A newly disclosed Linux kernel vulnerability, tracked as CVE-2026-46242 and dubbed “Bad Epoll,” allows unprivileged users to gain full root access on affected Linux systems, spanning desktops, servers, and Android devices.
The flaw resides in the epoll subsystem, a standard Linux feature that enables programs to monitor multiple file descriptors and network connections simultaneously. Web servers, database engines, and network services all rely heavily on epoll for efficient I/O handling, making the component ubiquitous across Linux deployments.
The bug that says yes when it should say no
Bad Epoll is a use-after-free vulnerability that occurs when two kernel code paths attempt to clean up the same internal object concurrently. One frees the memory while the other continues writing into it, creating a brief collision window that an attacker can exploit to corrupt kernel memory and escalate privileges from an ordinary user account to root.
The timing window during which the exploit must land spans roughly six CPU instructions, making random exploitation attempts unlikely to succeed. Researcher Jaeyoung Chung, who discovered the flaw and developed a working proof of concept, devised a method to widen this window and retry without crashing the system, achieving root privileges approximately 99 percent of the time on tested configurations.
From server rooms to your pocket
Security researchers have flagged two characteristics that elevate the severity of this vulnerability. First, the exploit can be triggered from within Chrome’s renderer sandbox, which typically blocks most kernel-level bugs. Second, unlike many Linux privilege escalation flaws, Bad Epoll can reach Android devices, significantly expanding its potential impact surface.
Chung submitted the flaw as a zero-day through Google’s kernelCTF program and published full technical details in a proof-of-concept exploit. Notably, the vulnerability sits in the same epoll code region where Anthropic’s Claude AI model recently discovered a separate critical bug, underscoring how even advanced AI-assisted code auditing missed this particular attack path.
What to patch and how fast
A kernel patch addressing CVE-2026-46242 has been released and is being rolled out across major Linux distributions. System administrators are urged to apply the update promptly. There is currently no evidence of exploitation in the wild, and the vulnerability has not been added to CISA’s Known Exploited Vulnerabilities catalog as of this writing. An Android-specific exploit remains in development.
Organizations running Linux servers, containers, or Android devices should monitor their distribution’s security advisories and prioritize kernel updates. Given the availability of a working proof of concept, exploitation attempts are considered likely once the window for patching narrows.
