TL;DR
Two Linux kernel flaws now have public proof-of-concept exploit code and full technical write-ups. Bad Epoll (CVE-2026-46242) lets an unprivileged user gain root. A second bug, CVE-2026-53362, escapes a container to host root on RHEL and CentOS 10. Both are fixed upstream.
Why It Matters
Epoll is a core Linux feature. Servers, network services, and browsers all rely on it, so you cannot switch it off. As a result, Bad Epoll exposes a huge attack surface across desktops, servers, and Android.
The threat is not merely theoretical. On July 14, a Debian administrator reported a compromised webhost on the oss-security list. The host was rooted, and it ran a kernel missing these exact fixes. So which exploit got in?
That question stays open. Responders noted the attacker likely ran several exploits, and few useful traces remained. Therefore no single flaw was confirmed as the entry point. Even so, the incident shows these bugs matter in the real world.
How the Attacks Work
Bad Epoll (CVE-2026-46242)
Bad Epoll is a use-after-free race condition. During cleanup in the kernel’s epoll teardown path, one close operation frees an object while another still writes to it. That collision corrupts kernel memory and opens a path to root.
The race window is tiny, only about six instructions wide. Therefore, a random attempt almost never lands. However, the researcher’s exploit widens that window and retries without crashing. On tested systems, it reaches root roughly 99% of the time. By his account, it can also fire from inside Chrome’s renderer sandbox and reach Android.
IPv6 Frag Escape (CVE-2026-53362)
This flaw rides a now-fixed IPv6 fragmentation bug in the kernel’s packet handling. At a high level, an overflow chains into a page use-after-free. From an unprivileged process inside a network-isolated container, it reaches an interactive root shell on the host. The published code targets CentOS and RHEL 10 only.
Exploitation Status
Public proof-of-concept exploit code exists for both flaws, and full technical details are disclosed. That much is confirmed. Yet no confirmed in-the-wild exploitation has been established. Bad Epoll does not appear on CISA’s Known Exploited Vulnerabilities list, and the researcher states there is no sign of real-world use beyond the kernelCTF proof of concept. The webhost compromise noted above remains an unattributed incident, not proof that either CVE was used.
An AI Research Footnote
Bad Epoll shares a code path with a sibling bug, CVE-2026-43074. Reporting credits Anthropic’s Mythos model with finding that first flaw earlier in 2026. The same model missed Bad Epoll, likely because the patched sibling stopped the error from tripping the kernel’s memory-error detector. The case shows race conditions stay hard to spot, even for frontier AI.
Affected Versions and Mitigation
Linux kernels built on 6.4 or newer are affected by Bad Epoll unless they already carry the fix. Older 6.1-based kernels, including the Pixel 8, are not. Epoll cannot be disabled, so no workaround exists.
Administrators should apply upstream commit a6dc643c6931, or install a distribution backport once it lands. Prioritize shared hosting, CI runners, and multi-tenant hosts where local isolation is the security boundary. The disclosure appears on the oss-security mailing list, with public write-ups for Bad Epoll and the IPv6 fragmentation escape. For CentOS and RHEL 10, apply upstream commit 38becddc and restrict unprivileged user namespaces where feasible.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.