DEV Community

Etairos.ai
Etairos.ai

Posted on • Originally published at threat-intelligence.redeyesecurity.com

Bad Epoll (CVE-2026-46242): Unprivileged-to-Root Linux Kernel Bug Hits Servers, Desktops, and Android

TL;DR

  • what: Researcher Jaeyoung Chung disclosed Bad Epoll (CVE-2026-46242), a use-after-free race in the Linux kernel epoll subsystem that escalates an unprivileged local user to root.
  • impact: The proof-of-concept reaches root about 99% of the time, can be triggered from inside Chrome's renderer sandbox, and reaches Android, which most Linux privilege bugs cannot.
  • fix: Apply upstream commit a6dc643c6931 (or your distribution's backport when it lands); there is no workaround because epoll cannot be disabled.
  • who: Linux desktops, servers, and Android devices running kernels built on 6.4 or newer that lack the fix; 6.1-based kernels such as the Pixel 8 are not affected.

A newly disclosed Linux kernel flaw called Bad Epoll (CVE-2026-46242) lets an ordinary user with no special privileges take full control of a machine as root. It affects Linux desktops, servers, and Android. Researcher Jaeyoung Chung found the bug, built a working exploit, and submitted it as a zero-day to Google's kernelCTF program. A fix is out. There is no workaround, because the affected feature cannot be turned off.

On tested systems, Chung's exploit reaches root about 99% of the time. Two properties make it worse than the average local privilege escalation: by his account it can be triggered from inside Chrome's renderer sandbox, which blocks almost every other kernel bug, and it reaches Android, which most Linux privilege bugs cannot. An Android version of the exploit is still in progress.

How the bug works

Epoll is a standard Linux facility that lets a program watch many files or network connections at once. Servers, network services, and web browsers all lean on it heavily. You cannot simply disable it. Bad Epoll is a use-after-free: two parts of the kernel try to clean up the same internal object at the same time. One frees the memory while the other is still writing into it. That collision lets an attacker corrupt kernel memory and then climb from a normal account to root.

The catch is timing. The window where the two paths collide is only about six machine instructions wide, so a random attempt almost never lands in it. Chung's exploit widens that window and retries without crashing, which is what pushes the success rate to roughly 99%. Full technical details are in his public writeup.

⚠️ No workaround exists — Epoll cannot be turned off, so there is no configuration change or mitigation to buy time. Patching is the only defense. Apply upstream commit a6dc643c6931, or install your distribution's backport when it lands.

What is affected

The bug arrived in a single 2023 change to the epoll code. Kernels built on 6.4 or newer are affected unless they already carry the fix. Older 6.1-based kernels are not, because the vulnerable code did not yet exist. That spares some Android phones, including the Pixel 8, which ships on a 6.1 kernel.

  • Affected: Linux desktops, servers, and Android on kernel 6.4 or newer without the fix
  • Not affected: kernels based on 6.1 or older, including Pixel 8
  • Exploitable from inside the Chrome renderer sandbox, per the researcher
  • Reaches Android, unlike most Linux privilege-escalation bugs

The AI angle: found one, missed its sibling

Bad Epoll sits in the same small stretch of kernel code where Anthropic's Mythos model recently found a different bug, now tracked as CVE-2026-43074, with a fix landing earlier in 2026. The AI caught that flaw and missed this one. Finding the first was a genuine result, because race-condition bugs are notoriously hard to spot. Chung offers two likely reasons the sibling slipped through, while cautioning that no one can be certain: the timing window is so small the exact sequence is hard to picture even while staring at the code, and once the first bug is patched, Bad Epoll's memory error usually does not trip KASAN, the kernel's main bug detector, so nothing flags it.

Exploited in the wild?

There is no sign of real-world abuse as of this writing. Bad Epoll is not on CISA's Known Exploited Vulnerabilities list, and the only working code is the kernelCTF proof-of-concept. That is not a reason to wait. The PoC is public, it is highly reliable, and the two-month gap between the first, incomplete patch and a correct one shows how easy it is to leave this class of bug half-fixed.

Context: a busy stretch for Linux kernel bugs

Bad Epoll joins a well-known family used to root Android, following Bad Binder, Bad IO_uring, and Bad Spin. It lands alongside a run of other recent privilege flaws, though most work differently. Copy Fail (CVE-2026-31431) is already on CISA's KEV list, and the Dirty Frag chain, Fragnesia, DirtyClone, and pedit COW followed. Those are deterministic page-cache-write bugs with no race to win, which makes them more reliable. Bad Epoll is the older, harder kind: a race you have to win, like Dirty Cow in 2016.

Action for defenders — Inventory kernels by base version. Prioritize patching anything on 6.4 or newer, especially browser-facing desktops and multi-tenant servers where a local user reaching root is the whole game. Track your distribution's backport and your Android vendor's next security bulletin.

The takeaway for security teams: race conditions are hard at every stage. Hard to find, even for a leading AI. Hard to fix, since the first patch fell short and a correct one took about two months. And hard to exploit, through a window only six instructions wide. For now, the bug an AI walks past is still the one a person has to catch, and the person who caught this one reaches root nearly every time.


Originally published on RedEye Threat Intelligence.

Top comments (0)