Mastodon Mastodon Mastodon Mastodon

CVE-2026-46242 Bad Epoll: Local Root via Linux epoll Race

Photo of author

CyberSecureFox Editorial Team

Published:

A vulnerability CVE-2026-46242 has been discovered in the Linux kernel’s epoll subsystem, dubbed Bad Epoll. It is a use-after-free bug that allows a local unprivileged user to escalate privileges to root. Kernels version 6.4 and newer are affected—desktops, servers and, reportedly, Android. A public proof-of-concept is available, but there are no signs of exploitation in real-world attacks. The vulnerability is not included in the CISA KEV catalog. A patch has already been released—administrators should apply it without delay.

Technical details of the vulnerability

Epoll is the standard Linux kernel mechanism for I/O multiplexing, used by web servers, network services and browsers. It cannot be disabled, which rules out workarounds.

According to researcher Jaeyoung Chung, who published a detailed technical analysis, the issue is that two cleanup paths in the kernel access the same internal object at the same time. One path frees the memory while the other is still writing data into it. This is a classic race condition that leads to kernel memory corruption and enables privilege escalation.

The key technical characteristics described by the researcher are:

  • Type of vulnerability: use-after-free in the epoll subsystem
  • Attack vector: local, does not require special privileges
  • Race window: estimated by the researcher at about six machine instructions
  • Exploit reliability: according to Chung, reaches roughly 99% on test systems thanks to techniques for widening the race window and retrying without crashing the system
  • Affected versions: Linux kernels built on 6.4 and newer without the patch applied
  • Unaffected versions: kernels based on 6.1, since the vulnerable code first appeared in 6.4

According to the researcher, the exploit can presumably be run from the Chrome renderer sandbox, which blocks most other kernel vulnerabilities. An Android exploit is reportedly under development. Both of these claims are based on the work of a single researcher and have not been independently confirmed.

Origin and connection to AI research

Both vulnerabilities—CVE-2026-46242 (Bad Epoll) and the related CVE-2026-43074—trace back to a single change in the epoll code made in 2023. According to Chung, the first of the two bugs (CVE-2026-43074) was found by Anthropic’s Mythos model, and a fix for it was released earlier in 2026. Anthropic reported discovering Linux kernel privilege-escalation vulnerabilities with its models, although the company has not publicly made a direct connection to Bad Epoll.

The second vulnerability—Bad Epoll itself—was not found by AI. Chung suggests two reasons: an extremely narrow race window, which makes it hard to model the exact sequence of events even when analyzing the code, and the lack of clear runtime signals—after the first bug was fixed, memory corruption from Bad Epoll generally no longer trips KASAN (the main kernel bug detector).

This case is illustrative: race conditions remain one of the most difficult classes of bugs to analyze, both automatically and manually.

Context: wave of Linux kernel vulnerabilities in 2026

Bad Epoll continues the series of Linux kernel privilege-escalation vulnerabilities used to gain root on Android: Bad Binder, Bad IO_uring, Bad Spin. In parallel, 2026 also saw the disclosure of other serious kernel vulnerabilities — CVE-2026-31431 (Copy Fail), as well as the exploit chains Dirty Frag, Fragnesia, DirtyClone and pedit COW. Most of these are deterministic page cache write bugs that do not require winning a race, which makes them more reliable to exploit.

It is also worth mentioning CVE-2026-31694—a vulnerability in the Linux kernel’s FUSE filesystem code, for which a public PoC is likewise available. A local user with access to FUSE can mount a malicious filesystem and cause memory corruption. This vulnerability primarily threatens servers and containerized environments where access to FUSE through user namespaces is standard practice.

Impact assessment

The highest risk is faced by:

  • Servers with multi-user access and 6.4+ kernels, where an unprivileged user can gain full control
  • Container environments, where escaping a container through a kernel vulnerability compromises the entire host
  • Android devices running 6.4+ kernels—although an Android exploit is still under development, the attack vector itself is applicable
  • Workstations, where malicious code run as a regular user can escalate privileges

The availability of a public PoC with reportedly high reliability increases the likelihood that real-world exploits will appear in the near future.

Recommendations

  1. Apply the patch. Install upstream commit a6dc643c6931 or wait for your distribution’s backport. This is the only effective measure—there are no workarounds, since epoll cannot be disabled.
  2. Check your kernel version. Kernels 6.4 and newer without the patch are vulnerable. Kernels based on 6.1 are not affected.
  3. Limit local access. Until the patch is applied, minimize the number of users with shell access on critical servers.
  4. Monitoring. Track anomalous epoll calls and privilege-escalation attempts. Keep in mind that KASAN may not catch this bug after the CVE-2026-43074 patch.
  5. Priority: high. Public PoC with high reported reliability, broad attack surface, no workarounds.

The Bad Epoll vulnerability is a local privilege escalation via a race condition in a fundamental kernel subsystem that cannot be turned off. Given the existence of a public PoC and a reported reliability of about 99%, the only effective response is to immediately update the kernel to a version that includes commit a6dc643c6931. Organizations running 6.4+ kernels on servers, in containers, or on Android devices should include this patch in their next update cycle.


CyberSecureFox Editorial Team

The CyberSecureFox Editorial Team covers cybersecurity news, vulnerabilities, malware campaigns, ransomware activity, AI security, cloud security, and vendor security advisories. Articles are prepared using official advisories, CVE/NVD data, CISA alerts, vendor publications, and public research reports. Content is reviewed before publication and updated when new information becomes available.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.