Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. New 'Bad Epoll' Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android
New 'Bad Epoll' Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android
NEWS

New 'Bad Epoll' Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android

A use-after-free bug in the Linux kernel's epoll subsystem — CVE-2026-46242 — lets any local user escalate to root on Linux 6.4+ with ~99% reliability. A...

Dylan H.

News Desk

July 4, 2026
5 min read

What Happened

A critical local privilege escalation vulnerability nicknamed "Bad Epoll" has been disclosed in the Linux kernel's epoll subsystem. Tracked as CVE-2026-46242, the flaw allows any unprivileged local user to escalate to root on affected systems — with a publicly available proof-of-concept achieving success approximately 99% of the time without crashing the kernel.

Key Facts at a Glance

DetailValue
CVECVE-2026-46242
NicknameBad Epoll
TypeUse-after-free → Local Privilege Escalation
AffectedLinux kernel 6.4 and newer
Android impactPixel 8+ (kernel 6.6+)
Patch commita6dc643c6931
Public PoCYes — ~99% reliable root
Wild exploitationNot observed at disclosure

Technical Background

The Vulnerable Code

The bug stems from a race condition introduced in a 2023 modification to the epoll subsystem. Two kernel code paths can attempt to clean up the same internal epitem object simultaneously:

Path A: free(epitem)   ← frees the object
Path B: write(epitem)  ← continues writing to now-freed memory
                            ↑ Use-After-Free

This classic UAF creates memory corruption that a local attacker can exploit to gain kernel-level code execution — and therefore root access.

The Exploitation Technique

The race condition window is extremely narrow — approximately six machine instructions wide — which would normally make exploitation unreliable. Researcher Jaeyoung Chung solved this by developing a technique that artificially widens the timing window and implements intelligent retry logic, achieving root access in ~99% of test runs.

The exploit was derived from a kernelCTF submission and is publicly available, significantly raising the urgency of patching.


Why This Is Especially Concerning

Chrome Sandbox Escape

Unlike most kernel LPE bugs that require an existing local shell, CVE-2026-46242 can reportedly be triggered from within a Chrome renderer sandbox. This creates a two-stage attack chain where a browser exploitation primitive (e.g., a renderer compromise via a web vulnerability) can chain directly to full system root — no shell access required from the victim's perspective.

Android Exposure

Devices running Linux kernel 6.4 or newer are affected, which includes modern Android flagships. The Pixel 8 and newer devices (running kernel 6.6) fall into the affected range. A Pixel-specific exploit adaptation is reportedly in development. Notably, devices on the 6.1 LTS kernel branch — including older Pixels — predate the faulty 2023 commit and are not affected.

AI-Assisted Discovery

A related earlier flaw — CVE-2026-43074 — was discovered by Anthropic's Mythos AI model. Both bugs trace to the same 2023 epoll code change, suggesting the modification introduced a family of related memory safety issues that AI-assisted fuzzing and analysis was able to surface.


Affected Systems

PlatformKernelAffected
Linux desktop/server6.4+Yes
Linux desktop/server6.1 LTS branchNo
Android Pixel 8+6.6Yes
Android Pixel 7 and older6.1No
Container hosts (Docker/K8s) with host kernel 6.4+—Yes (if user can exec)

Remediation

Apply the Kernel Patch

The upstream fix is commit a6dc643c6931. Major distributions are backporting this to their supported kernel versions. Apply updates as they become available:

# Debian/Ubuntu
sudo apt update && sudo apt upgrade linux-image-$(uname -r)
 
# RHEL/Fedora
sudo dnf update kernel
 
# Arch Linux
sudo pacman -Syu linux
 
# Verify running kernel version after update
uname -r

Android Devices

Monitor for a July 2026 Android security update from your device OEM. For Pixel devices, security patches are delivered via Google's monthly patch cycle and through Google Play system updates.

Interim Mitigations

While patching, consider these mitigations for high-risk multi-tenant environments:

# Restrict user namespaces (reduces attack surface, may break containers)
sysctl -w kernel.unprivileged_userns_clone=0
 
# Enable kernel lockdown if available
# (requires Secure Boot on some distros)
echo integrity > /sys/kernel/security/lockdown

Note: These mitigations may break containerized workloads. Test in non-production environments first.


Detection

Since no in-the-wild exploitation has been observed at time of disclosure, focus on:

  1. Audit kernel versions across your fleet — any system on 6.4+ is in scope
  2. Monitor for unusual privilege escalation — unexpected root processes spawned from user sessions
  3. Watch for the PoC — the public exploit may be weaponized; ensure EDR/auditd coverage on epoll syscalls
# Check running kernel version
uname -r
 
# Check for available updates
apt list --upgradable 2>/dev/null | grep linux-image
# or
dnf check-update kernel

Sources

  • The Hacker News — New "Bad Epoll" Linux Kernel Flaw
  • NIST NVD — CVE-2026-46242
  • Linux Kernel Security — patch commit a6dc643c6931

Related Reading

  • North Korea npm Packages Target Developer Secrets
  • Android March 2026 Patches 129 Flaws Including Qualcomm Zero-Day
#CVE#Linux#Android#Privilege Escalation#Kernel#Security Updates

Related Articles

New Linux 'Dirty Frag' Zero-Day Gives Root on All Major

A new unpatched Linux zero-day exploit dubbed 'Dirty Frag' allows local attackers to gain root privileges on virtually all major Linux distributions with...

4 min read

CISA Adds Actively Exploited Linux Root Access Bug

The U.S. Cybersecurity and Infrastructure Security Agency has added CVE-2026-31431, a Linux kernel privilege escalation flaw enabling root access, to its...

4 min read

Critical Unpatched GNU Telnetd Flaw (CVE-2026-32746)

Researchers have disclosed a critical unauthenticated remote code execution vulnerability in the GNU InetUtils telnet daemon (telnetd). CVE-2026-32746...

7 min read
Back to all News