CVE-2026-46331

In the Linux kernel, the following vulnerability has been resolved:

net/sched: fix pedit partial COW leading to page cache corruption

tcf pedit act() computes the COW range for skb ensure writable() once before the key loop using tcfp off max hint, but the hint does not account for the runtime header offset added by typed keys. This can leave part of the write region un-COW'd.

Fix by moving skb ensure writable() inside the per-key loop where the actual write offset is known, and add overflow checking on the offset arithmetic. For negative offsets (e.g. Ethernet header edits at ingress), use skb cow() to COW the headroom instead. Guard offset valid() against INT MIN, where negation is undefined.