivileged users to gain root access on affected systems.
Signal Timeline
1. GovCERT.HK publishes High Threat Security Alert A26-06-45 for DirtyClone and pedit COW vulnerabilities
2. Public proof-of-concept exploit code confirmed available for both CVEs
3. Vendor patch references provided for Debian, Red Hat, SUSE, and Ubuntu
Why It Matters
GovCERT.HK’s High Threat Security Alert A26-06-45 highlights two critical elevation-of-privilege vulnerabilities in the Linux kernel—DirtyClone (CVE-2026-43503) and pedit COW (CVE-2026-46331)—that allow local attackers to escalate privileges to root. The alert, issued on 29 June 2026, confirms that proof-of-concept exploit code for both flaws is publicly available, significantly increasing the likelihood of exploitation in unpatched systems. This constitutes a high-severity risk due to the widespread use of Linux in servers, cloud infrastructure, containers, and embedded devices across global enterprises and government systems.
The technical scope of the vulnerabilities is broad. DirtyClone affects Linux kernel versions from 3.9 up to 7.0.10, excluding specific patched point releases in each series (e.g., 5.10.257, 6.1.174). Similarly, pedit COW impacts versions from 4.19.244 through 7.0.13, with exclusions for patched builds such as 5.15.208 and 6.6.141. These ranges cover numerous long-term support (LTS) and stable kernel branches commonly deployed in production environments, meaning a large portion of Linux-based systems may be exposed unless updated.
Technical Signal
The availability of public PoC code is a key operational concern. GovCERT.HK explicitly states that exploit code for both CVEs is accessible, which lowers the barrier for attackers and increases the urgency for defensive action. Local privilege escalation flaws like these are particularly dangerous in multi-user environments, shared hosting platforms, containerized workloads, and cloud instances where untrusted users or compromised low-privilege services could leverage the flaws to gain full system control.
Mitigation guidance from GovCERT.HK directs administrators to consult vendor-specific security trackers for Debian, Red Hat, SUSE, and Ubuntu, where patches have been or are being released. The alert provides direct links to CVE entries in Debian’s security tracker, Red Hat’s CVE database, SUSE’s security page, and Ubuntu’s security notices, along with references to NVD, MITRE, and a GitHub repository (sgkdev/packet_edit_meme) that may host related exploit or analysis code. This underscores the importance of vendor coordination in patch management, especially given the variability in patch timing across distributions.
Operational Impact
For global security, cloud, and IT operations teams, this alert serves as a valuable first-hand signal from Hong Kong’s government CERT. While the vulnerabilities originate in the Linux kernel, a global component, the early detection and public warning by GovCERT.HK provide actionable intelligence ahead of broader awareness. Organizations using Linux should verify their kernel versions against the affected ranges, prioritize patching through their distribution’s official channels, and monitor for signs of local exploitation attempts, bearing in mind that disclosures from regional CERTs may precede global advisories.
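A first-pass triage of the version check described above, written for this brief as an added example (not code from GovCERT.HK or any vendor). The names `ADVISORY`, `parse_release` and `triage` are hypothetical, and the table holds only the ranges and example fixed releases quoted in this brief. It assumes a quoted fixed release also covers later point releases in the same series. Distribution kernels backport fixes without changing the upstream version, so any in-range result is reported as `check-vendor` rather than as vulnerable.

```python
import re

# Ranges and example fixed point releases exactly as quoted in the brief.
# The brief lists fixed releases only as examples, so "fixed" is incomplete.
ADVISORY = {
    "CVE-2026-43503": {"first": (3, 9, 0), "last": (7, 0, 10),
                       "fixed": {(5, 10): 257, (6, 1): 174}},
    "CVE-2026-46331": {"first": (4, 19, 244), "last": (7, 0, 13),
                       "fixed": {(5, 15): 208, (6, 6): 141}},
}

def parse_release(release):
    """Turn a `uname -r` string such as '6.1.170-1-amd64' into (6, 1, 170)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())

def triage(release):
    """Map each CVE to 'outside-range', 'fixed-upstream' or 'check-vendor'."""
    ver = parse_release(release)
    result = {}
    for cve, info in ADVISORY.items():
        # Assumption: a fixed point release also covers later ones in its series.
        fixed_patch = info["fixed"].get(ver[:2])
        if not info["first"] <= ver <= info["last"]:
            result[cve] = "outside-range"
        elif fixed_patch is not None and ver[2] >= fixed_patch:
            result[cve] = "fixed-upstream"
        else:
            # In range with no fix known from the brief: the vendor tracker decides.
            result[cve] = "check-vendor"
    return result

if __name__ == "__main__":
    import platform
    for cve, status in triage(platform.release()).items():
        print(f"{cve}: {status}")
```

Run on a host, it reports the running kernel; across a fleet, feed `triage()` the release strings collected by inventory tooling.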
The alert also reinforces the value of monitoring regional government CERT feeds like GovCERT.HK for early vulnerability signals. These sources often provide timely, technically detailed alerts that can supplement or precede international databases like NVD. In this case, the explicit confirmation of public PoC availability adds critical context for risk assessment, helping teams distinguish between theoretical and actively exploitable threats.
What To Watch
Finally, while the alert does not specify active exploitation in the wild, the combination of public exploit code, wide version exposure, and high-severity impact warrants immediate attention. System administrators are advised to treat this as an active threat until patches are applied, with particular focus on internet-facing Linux servers, container hosts, and development systems where local access might be more readily obtained.
Event Type: security
Importance: high
Affected Sectors
- cloud infrastructure
- enterprise IT
- government
- technology
Key Numbers
- CVE-2026-43503 (DirtyClone) affected kernel range: 3.9 through 7.0.10 (excluding patched versions)
- CVE-2026-46331 (pedit COW) affected kernel range: 4.19.244 through 7.0.13 (excluding patched versions)
- Public PoC availability: Confirmed for both vulnerabilities
- Alert reference: A26-06-45
- Publication date: 29 June 2026
- Severity classification: High Threat
Frequently Asked Questions
What are DirtyClone and pedit COW vulnerabilities in the Linux kernel?
DirtyClone (CVE-2026-43503) and pedit COW (CVE-2026-46331) are elevation-of-privilege flaws in the Linux kernel that allow a local unprivileged attacker to gain root access by exploiting memory handling weaknesses in clone() and copy-on-write mechanisms.
Which Linux kernel versions are affected by CVE-2026-43503 and CVE-2026-46331?
CVE-2026-43503 affects kernel versions 3.9 through 7.0.10 (excluding patched point releases). CVE-2026-46331 affects versions 4.19.244 through 7.0.13 (excluding patched versions). Specific exclusions apply per version series as detailed in the GovCERT.HK alert.
Is there public exploit code available for these Linux kernel vulnerabilities?
Yes, GovCERT.HK confirms that proof-of-concept (PoC) exploit code for both DirtyClone (CVE-2026-43503) and pedit COW (CVE-2026-46331) is publicly available, increasing the risk of active exploitation.
What should system administrators do in response to the GovCERT.HK alert on these Linux kernel flaws?
Administrators should immediately check with their Linux distribution vendors (e.g., Debian, Red Hat, SUSE, Ubuntu) to confirm patch availability and apply updates for CVE-2026-43503 and CVE-2026-46331 to mitigate privilege escalation risks.
Why is this GovCERT.HK alert significant for global IT and cloud security teams?
As a first-hand regional signal from Hong Kong’s GovCERT.HK, this alert provides early warning of high-risk, actively exploitable Linux kernel flaws with public PoCs, enabling global cloud, enterprise, and infrastructure teams to prioritize patching and validate exposure in Linux-based systems.