Bad Epoll Flaw Gives Attackers Root Access on Linux and Android


Bad Epoll Flaw Gives Attackers Root Access on Linux and Android

Pierluigi Paganini
July 06, 2026

Bad Epoll (CVE-2026-46242) lets local attackers gain root on Linux and Android. The flaw was missed by AI but found by a security researcher.

A newly disclosed Linux kernel vulnerability, named Bad Epoll (CVE-2026-46242), allows a local attacker with no special privileges to gain full root access on affected Linux systems and Android devices. Security updates are already available, and users are urged to install them as soon as possible.

The flaw affects the Linux kernel’s epoll subsystem, a core feature used by servers, browsers, and countless applications to efficiently manage multiple network connections and file events. Because epoll is fundamental to Linux, there is no practical workaround other than patching vulnerable systems.

Bad Epoll is a classic use-after-free vulnerability, which occurs when a program continues to use a piece of memory after it has already been released (“freed”).

Two kernel threads attempt to release the same internal object simultaneously. One frees the memory while the other continues using it, creating a brief opportunity to corrupt kernel memory and escalate privileges to root.

Bad Epoll

“Two of epoll’s close paths run at the same time and collide. One frees an object while the other is still writing into it, and that is the use-after-free (UAF).” continues the advisory. “The race window, and how the exploit drives it. The exploit uses four epoll objects grouped into two pairs. One pair triggers the race, while the other becomes the victim. From there, the exploit turns the 8-byte UAF write into a UAF on a file object, and uses a cross-cache attack to fully control the file’s contents. Turning the bug into an arbitrary kernel memory read through /proc/self/fdinfo. With that control, the exploit gains an arbitrary read of kernel memory through /proc/self/fdinfo. Finally, it hijacks control flow and executes a ROP chain to gain a root shell.”

Although exploiting the flaw requires hitting a timing window only six CPU instructions wide, researcher Jaeyoung Chung developed a reliable proof-of-concept that reportedly succeeds in about 99% of attempts on tested systems. According to the researcher, the exploit can even be launched from Chrome’s renderer sandbox, making it particularly dangerous, and could also impact Android devices.

“Bad Epoll (CVE-2026-46242) is a race-condition use-after-free in the Linux kernel’s epoll subsystem. This bug lets an unprivileged process become root, not only on Linux desktops and servers but also on Android devices.” reads an advisory published by Chung.

One of the most interesting aspects of the vulnerability is its connection to AI-assisted vulnerability research. Bad Epoll originates from the same section of kernel code where Anthropic’s Mythos model previously identified another privilege escalation flaw, tracked as CVE-2026-43074. The AI detected the first bug, but missed this closely related vulnerability, which was later discovered manually.

“A single commit in 2023 introduced two separate race conditions into the epoll code, only about 2,500 lines in all. Both turned out to be critical bugs that can lead to privilege escalation.

The first was found by Anthropic’s Mythos and reported as CVE-2026-43074. That result is impressive on its own, because kernel race bugs are known to be hard to find. It showed a frontier AI model’s ability to find race bugs. An independent researcher later submitted a 1-day exploit for it to kernelCTF.” continunes the advisory. “The other race is Bad Epoll, which Mythos missed.”

Chung believes the miss is understandable. The race condition is extremely difficult to reason about because the vulnerable execution path exists for only a tiny fraction of a second. In addition, once the first flaw was patched, Bad Epoll no longer generated obvious warnings through KASAN, Linux’s memory error detection system, making it even harder to spot.

The good news is that there is currently no evidence that Bad Epoll has been exploited in the wild. The only public exploit is the proof-of-concept released through Google’s kernelCTF program. An Android exploit is reportedly still under development.

Bad Epoll

The flaw affects Linux kernels based on version 6.4 and later, unless they already include the upstream fix. Older long-term support kernels based on Linux 6.1, including some Android devices such as the Pixel 8, are not vulnerable because the problematic code was introduced after those versions branched.

Bad Epoll joins a growing list of high-profile Linux privilege escalation vulnerabilities recently disclosed, including Copy Fail, Dirty Frag, Fragnesia, and DirtyClone. While many of these newer vulnerabilities are deterministic and relatively easy to exploit, Bad Epoll belongs to the older class of race-condition bugs, which are significantly harder to discover, exploit, and patch.

The case also highlights both the promise and the current limitations of AI in vulnerability research. Models such as Mythos have already demonstrated they can identify complex kernel flaws and even uncover long-standing vulnerabilities in projects like FreeBSD.

At the same time, Bad Epoll shows that highly subtle race conditions can still escape even state-of-the-art AI systems. For now, human expertise remains essential, particularly when vulnerabilities depend on tiny timing windows and complex concurrent execution paths.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Bad Epoll)







Source link

Leave a Reply

Subscribe to Our Newsletter

Get our latest articles delivered straight to your inbox. No spam, we promise.

Recent Reviews


1,000W, 10-port charger for $45... predictably disappointing.

1,000W, 10-port charger for $45… predictably disappointing. 

Adrian Kingsley-Hughes/ZDNET

Follow ZDNET: Add us as a preferred source on Google.


ZDNET’s key takeaways

  • Things that look “too good to be true” invariable are just that.
  • This example got dangerously hot in a short period of time before dying. 
  • There’s no legitimate charger that comes close to delivering on the 1,000W promise.

Being a tech reviewer for a living means that I get offered some very interesting things. Not interesting as in Bugatti supercars or jewel-encrusted Fabergé eggs, but interesting as in “this thing could easily be a fire hazard — want to take a look?”

Also: The best GaN chargers of 2026: Expert tested

Submissively, I often say yes. And I’m glad I did with the most recent pitch, because it was very interesting indeed.

Meet the “interesting” charger

This time around, the thing of interest was a charger that claimed to deliver an incredible 1,000W through its ten ports — four 140W USB-C ports, four 100W USB-C ports, and two 20W USB-A ports. 

The person who bought this charger told me that they’d plugged it in, used it to charge their phone for “a few minutes,” got worried when it became “a little hot,” and unplugged it.

That's a lot of promise... but (spoilers), they don't deliver!

That’s a lot of promise… but (spoilers), they don’t deliver!

Adrian Kingsley-Hughes/ZDNET

The unit was suspiciously light and plasticky, especially given its built-in power supply. Compare this to Ugreen’s Nexode 500W charger, which weighs a hair under 5 lb.

There was also a slight whiff of melty plastic, which made me think that this had been a bit more than a little hot. 

Also: This $4 router reboot timer is the cheap internet fix I didn’t know I needed – and it works reliably

Color me suspicious, but I had a gut feeling that the only way this charger would be able to push out 1,000W would be if it caught fire. 

Turns out I wasn’t far wrong.

How long would it last? Answer: Minutes

Talk is cheap. It was time to test the charger. 

So I plugged it in, turned it on, and started using it. Within a couple of minutes of starting to use it, I noticed a few things:

  • No matter what I tried, I couldn’t persuade the charger to deliver more than about 60W from any of the ports. 
  • As for peak output, I managed to get close to 250W.
  • The power output was very uneven and noisy, fluctuating wildly. The more ports I used, the worse it got.
  • The unit got very hot to the touch very quickly, even under light loads. 
  • But… before I could get the thermal camera out to check how hot it got, there was a pop and the unmistakable smell of “Magic Smoke.” The charger had been sent to Silicon Heaven within minutes.

Annnnd… POP! This is the moment the charger gave up the ghost.

Adrian Kingsley-Hughes/ZDNET

Diagnosis time

Time to take it apart and have a look inside. For an item that plugged into the mains power, this unit was shockingly easy to take apart. 

A thin sheet of easily removable plastic is a that separates curious hands from live AC power.

A thin sheet of easily removable plastic is a that separates curious hands from live AC power.

Adrian Kingsley-Hughes/ZDNET

And even unplugged and broken, it was capable of delivering zaps! If the case came off while this was plugged into an outlet, it could very easily be deadly.

There’s charge still in some of the capacitors, and these could deliver quite a zap despite the unit being broken and unplugged!

Adrian Kingsley-Hughes/ZDNET

After getting inside, the unit was filled with a grey goo that I’d seen in a previous disappointing charger I’d taken apart. This is a thermal paste that’s used to try to dissipate the heat generated by the components. 

It’s not really going to work because it’s sealed in a plastic box with no effective heatsink. It’s a token gesture at best. At worst, it creates a mass that’ll slowly heat up and hold temperature because it’s got no way to get rid of it.

Behold the grey goo!

Adrian Kingsley-Hughes/ZDNET

Next to this goo was a bank of capacitors — the black cylinders in the photo — which were the cause of the failure. They’d clearly overheated, with three of them showing signs of bulging.

The problem!

Adrian Kingsley-Hughes/ZDNET

Well there’s the problem!

I also noticed that two of the components — bridge rectifiers that are used to turn AC mains into DC — have been fixed on an angle to make the touch a metal heatsink. It’s not really an effective way to cool down components.

The bottom line

Another “too good to be true” device bites the dust. It’s not the first one I’ve come across, and it won’t be the last.

Moral of the story here is that manufactures are using big number marketing — in this case 1,000W and masses of ports — to scalewash poor quality products. 

This might be a half-decent product if it was built to deliver 100W, but there’s no end of competition at that end of the market. Silkscreen “1,000W” on the outside, sprinkle in a few reviews that feel scripted and fake, and all of a sudden it’s interesting and exciting… right up until it blows up. 

Also: My top 7 laptop-bag essentials now, after decades of remote work

I know of no 1,000W charger. In fact, the 500W Ugreen Nexode is the highest-power charger that I’ve tested that’s legit. And the price is also legit — $250. 

But it’s built to deliver on what it promises and is packed with safety features, including “tip-over protection,” which cuts the output when the unit tips over and prevents it from falling on its side, where it can’t dissipate heat effectively. Now that’s an attention to safety that I like to see in a product that handles that much power. 

But if you want 1,000W of output, you’ll have to buy two and duct tape them together.





Source link