New “Bad Epoll” 0-Day Vulnerability Allows Root Access on Linux Servers and Android Devices

A newly disclosed Linux kernel flaw dubbed “Bad Epoll” (CVE-2026-46242) allows an unprivileged local user to escalate to root on Linux servers, desktops, and Android devices by exploiting a race condition and a use-after-free (UAF) in the kernel’s epoll subsystem.

Bad Epoll is a UAF vulnerability in ep_remove(), which clears file->f_ep under file->f_lock but continues using the file object inside the critical section during hlist_del_rcu() and spin_unlock().

A concurrent __fput() call can observe that transiently NULL f_ep, skip eventpoll_release_file(), and proceed straight to f_op->release, freeing a watched struct eventpoll that is still in use and corrupting kernel memory. Because struct file is SLAB_TYPESAFE_BY_RCU, the freed slot can also be recycled by alloc_empty_file(), letting an attacker trigger a kmem_cache_free() against the wrong slab cache.

The bug was discovered and exploited by researcher Jaeyoung Chung, who submitted it as a zero-day to Google’s kernelCTF program, which pays out $71,337 or more for working Linux kernel exploits.

Unlike many Linux privilege-escalation bugs, Bad Epoll can root Android, because epoll is a core kernel component that cannot be disabled or unloaded, whereas bugs such as Copy Fail relied on optional modules.

[Figure: Bad Epoll Vulnerability Privilege Escalation (Source: Jaeyoung Chung)]

Bad Epoll Vulnerability Allows Root Access

The epoll subsystem is also reachable from inside Chrome’s renderer sandbox, raising the possibility of chaining a renderer exploit with Bad Epoll for full kernel code execution. Despite a race window only about six instructions wide, Chung’s exploit widens the window and retries without crashing the kernel, achieving roughly 99% reliability on tested targets.

[Figure: Bad Epoll Vulnerability Privilege Escalation (Source: Jaeyoung Chung)]

A single 2023 kernel commit introduced two separate race conditions into the same 2,500-line epoll code path. The first, CVE-2026-43074, was discovered by Anthropic’s AI model Mythos, demonstrating frontier AI’s growing capability to find kernel race bugs.

Bad Epoll was the second, harder-to-spot flaw that Mythos missed, likely because of its narrow timing window and the fact that it rarely triggers KASAN, the kernel’s primary memory-error detector, leaving little runtime evidence behind. The maintainers’ first patch attempt did not fully resolve the issue, and a correct fix landed nearly two months after initial disclosure.

The exploit uses four epoll objects grouped into two pairs; closing one pair triggers the race while the other becomes the victim object, turning an 8-byte UAF write into a UAF on a file object via a cross-cache attack.

From there, the attacker gains arbitrary kernel memory read access through /proc/self/fdinfo and hijacks control flow with a return-oriented programming (ROP) chain to obtain a root shell.

Because epoll cannot be disabled without breaking core OS and browser functionality, there is no workaround; administrators must apply the upstream patch or await a distribution backport.


The post New “Bad Epoll” 0-Day Vulnerability Allows Root Access on Linux Servers and Android Devices appeared first on Cyber Security News.

By Guru Baran