What Happened
A critical local privilege escalation vulnerability nicknamed "Bad Epoll" has been disclosed in the Linux kernel's epoll subsystem. Tracked as CVE-2026-46242, the flaw allows any unprivileged local user to escalate to root on affected systems — with a publicly available proof-of-concept achieving success approximately 99% of the time without crashing the kernel.
Key Facts at a Glance
| Detail | Value |
|---|---|
| CVE | CVE-2026-46242 |
| Nickname | Bad Epoll |
| Type | Use-after-free → Local Privilege Escalation |
| Affected | Linux kernel 6.4 and newer |
| Android impact | Pixel 8+ (kernel 6.6+) |
| Patch commit | a6dc643c6931 |
| Public PoC | Yes — ~99% reliable root |
| Wild exploitation | Not observed at disclosure |
Technical Background
The Vulnerable Code
The bug stems from a race condition introduced in a 2023 modification to the epoll subsystem. Two kernel code paths can attempt to clean up the same internal epitem object simultaneously:
Path A: free(epitem) ← frees the object
Path B: write(epitem) ← continues writing to now-freed memory
↑ Use-After-FreeThis classic UAF creates memory corruption that a local attacker can exploit to gain kernel-level code execution — and therefore root access.
The Exploitation Technique
The race condition window is extremely narrow — approximately six machine instructions wide — which would normally make exploitation unreliable. Researcher Jaeyoung Chung solved this by developing a technique that artificially widens the timing window and implements intelligent retry logic, achieving root access in ~99% of test runs.
The exploit was derived from a kernelCTF submission and is publicly available, significantly raising the urgency of patching.
Why This Is Especially Concerning
Chrome Sandbox Escape
Unlike most kernel LPE bugs that require an existing local shell, CVE-2026-46242 can reportedly be triggered from within a Chrome renderer sandbox. This creates a two-stage attack chain where a browser exploitation primitive (e.g., a renderer compromise via a web vulnerability) can chain directly to full system root — no shell access required from the victim's perspective.
Android Exposure
Devices running Linux kernel 6.4 or newer are affected, which includes modern Android flagships. The Pixel 8 and newer devices (running kernel 6.6) fall into the affected range. A Pixel-specific exploit adaptation is reportedly in development. Notably, devices on the 6.1 LTS kernel branch — including older Pixels — predate the faulty 2023 commit and are not affected.
AI-Assisted Discovery
A related earlier flaw — CVE-2026-43074 — was discovered by Anthropic's Mythos AI model. Both bugs trace to the same 2023 epoll code change, suggesting the modification introduced a family of related memory safety issues that AI-assisted fuzzing and analysis was able to surface.
Affected Systems
| Platform | Kernel | Affected |
|---|---|---|
| Linux desktop/server | 6.4+ | Yes |
| Linux desktop/server | 6.1 LTS branch | No |
| Android Pixel 8+ | 6.6 | Yes |
| Android Pixel 7 and older | 6.1 | No |
| Container hosts (Docker/K8s) with host kernel 6.4+ | — | Yes (if user can exec) |
Remediation
Apply the Kernel Patch
The upstream fix is commit a6dc643c6931. Major distributions are backporting this to their supported kernel versions. Apply updates as they become available:
# Debian/Ubuntu
sudo apt update && sudo apt upgrade linux-image-$(uname -r)
# RHEL/Fedora
sudo dnf update kernel
# Arch Linux
sudo pacman -Syu linux
# Verify running kernel version after update
uname -rAndroid Devices
Monitor for a July 2026 Android security update from your device OEM. For Pixel devices, security patches are delivered via Google's monthly patch cycle and through Google Play system updates.
Interim Mitigations
While patching, consider these mitigations for high-risk multi-tenant environments:
# Restrict user namespaces (reduces attack surface, may break containers)
sysctl -w kernel.unprivileged_userns_clone=0
# Enable kernel lockdown if available
# (requires Secure Boot on some distros)
echo integrity > /sys/kernel/security/lockdownNote: These mitigations may break containerized workloads. Test in non-production environments first.
Detection
Since no in-the-wild exploitation has been observed at time of disclosure, focus on:
- Audit kernel versions across your fleet — any system on 6.4+ is in scope
- Monitor for unusual privilege escalation — unexpected root processes spawned from user sessions
- Watch for the PoC — the public exploit may be weaponized; ensure EDR/auditd coverage on epoll syscalls
# Check running kernel version
uname -r
# Check for available updates
apt list --upgradable 2>/dev/null | grep linux-image
# or
dnf check-update kernelSources
- The Hacker News — New "Bad Epoll" Linux Kernel Flaw
- NIST NVD — CVE-2026-46242
- Linux Kernel Security — patch commit a6dc643c6931