A newly disclosed Linux kernel flaw, nicknamed “Bad Epoll” and tracked as CVE-2026-46242, lets an unprivileged local user escalate to root. It affects Linux servers and desktops as well as Android devices.
The bug is a use-after-free (UAF) in the kernel’s epoll subsystem. ep_remove() clears file->f_ep while holding file->f_lock, but then keeps touching the file object inside the critical section, in hlist_del_rcu() and in the spin_unlock() that ends it. A concurrent __fput() that reads f_ep without taking the lock can observe the transient NULL, skip eventpoll_release_file(), and proceed straight to f_op->release while ep_remove() is still running. The result is a struct eventpoll that is freed while still in use, and with it kernel memory corruption. Because struct file lives in a SLAB_TYPESAFE_BY_RCU slab cache, the freed slot can be recycled by alloc_empty_file() while a stale reference is still live, which lets an attacker steer a kmem_cache_free() at an object belonging to the wrong slab cache.
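To make the ordering problem concrete, the following is an added, single-threaded toy model of the race described above; it is not kernel code and not the upstream fix. The struct and function names mirror the article’s, the “lock” is a flag stepped by hand so the interleaving is deterministic, and the stand-in release simply marks the object torn down rather than modelling which slab object is freed. The locked_check variant is an illustration of the general principle (do not trust a lock-free read of state that the other side publishes mid-critical-section), and is an assumption for this example, not a description of the maintainers’ patch.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model (added example, not kernel code) of a releaser that trusts a
 * lock-free read of f_ep while the remover is still inside its critical
 * section. One thread, hand-chosen interleaving, so the result is deterministic. */

struct eventpoll { int refs; };

struct file {
    struct eventpoll *f_ep;  /* NULL means "no epoll instance watches this file" */
    bool f_lock;             /* stand-in for file->f_lock */
    bool released;           /* set once the f_op->release stand-in has run */
    int stores_after_release; /* counts the post-release stores we want to catch */
};

/* f_op->release stand-in: the object is torn down from here on. */
static void do_release(struct file *f) { f->released = true; }

/* Remover side, step 1: take the lock and publish "unwatched" early. */
static void remove_step_clear(struct file *f)
{
    f->f_lock = true;          /* spin_lock(&file->f_lock) */
    f->f_ep = NULL;            /* visible to a lock-free reader right away */
}

/* Remover side, step 2: hlist_del_rcu() and spin_unlock() both store into *file. */
static void remove_step_unlink_and_unlock(struct file *f)
{
    if (f->released)
        f->stores_after_release += 2;   /* these would be use-after-free writes */
    f->f_lock = false;         /* spin_unlock(&file->f_lock) */
}

/* Releaser side (__fput stand-in). Returns false if it had to wait for the lock. */
static bool fput_step(struct file *f, bool locked_check)
{
    if (locked_check && f->f_lock)
        return false;          /* illustrative hardening: would spin; retry later */
    if (f->f_ep == NULL) {     /* buggy fast path trusts this read unconditionally */
        do_release(f);         /* eventpoll_release_file() skipped, release runs */
        return true;
    }
    return true;               /* f_ep set: eventpoll_release_file() path, omitted here */
}

/* Drive the bad interleaving: fput lands between the clear and the unlock.
 * Returns how many stores hit the object after it was released. */
int simulate(bool locked_check)
{
    struct eventpoll ep = { .refs = 1 };
    struct file f = { .f_ep = &ep };

    remove_step_clear(&f);
    bool done = fput_step(&f, locked_check);
    remove_step_unlink_and_unlock(&f);
    if (!done)
        fput_step(&f, locked_check);    /* retry after the remover is finished */
    return f.stores_after_release;
}

int main(void)
{
    printf("lock-free check: %d stores after release\n", simulate(false));
    printf("locked check:    %d stores after release\n", simulate(true));
    return 0;
}
```

With the lock-free check the remover performs two stores into an object whose release has already run; once the releaser refuses to act while the lock is held, the remover finishes first and the count drops to zero.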
Security researcher Jaeyoung Chung discovered and exploited the bug and submitted it as a zero-day to Google’s kernelCTF program, which pays $71,337 or more for working Linux kernel exploits. Unlike many Linux privilege-escalation bugs, Bad Epoll also reaches Android, because epoll is a core kernel component that cannot be disabled or unloaded, whereas other exploits often depend on optional modules.
Chung’s exploit is highly reliable, succeeding roughly 99% of the time on the tested targets. Although the race window is only about six instructions wide, the exploit widens it and can retry failed attempts without crashing the kernel.
The bug traces back to a 2023 kernel commit that inadvertently introduced two separate race conditions into the same roughly 2,500-line epoll code path. The first, CVE-2026-43074, was found by Anthropic’s AI model Mythos, an indication of how capable such systems are becoming at spotting kernel race conditions. Bad Epoll, the second and more elusive of the two, was not detected by Mythos, most likely because of its narrow timing window and the little runtime evidence it leaves: it rarely trips KASAN, the kernel’s primary memory-error detector.
The maintainers’ first fix was incomplete; a correct fix landed nearly two months after the initial disclosure. The exploit uses four epoll objects arranged as two pairs: closing one pair triggers the race, while the other pair serves as the victim object. A cross-cache attack then turns the resulting 8-byte UAF write into a UAF on a file object. From there the attacker obtains an arbitrary kernel memory read through /proc/self/fdinfo and hijacks control flow with a return-oriented programming (ROP) chain to get a root shell.
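The reason /proc/self/fdinfo is useful as a read channel is that the kernel prints epoll bookkeeping, including the caller-supplied 64-bit data word of each watched descriptor, back to user space in plain text. The following added example (not the researcher’s exploit code) shows the normal, benign form of that interface: it registers a pipe with a chosen data value and parses the resulting fdinfo lines. The helper names and the constructed data value 0xdeadbeefcafe are assumptions for this example; the line format is the one fs/eventpoll.c emits (tfd, events, data, pos, ino, sdev). It does not reproduce any corruption step.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/epoll.h>

/* Parse /proc/self/fdinfo/<epfd> and collect the (tfd, data) pairs the kernel
 * prints for each watched descriptor. Returns the number of entries, or -1 if
 * the fdinfo file could not be opened. Added example, not kernel or exploit code. */
int epoll_fdinfo_entries(int epfd, int *tfds, unsigned long long *datas, int max)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/self/fdinfo/%d", epfd);
    FILE *fp = fopen(path, "r");
    if (!fp)
        return -1;

    char line[256];
    int n = 0;
    while (n < max && fgets(line, sizeof line, fp)) {
        int tfd;
        unsigned events;
        unsigned long long data;
        /* Kernel format: "tfd: %8d events: %8x data: %16llx  pos:... ino:... sdev:..." */
        if (sscanf(line, "tfd: %d events: %x data: %llx", &tfd, &events, &data) == 3) {
            tfds[n] = tfd;
            datas[n] = data;
            n++;
        }
    }
    fclose(fp);
    return n;
}

/* Round trip: register one end of a pipe with a known data word and check that
 * fdinfo reflects exactly that fd and value. Returns 1 on success, 0 on mismatch,
 * -1 if epoll or /proc is unavailable. */
int fdinfo_roundtrip(void)
{
    const unsigned long long marker = 0xdeadbeefcafeULL;  /* constructed value */
    int pipefd[2];
    if (pipe(pipefd) < 0)
        return -1;
    int epfd = epoll_create1(0);
    if (epfd < 0)
        return -1;

    struct epoll_event ev = { .events = EPOLLIN, .data.u64 = marker };
    if (epoll_ctl(epfd, EPOLL_CTL_ADD, pipefd[0], &ev) < 0)
        return -1;

    int tfds[8];
    unsigned long long datas[8];
    int n = epoll_fdinfo_entries(epfd, tfds, datas, 8);

    int ok = (n == 1 && tfds[0] == pipefd[0] && datas[0] == marker);

    close(epfd);
    close(pipefd[0]);
    close(pipefd[1]);
    return n < 0 ? -1 : ok;
}

int main(void)
{
    int r = fdinfo_roundtrip();
    printf("fdinfo round trip: %s\n", r == 1 ? "data word reflected" :
                                      r == 0 ? "mismatch" : "unavailable");
    return r == 1 ? 0 : 1;
}
```

The data field is whatever user space stored in the epitem, so an epitem whose contents an attacker controls through a stale file reference turns this readout into a leak of kernel memory; the example only shows the legitimate side of that channel.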
Because epoll underpins core operating-system and browser functionality, it cannot be disabled without breaking a great deal of software, so there is no viable workaround. Administrators should apply the upstream patch or install their distribution’s backport as soon as it is available.
The discovery of the Bad Epoll vulnerability underscores the critical importance of rigorous code review and testing in kernel development. It also highlights the necessity for prompt and effective patching strategies to address such vulnerabilities, especially those that can be exploited across diverse platforms, including both Linux servers and Android devices.