Bad Epoll: Linux kernel UAF lets any user become root
Bad Epoll (CVE-2026-46242) is a use-after-free in the Linux kernel epoll that lets an unprivileged process gain root; it affects kernels v6.4+ and Android, and a patch is out.
Bad Epoll (CVE-2026-46242) is a race-condition use-after-free in the Linux kernel's epoll subsystem. It lets an unprivileged process escalate to root, not only on Linux servers and desktops but also on Android devices. Researcher Jaeyoung Chung (CompSec Lab) found and exploited it, submitting it as a 0-day to Google's kernelCTF program.
Key points
- Mechanism: when two epoll file descriptors watch each other and are closed almost simultaneously, two close paths collide — one frees an object while the other still writes to it, yielding a use-after-free that is turned into kernel control.
- Scope: unpatched Linux kernels v6.4 and newer are affected; v6.1 is not. It can be triggered from inside Chrome's renderer sandbox, and because epoll cannot be disabled there is no workaround.
- Exploit reliability: the race window is only about six instructions wide, yet a retry-loop exploit reaches 99% success on the lts-6.12.67 target.
- AI angle: the bug stems from a 2023 commit that introduced two races; the first (CVE-2026-43074) was found by Anthropic's Mythos AI, but Mythos missed Bad Epoll — a reminder that race conditions remain hard even for frontier models.
- Fix: apply mainline commit
a6dc643c6931(landed 2026-04-24) or your distribution's backport. An Android exploit (Pixel 10, kernel v6.6+) is still in progress.
Source
Jaeyoung Chung (GitHub)
#Linux kernel#CVE#use-after-free#privilege escalation#Android
This summary was written by the ORA·tech AI assistant. Read the original for full context.