New ‘Bad Epoll’ Linux Kernel Flaw Grants Root Access, Affects Android

A recently disclosed vulnerability in the Linux kernel, identified as CVE-2026-46242 and dubbed ‘Bad Epoll,’ allows unprivileged users to escalate their privileges to root. This flaw impacts a wide range of systems, including Linux desktops, servers, and Android devices. A patch has been released to address this issue.

The vulnerability resides in the epoll subsystem, a core component of the Linux kernel that enables applications to monitor multiple file descriptors efficiently. Epoll is integral to the performance of servers, network services, and web browsers, making it a critical feature that cannot be easily disabled.

‘Bad Epoll’ is classified as a use-after-free bug, occurring when two kernel components simultaneously attempt to free the same memory object. This concurrent action can lead to memory corruption, providing an avenue for attackers to execute arbitrary code with elevated privileges. Exploiting this flaw requires precise timing, as the window for the race condition is extremely narrow—approximately six machine instructions. However, security researcher Jaeyoung Chung developed an exploit that reliably widens this window, achieving root access with a 99% success rate on tested systems.

Notably, this vulnerability can be triggered from within Chrome’s renderer sandbox, a security mechanism designed to isolate web content and prevent it from affecting the underlying system. Additionally, ‘Bad Epoll’ extends to Android devices, a platform typically resistant to many Linux privilege escalation exploits.

The origin of this flaw traces back to a 2023 modification in the epoll code. Interestingly, Anthropic’s AI model, Mythos, previously identified a related bug in the same code segment, now tracked as CVE-2026-43074. While Mythos successfully detected the initial flaw, it missed ‘Bad Epoll.’ Chung suggests two potential reasons for this oversight: the minuscule timing window makes the sequence of events challenging to discern, and the lack of runtime evidence means the kernel’s bug detection mechanisms, such as KASAN, often fail to flag the issue.

Given the critical role of epoll in system operations, disabling it is not a viable workaround. Users are strongly advised to apply the upstream commit a6dc643c6931 or install the relevant patches provided by their Linux distribution. Systems running kernel versions 6.4 or newer are affected unless they have incorporated the fix. Older kernels based on version 6.1, including those on certain Android devices like the Pixel 8, remain unaffected because the vulnerability was introduced in version 6.4.
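The version rule above lends itself to a quick fleet triage. The shell sketch below is an added example, not code from the article or the kernel project; the function names and the sample inventory are constructed. A `needs-check` result only means the release is 6.4 or newer, so the presence of the fix still has to be confirmed against the distribution's advisory or changelog.

```shell
#!/bin/sh
# Added example: triage kernel release strings against the range given in
# the article (6.4 and newer affected unless fixed; 6.1-based unaffected).
# Function names and sample hosts are hypothetical.

# classify_kernel RELEASE prints:
#   not-affected  release is older than 6.4, where the flaw was introduced
#   needs-check   6.4 or newer: confirm upstream commit a6dc643c6931 or a
#                 distro backport is present (version alone cannot tell)
#   unknown       release string could not be parsed
classify_kernel() {
    ver=${1%%-*}                      # drop "-45-generic", "-android14-..."
    case $ver in
        *.*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}           # tolerate suffixes such as "4+"
    case $major in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case $minor in '') echo unknown; return 0 ;; esac
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 4 ]; }; then
        echo needs-check
    else
        echo not-affected
    fi
}

# triage_inventory reads "host kernel-release" lines on stdin.
triage_inventory() {
    while read -r host rel; do
        [ -n "$host" ] || continue
        printf '%s %s %s\n' "$host" "$rel" "$(classify_kernel "$rel")"
    done
}

# Constructed sample inventory, e.g. collected with `uname -r` per host.
triage_inventory <<'EOF'
web01 6.8.0-45-generic
pixel8 6.1.75-android14-11-g0123abc
build02 5.15.0-122-generic
lab03 6.4.0-rc1+
EOF
```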

This discovery adds to a series of recent Linux kernel vulnerabilities, including ‘Copy Fail’ (CVE-2026-31431), ‘Dirty Frag,’ ‘Fragnesia,’ ‘DirtyClone,’ and ‘pedit COW.’ The prevalence of such flaws underscores the importance of continuous vigilance and prompt patching in maintaining system security.

The emergence of ‘Bad Epoll’ highlights the persistent challenges in securing complex kernel code, especially with the increasing sophistication of exploitation techniques. It also raises questions about the current capabilities of AI-driven code analysis tools in identifying subtle, timing-dependent vulnerabilities. As attackers continue to refine their methods, the security community must advance detection and mitigation strategies to stay ahead.