PROBABLYPWNED
Vulnerabilities | July 4, 2026 | 4 min read

Bad Epoll: Linux Kernel Flaw Grants Root on Servers and Android

CVE-2026-46242 exploits a use-after-free race in Linux epoll, giving unprivileged users root access with 99% reliability. Servers and Android devices at risk.

Marcus Chen

A newly disclosed Linux kernel vulnerability dubbed "Bad Epoll" lets any unprivileged local user escalate to root with near-perfect reliability. The flaw, tracked as CVE-2026-46242, affects kernel versions 6.4 and later—including a broad swath of enterprise servers, desktops, and Android devices.

Security researcher Jaeyoung Chung discovered the bug, which stems from a use-after-free race condition in the kernel's epoll subsystem. Epoll is the standard Linux mechanism for monitoring thousands of file descriptors or network connections simultaneously. Every web server, database, and modern browser depends on it. You cannot simply disable epoll to mitigate this.

How Bad Epoll Works

The vulnerability exists because two kernel code paths can attempt to clean up the same internal epoll object at the same time. One path frees the memory while the other is still writing into it. That brief collision window—spanning roughly six machine instructions—lets an attacker corrupt kernel memory and pivot from a normal user account to root.

Despite the narrow timing window, exploitation is surprisingly reliable. Chung's proof-of-concept achieves an approximately 99% success rate on tested systems. The kernelCTF program has verified a working exploit, with an Android variant still in development.

What makes Bad Epoll particularly concerning: it can be triggered from inside Chrome's renderer sandbox, which blocks almost every other kernel vulnerability. Browser-based exploitation means drive-by attacks could theoretically chain this with a renderer bug for full system compromise.

Affected Systems

The vulnerability traces back to a 2023 change to the epoll code. Most Linux distributions running kernels based on version 6.4 or newer remain vulnerable if they haven't backported the fix.

Notably, some older kernels are safe. Android devices running 6.1-based kernels, like the Pixel 8, are unaffected. But newer Android devices shipping with 6.4+ kernels need patches.

The fix landed in upstream commit a6dc643c6931. Major distributions are expected to roll out patches in the coming days.

Connection to AI-Discovered Vulnerabilities

Bad Epoll isn't the only recent epoll vulnerability. CVE-2026-43074, a related flaw in the same code path, was discovered by Anthropic's Mythos AI model earlier in 2026. Both bugs originated from that same 2023 commit.

The Mythos discovery highlights the growing role of AI in vulnerability research—a trend we've covered in stories like the Cursor prompt injection RCE and Mozilla's research on AI coding agent exploitation.

Once CVE-2026-43074 was patched, Bad Epoll's memory error stopped triggering KASAN, the kernel's primary bug detector. The vulnerability effectively hid itself behind the first fix, remaining latent until Chung's manual analysis uncovered it.

Why This Matters

Local privilege escalation bugs rarely make headlines on their own. But Bad Epoll's combination of factors elevates it:

  • Near-perfect reliability: 99% success rate is exceptional for a race condition
  • Massive attack surface: Every Linux server and many Android devices
  • Sandbox escape potential: Chrome's renderer can trigger it
  • No detection at runtime: KASAN doesn't catch it post-patch

For organizations running containerized workloads, this is particularly bad news. Container escapes often require kernel vulnerabilities exactly like this one. Combined with a container breakout primitive, Bad Epoll provides a clean path from compromised container to host root.

Recommended Actions

  1. Patch immediately - Apply kernel updates as soon as your distribution releases them
  2. Monitor for upstream fixes - Check for commit a6dc643c6931 in your kernel source
  3. Audit Android fleet - Identify devices running kernel 6.4+ and prioritize updates
  4. Review container security - Ensure seccomp profiles restrict epoll-related syscalls where possible (as noted above, nearly every service depends on epoll, so this is realistic only for narrowly scoped workloads)

If your organization uses vulnerability management tools, flag any system running kernel 6.4 through the unpatched version range.
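As an added example (not from the article, from Chung, or from the kernel project), the following POSIX shell helper classifies a host's `uname -r` string against the 6.4 cut-off the article gives and, when pointed at a kernel git checkout, checks whether the fix commit a6dc643c6931 is an ancestor of HEAD. The function names, the `KSRC` variable and the sample version strings are constructed for this example; a version match only flags a candidate, since a distribution may have backported the fix without changing the version number.

```shell
#!/bin/sh
# Fleet-audit helper (constructed example). Kernels 6.4 and newer fall in the
# range the article says may be affected by CVE-2026-46242 until the fix is
# backported; older kernels (e.g. 6.1-based Android builds) are out of range.

# kernel_in_range "<uname -r>"  -> prints in-range | out-of-range | unknown
kernel_in_range() {
    ver=$1
    base=${ver%%-*}            # drop distro suffix: "6.4.0-rc1" -> "6.4.0"
    major=${base%%.*}
    case "$base" in
        *.*) rest=${base#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;        # bare "6" has no minor component
    esac
    case "$major$minor" in
        *[!0-9]*|'') echo "unknown"; return 2 ;;
    esac
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 4 ]; }; then
        echo "in-range"; return 0
    fi
    echo "out-of-range"; return 1
}

# fix_present <kernel-git-dir> -> exit 0 if commit a6dc643c6931 is an ancestor
# of HEAD. A missing object makes git fail, which we treat as "not present".
fix_present() {
    git -C "$1" merge-base --is-ancestor a6dc643c6931 HEAD 2>/dev/null
}

# Audit the running host; set KSRC to a kernel checkout to also check the fix.
host_kernel=$(uname -r)
echo "host kernel $host_kernel: $(kernel_in_range "$host_kernel")"
if [ -n "${KSRC:-}" ]; then
    if fix_present "$KSRC"; then
        echo "fix commit a6dc643c6931 present in $KSRC"
    else
        echo "fix commit a6dc643c6931 NOT present in $KSRC"
    fi
fi
```

Feed it the `uname -r` output collected from each host (or run it via your fleet tooling) and prioritize the `in-range` hosts whose distribution advisory does not yet list the fix.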

No Active Exploitation—Yet

As of publication, there's no evidence of in-the-wild exploitation, and CVE-2026-46242 hasn't been added to CISA's KEV catalog. But the public PoC and high reliability make weaponization likely. Threat actors have shown they can integrate kernel exploits into ransomware operations quickly, as seen with the BlueHammer vulnerability just this week.

Don't wait for active exploitation reports to patch. The window between public PoC and real-world attacks has collapsed to days in recent incidents.
