A newly disclosed Linux kernel flaw dubbed “Bad Epoll” (CVE-2026-46242) allows an unprivileged local user to escalate to root on Linux servers, desktops, and Android devices by exploiting a race condition and a use-after-free (UAF) in the kernel’s epoll subsystem.
Bad Epoll is a UAF vulnerability in ep_remove(), which clears file->f_ep under file->f_lock but continues using the file object inside the critical section during hlist_del_rcu() and spin_unlock().
A concurrent __fput() call can observe a transient NULL value, skip eventpoll_release_file(), and proceed straight to f_op->release, freeing a watched struct eventpoll that is still in use, corrupting kernel memory. Because struct file is SLAB_TYPESAFE_BY_RCU, the freed slot can also be recycled by alloc_empty_file(), letting an attacker trigger a kmem_cache_free() against the wrong slab cache.
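The pattern described above, "clear the back-pointer under the lock, then keep using the object inside the same critical section while a lockless reader treats NULL as 'nothing to release'", is easier to see in a user-space model. The following is an added example, not kernel code, not Chung's exploit and not the upstream patch. It borrows the names f_ep, f_lock, ep_remove and __fput from the article, but the structs, the two-thread scheduling with semaphores, and the hardened variant (having the __fput side test f_ep under f_lock) are constructed assumptions made to illustrate the ordering problem; release is modelled as a flag so that a use-after-free is counted rather than crashing the process.

```c
/*
 * Added example (not kernel code, not the upstream fix): a user-space model of
 * the race pattern described in the article. The "ep_remove" thread clears
 * file->f_ep under f_lock but keeps touching the eventpoll inside the critical
 * section; the "__fput" thread tests f_ep and, seeing NULL, releases the
 * eventpoll. Freeing is modelled by a flag so the use-after-free can be
 * counted instead of corrupting memory. Names mirror the article; the structs
 * and the lock-based check in the hardened variant are constructed assumptions.
 */
#include <pthread.h>
#include <semaphore.h>
#include <stdbool.h>
#include <stdio.h>

struct eventpoll {
    bool freed;            /* set by the modelled f_op->release instead of free() */
    int uses_after_free;   /* incremented whenever a released object is touched */
};

struct file {
    pthread_mutex_t f_lock;
    struct eventpoll *f_ep;
};

struct race {
    struct file f;
    struct eventpoll ep;
    bool check_under_lock; /* hardened variant: __fput tests f_ep under f_lock */
    sem_t cleared;         /* signalled once ep_remove has cleared f_ep */
    sem_t checked;         /* signalled once __fput has finished its test */
};

/* Model of the remaining work on the object (hlist_del_rcu() and friends). */
static void touch(struct eventpoll *ep)
{
    if (ep->freed)
        ep->uses_after_free++;
}

/* Model of f_op->release: after this the object must not be touched. */
static void release_eventpoll(struct eventpoll *ep)
{
    ep->freed = true;
}

static void *ep_remove_thread(void *arg)
{
    struct race *r = arg;
    struct eventpoll *ep = r->f.f_ep;

    pthread_mutex_lock(&r->f.f_lock);
    r->f.f_ep = NULL;                 /* back-pointer cleared first ...        */
    sem_post(&r->cleared);
    if (!r->check_under_lock)
        sem_wait(&r->checked);        /* force the lockless __fput in between   */
    touch(ep);                        /* ... but the object is still used here */
    pthread_mutex_unlock(&r->f.f_lock);
    return NULL;
}

static void *fput_thread(void *arg)
{
    struct race *r = arg;

    sem_wait(&r->cleared);
    if (r->check_under_lock)
        pthread_mutex_lock(&r->f.f_lock); /* cannot observe a mid-section state */
    if (r->f.f_ep == NULL)                /* transient NULL: skip release_file()  */
        release_eventpoll(&r->ep);        /* and go straight to f_op->release     */
    if (r->check_under_lock)
        pthread_mutex_unlock(&r->f.f_lock);
    sem_post(&r->checked);
    return NULL;
}

/* Runs one interleaving; returns how often a released eventpoll was touched. */
int run_race(bool check_under_lock)
{
    struct race r = { .check_under_lock = check_under_lock };
    pthread_t a, b;

    r.ep.freed = false;
    r.ep.uses_after_free = 0;
    r.f.f_ep = &r.ep;
    pthread_mutex_init(&r.f.f_lock, NULL);
    sem_init(&r.cleared, 0, 0);
    sem_init(&r.checked, 0, 0);

    pthread_create(&b, NULL, fput_thread, &r);
    pthread_create(&a, NULL, ep_remove_thread, &r);
    pthread_join(a, NULL);
    pthread_join(b, NULL);

    sem_destroy(&r.cleared);
    sem_destroy(&r.checked);
    pthread_mutex_destroy(&r.f.f_lock);
    return r.ep.uses_after_free;
}

int main(void)
{
    printf("lockless f_ep check : %d use(s) after release\n", run_race(false));
    printf("f_ep check under lock: %d use(s) after release\n", run_race(true));
    return 0;
}
```

The model pins the interleaving with semaphores, so it reproduces the bad ordering every run instead of relying on a timing window. The point for reviewers of locking code is the invariant, not the specific fix: once a pointer is published as NULL, every reader that treats NULL as "safe to release" must be unable to observe that state while the writer still holds uses of the object. Serialising the reader under the same lock is one way to restore that; finishing all uses before clearing the pointer, or holding a reference across the clear, are others, and which one the kernel maintainers chose is not stated on this page.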
The bug was discovered and exploited by researcher Jaeyoung Chung, who submitted it as a zero-day to Google’s kernelCTF program, which pays out $71,337 or more for working Linux kernel exploits.
Unlike most Linux privilege-escalation bugs, Bad Epoll can root Android because epoll is a core kernel component that cannot be disabled or unloaded, unlike optional modules exploited by bugs such as Copy Fail.

Bad Epoll Vulnerability Allows Root Access
It is also reachable from inside Chrome’s renderer sandbox, raising the possibility of chaining a renderer exploit with Bad Epoll for full kernel code execution. Despite a race window only about six instructions wide, Chung’s exploit widens the window and retries without crashing the kernel, achieving roughly 99% reliability on tested targets.

A single 2023 kernel commit introduced two separate race conditions into the same 2,500-line epoll code path. The first, CVE-2026-43074, was discovered by Anthropic’s AI model Mythos, demonstrating frontier AI’s growing capability to find kernel race bugs.
Bad Epoll was the second, harder-to-spot flaw that Mythos missed, likely because of its narrow timing window and the fact that it rarely triggers KASAN, the kernel’s primary memory-error detector, leaving little runtime evidence behind. The maintainers’ first patch attempt did not fully resolve the issue, and a correct fix landed nearly two months after initial disclosure.
The exploit uses four epoll objects grouped into two pairs; closing one pair triggers the race while the other becomes the victim object, turning an 8-byte UAF write into a UAF on a file object via a cross-cache attack.
From there, the attacker gains arbitrary kernel memory read access through /proc/self/fdinfo and hijacks control flow with a return-oriented programming (ROP) chain to obtain a root shell.
Because epoll cannot be disabled without breaking core OS and browser functionality, there is no workaround; administrators must apply the upstream patch or await a distribution backport.
Guru Baran (https://cybersecuritynews.com)
Gurubaran KS is a cybersecurity analyst and journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.