- CVE: CVE-2026-46242
- CVSS: 7.8 (High · CVSSv3)
- Product: Linux
- Affected: 58c9b016e12855286370dfb704c08498edbc857a, f2451def095c1743adcfcb0cb5dadc86034e162a, a1f93804449d13f97dabd4b996817de4bf1ed67a, 5.15.209, 6.1.175, 6.4
- Impact: eventpoll: fix ep_remove struct eventpoll / struct file UAF
- Status: No confirmed exploitation yet
- Patched in: 2de4db145b2992da496fea6c51f9839be678ae24, 9324de74a3a59b9fde9b62ee45ebaa71458ba2e5, ef4ca02e95363e78977ca04340d44fe3b4b2b81f, ced39b6a8062bac5c18a1c3df85634107eb8664a (+8 more)
- EPSS: 0.1% (30-day)
- Action: Update to 2de4db145b2992da496fea6c51f9839be678ae24, 9324de74a3a59b9fde9b62ee45ebaa71458ba2e5, ef4ca02e95363e78977ca04340d44fe3b4b2b81f, ced39b6a8062bac5c18a1c3df85634107eb8664a (+8 more) now
TL;DR
Bad Epoll is a Linux kernel use-after-free that turns any unprivileged user into root. It is tracked as CVE-2026-46242 and also reaches Android. Researcher Jaeyoung Chung has now published the full technical write-up and working proof-of-concept exploit code.
Why It Matters
Epoll is a core Linux feature. Servers, network services, browsers, and the operating system all depend on it. Therefore, you cannot switch it off as a workaround. Only the patch removes the danger.
Three traits make Bad Epoll stand out. First, it can root Android, which most kernel flaws cannot. Second, it fires from inside Chrome’s renderer sandbox. A browser exploit could chain with the bug to reach kernel code execution. Third, the public exploit hits about 99% reliability, despite a race window only six instructions wide.
Chung reported the flaw as a 0-day to Google’s kernelCTF program. That contest pays more than $71,000 for a working Linux kernel exploit. The name follows a family of Android-rooting kernel bugs, after Bad Binder, Bad IO_uring, and Bad Spin.
How the Attack Works
Bad Epoll is a close-versus-close race in epoll’s file-release path. Two close operations run at once and collide. One frees an internal object while the other still writes to it. That collision creates the use-after-free.
From there, the public exploit escalates in stages. It chains four epoll objects into two pairs, one to drive the race and one as the victim. Next, it turns a small stray write into control over a kernel file object. It then reads kernel memory through a /proc interface to defeat address randomization. Finally, it hijacks control flow with a ROP chain and spawns a root shell.
The race window is tiny, so a single attempt almost never lands. However, the exploit widens the window and retries without crashing the kernel. That design explains its near-perfect success rate. Chung details the mechanics in a public root-cause write-up and ships the full proof-of-concept exploit code.
The Sibling Bug an AI Missed
One 2023 commit added two separate races to about 2,500 lines of epoll code. According to Chung, Anthropic’s Mythos model found the first, now tracked as CVE-2026-43074. The same model missed Bad Epoll. Its memory error rarely trips KASAN once the sibling bug is fixed, so little runtime evidence remained. The episode shows how hard race bugs stay to find, fix, and exploit.
Affected Versions
Bad Epoll affects Linux kernels based on v6.4 and newer. The flawed code arrived in April 2023, and the fix landed on April 24, 2026. Older v6.1-based kernels stay safe, since the bug did not yet exist there.
The published exploit targets two kernelCTF builds. It reaches 99% reliability on lts-6.12.67 and 98% on a Container-Optimized OS build. An Android exploit for Pixel 10 remains in progress, while Pixel 8 and other v6.1 devices are not affected.
Major distribution families that share this kernel code, including RHEL, AlmaLinux, and Rocky, may inherit the exposure. Check each vendor’s advisory for exact build status. No in-the-wild attacks have been reported so far. Still, a public proof-of-concept now exists, which sharply raises the risk for unpatched hosts.
Patch and Mitigation
There is no kill-switch, so patching is the only fix. Apply upstream commit a6dc643c6931, or your distribution’s backport once it ships. Check your vendor’s kernel security updates today.
The maintainers struggled with this one. Their first patch fell short, and a correct fix took two months. Therefore, confirm that your kernel carries the final commit, not the early attempt. Because the full details and exploit code are public, treat Bad Epoll as urgent and patch every v6.4-or-newer host quickly.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.