Bad Epoll Flaw Gives Attackers Root Access on Linux and Android


Bad Epoll Flaw Gives Attackers Root Access on Linux and Android

Pierluigi Paganini
July 06, 2026

Bad Epoll (CVE-2026-46242) lets local attackers gain root on Linux and Android. The flaw was missed by AI but found by a security researcher.

A newly disclosed Linux kernel vulnerability, named Bad Epoll (CVE-2026-46242), allows a local attacker with no special privileges to gain full root access on affected Linux systems and Android devices. Security updates are already available, and users are urged to install them as soon as possible.

The flaw affects the Linux kernel’s epoll subsystem, a core feature used by servers, browsers, and countless applications to efficiently manage multiple network connections and file events. Because epoll is fundamental to Linux, there is no practical workaround other than patching vulnerable systems.

Bad Epoll is a classic use-after-free vulnerability, which occurs when a program continues to use a piece of memory after it has already been released (“freed”).

Two kernel threads attempt to release the same internal object simultaneously. One frees the memory while the other continues using it, creating a brief opportunity to corrupt kernel memory and escalate privileges to root.

Bad Epoll

“Two of epoll’s close paths run at the same time and collide. One frees an object while the other is still writing into it, and that is the use-after-free (UAF).” continues the advisory. “The race window, and how the exploit drives it. The exploit uses four epoll objects grouped into two pairs. One pair triggers the race, while the other becomes the victim. From there, the exploit turns the 8-byte UAF write into a UAF on a file object, and uses a cross-cache attack to fully control the file’s contents. Turning the bug into an arbitrary kernel memory read through /proc/self/fdinfo. With that control, the exploit gains an arbitrary read of kernel memory through /proc/self/fdinfo. Finally, it hijacks control flow and executes a ROP chain to gain a root shell.”

Although exploiting the flaw requires hitting a timing window only six CPU instructions wide, researcher Jaeyoung Chung developed a reliable proof-of-concept that reportedly succeeds in about 99% of attempts on tested systems. According to the researcher, the exploit can even be launched from Chrome’s renderer sandbox, making it particularly dangerous, and could also impact Android devices.

“Bad Epoll (CVE-2026-46242) is a race-condition use-after-free in the Linux kernel’s epoll subsystem. This bug lets an unprivileged process become root, not only on Linux desktops and servers but also on Android devices.” reads an advisory published by Chung.

One of the most interesting aspects of the vulnerability is its connection to AI-assisted vulnerability research. Bad Epoll originates from the same section of kernel code where Anthropic’s Mythos model previously identified another privilege escalation flaw, tracked as CVE-2026-43074. The AI detected the first bug, but missed this closely related vulnerability, which was later discovered manually.

“A single commit in 2023 introduced two separate race conditions into the epoll code, only about 2,500 lines in all. Both turned out to be critical bugs that can lead to privilege escalation.

The first was found by Anthropic’s Mythos and reported as CVE-2026-43074. That result is impressive on its own, because kernel race bugs are known to be hard to find. It showed a frontier AI model’s ability to find race bugs. An independent researcher later submitted a 1-day exploit for it to kernelCTF.” continunes the advisory. “The other race is Bad Epoll, which Mythos missed.”

Chung believes the miss is understandable. The race condition is extremely difficult to reason about because the vulnerable execution path exists for only a tiny fraction of a second. In addition, once the first flaw was patched, Bad Epoll no longer generated obvious warnings through KASAN, Linux’s memory error detection system, making it even harder to spot.

The good news is that there is currently no evidence that Bad Epoll has been exploited in the wild. The only public exploit is the proof-of-concept released through Google’s kernelCTF program. An Android exploit is reportedly still under development.

Bad Epoll

The flaw affects Linux kernels based on version 6.4 and later, unless they already include the upstream fix. Older long-term support kernels based on Linux 6.1, including some Android devices such as the Pixel 8, are not vulnerable because the problematic code was introduced after those versions branched.

Bad Epoll joins a growing list of high-profile Linux privilege escalation vulnerabilities recently disclosed, including Copy Fail, Dirty Frag, Fragnesia, and DirtyClone. While many of these newer vulnerabilities are deterministic and relatively easy to exploit, Bad Epoll belongs to the older class of race-condition bugs, which are significantly harder to discover, exploit, and patch.

The case also highlights both the promise and the current limitations of AI in vulnerability research. Models such as Mythos have already demonstrated they can identify complex kernel flaws and even uncover long-standing vulnerabilities in projects like FreeBSD.

At the same time, Bad Epoll shows that highly subtle race conditions can still escape even state-of-the-art AI systems. For now, human expertise remains essential, particularly when vulnerabilities depend on tiny timing windows and complex concurrent execution paths.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Bad Epoll)







Source link

Leave a Reply

Subscribe to Our Newsletter

Get our latest articles delivered straight to your inbox. No spam, we promise.

Recent Reviews


I reluctantly upgraded from my Pixel 4a in late 2024, which means I spent four years clinging to a phone that still felt like a phone. Part of that was the size. The Pixel 4a was small enough to use without performing thumb yoga, a disappearing luxury now that flagships have settled into pocket-tablet territory. That’s an argument for another day.

The uglier issue is what happened after I moved on. In January 2025, Google pushed an automatic Android 13 update to Pixel 4a phones. Google’s own support page says the update reduced available battery capacity and affected charging performance on some impacted devices. Reddit users were less polite. One r/Pixel4a post said the battery suddenly had “around 40% of its former capacity” after the patch.

For poor ol’ 4a, that was basically the death knell.

When an update becomes the problem

A dying battery is normal. A four-year-old phone needing service isn’t exactly a scandal. Batteries age, screens fail, ports loosen, and gravity remains undefeated.

This felt different. The phone didn’t simply get old in someone’s pocket. Its usable life changed after a company-controlled patch, and the owner was left to deal with the result. The Verge reported that the update was tied to overheating-risk mitigation and reduced charging capacity by more than 50% on affected units. Battery safety is real. It still doesn’t erase the experience of waking up to a phone that suddenly can’t survive the day.

That’s what update death looks like. Software doesn’t just support aging hardware anymore. It can also decide when that hardware becomes miserable to keep using.

When every patch feels haunted

My wife, who’s rocking an S24 Ultra, has a different version of the same dread. She keeps running into Reddit threads about Samsung Galaxy phones and the dreaded green line, that bright vertical scar that makes a screen look like it has been reassigned to a cyberpunk prop department. One r/S23 user wrote that a green line appeared on a carefully maintained phone after about a year and a half, then said Samsung service quoted a screen replacement because the warranty was over. Another Samsung Community post claimed a green-line issue appeared after an August update, with the display allegedly working perfectly before it.

Reddit isn’t a forensic lab with avatars. A green line can come from boring hardware failure, not corporate villainy with a release calendar. Still, the anxiety is real. People don’t only worry that an update will move a button or ruin a camera setting. They worry it might be the thing that nudges a working device from “old” to “not worth repairing.”

Modern gadgets are never fully handed over. They keep phoning home. They keep asking for patches. They keep depending on decisions made long after the receipt has faded. Ownership now comes with a quiet asterisk.

The graveyard got software updates

Planned obsolescence used to sound like tinfoil-hat consumer paranoia, which was convenient for everyone selling the new thing. Then regulators started writing it down in boring official language. In 2018, Italy’s competition authority fined Samsung and Apple after finding that software and firmware updates caused serious malfunctions, reduced performance, and sped up replacement of older phones. Samsung was fined €5 million, while Apple was fined €10 million.

Apple’s battery-throttling mess made the suspicion harder to laugh off. In the US, Apple agreed to a settlement of up to $500 million over claims that it slowed older iPhones, while a separate multistate settlement required Apple to pay $113 million over alleged misrepresentations around iPhone batteries and performance throttling. Consumers weren’t hallucinating the pattern. The receipts were scattered across court filings, regulatory decisions, and phones that suddenly felt older than they had the day before.

Europe seems less willing to accept “trust us” as a product-lifetime policy. New EU rules for smartphones and tablets started applying on June 20, 2025, covering durability, repairability, battery life, and software updates. New labels put some of that lifespan math in front of shoppers before checkout.

The post-warranty graveyard used to be easy to recognize: cracked screens, swollen batteries, and charging ports full of pocket lint. Now the graveyard has paperwork, compatibility warnings, and software that slowly stops cooperating. The gadget can still turn on. It can still look fine on a desk. Then one day the company changes what “usable” means, and the thing you paid for starts practicing being trash.



Source link