NewsSecurityInfrastructure

Bad Epoll CVE-2026-46242: Patch Your Linux Kernel Now

CVE-2026-46242 Bad Epoll Linux kernel privilege escalation vulnerability - red warning icon breaking apart over circuit board pattern on dark blue background
CVE-2026-46242 Bad Epoll: critical Linux kernel use-after-free vulnerability

A critical Linux kernel vulnerability disclosed this week lets any unprivileged local user escalate to root with no special access required — and there is no workaround. CVE-2026-46242, nicknamed “Bad Epoll,” sits inside the epoll subsystem: the I/O event notification mechanism that virtually every Linux server, desktop, and modern Android device relies on. A working proof-of-concept exploit achieves root with roughly 99% reliability. There is no configuration change that fixes this. Patch your kernels.

What Is epoll — and Why You Cannot Just Disable It

Epoll is the kernel mechanism Linux applications use to watch many file descriptors at once and get notified when any become ready for I/O. It powers web servers, databases, browsers, and Android’s core event loop — the plumbing behind nginx, Node.js, and essentially every high-performance networked service on the planet. You cannot turn it off without breaking the OS. That is the entire problem with Bad Epoll: there is no kill switch.

The Bug: A Use-After-Free in ep_remove()

The vulnerability is a use-after-free race condition introduced by a single April 2023 kernel commit that quietly planted two race conditions into roughly 2,500 lines of epoll code. Inside ep_remove(), the kernel clears file->f_ep under file->f_lock, but continues using that file object through hlist_del_rcu() and spin_unlock(). A concurrent __fput() call can observe a transient NULL, skip eventpoll_release_file(), and free a struct eventpoll that is still in active use — corrupting kernel memory.

The race window is only about six instructions wide. Jaeyoung Chung, a PhD researcher at Seoul National University’s CompSec Lab, built an exploit that widens the window and retries without crashing the kernel. The technique chains four linked epoll file descriptors, uses /proc/self/fdinfo to read arbitrary kernel memory, then builds a return-oriented-programming chain to spawn a root shell. Reliability: approximately 99% on tested targets. The full proof-of-concept is public on GitHub.

Who Is Affected

The flaw was introduced in kernel 6.4, so anything running 6.4 or newer is vulnerable unless patched. That covers most Linux servers and desktops on current distributions, and Android devices running 6.6-series kernels — including current Pixel hardware. The Pixel 8, which runs a 6.1-based kernel, is not affected since the faulty 2023 commit had not yet landed.

Multi-tenant cloud environments deserve particular attention. A local privilege escalation on a shared kernel is the worst-case threat model for cloud infrastructure: any tenant gaining root can potentially reach the host. If you are running multi-tenant Linux workloads without kernel live-patching, this moves to the top of your queue today.

There is also a Chrome angle that most coverage has underplayed. Bad Epoll can reportedly be triggered from inside Chrome’s renderer sandbox — which blocks nearly every other known kernel exploit. That means a malicious web page, chained with a browser bug, could potentially use CVE-2026-46242 as the escalation step to full system compromise. That specific chain is hypothetical, but the primitive is real.

How to Patch

The upstream fix is commit a6dc643c6931. Ubuntu, Debian, Red Hat, and SUSE are issuing distribution backports. Start by checking your kernel version:

uname -r

If you are on 6.4 or newer, assume you are vulnerable until the security update is applied. On most distributions:

# Ubuntu/Debian
sudo apt update && sudo apt upgrade linux-image-generic

# RHEL/Fedora
sudo dnf update kernel

Then reboot. There is no runtime mitigation to hold you over — patching and rebooting is the only path forward. For production environments where reboots are costly, explore kernel live-patching options (kpatch, livepatch, kGraft) while scheduling the maintenance window.

AI Found the First Bug. A Human Found This One.

The discovery story is worth a moment. Earlier in 2026, Anthropic’s Mythos AI model found a different vulnerability in the same stretch of epoll code — CVE-2026-43074 — and a fix landed. Mythos missed Bad Epoll entirely. The race window is too narrow to observe at runtime, KASAN (the kernel’s memory-safety detector) does not fire on it after the first bug is patched, and there is almost no signal in logs. Chung found it through careful manual code review, reported it on February 17, 2026, and the first maintainer patch was incomplete. A correct fix landed as commit a6dc643c6931 roughly two months later — and sat quietly in mainline until the public disclosure this week.

The takeaway is not that AI-assisted vulnerability research is useless — it clearly found something real. The takeaway is that the threat model for kernel security cannot yet be reduced to automated scanning. The Hacker News has the full technical breakdown, and Shield53’s advisory covers the patch requirements in detail.

Patch Before the Weekend Is Over

As of July 4, 2026, CVE-2026-46242 is not on CISA’s Known Exploited Vulnerabilities list, and there is no confirmed in-the-wild exploitation. But the proof-of-concept is public, reliable, and targets the kernel component you cannot disable. The historical gap between a public PoC with 99% success rate and its appearance in attacker toolkits is measured in days to weeks. Waiting for a KEV listing is not a strategy. Check your kernel, apply the patch, reboot.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.

    You may also like

    Leave a reply

    Your email address will not be published. Required fields are marked *

    More in:News