{"id":14077,"date":"2026-07-04T10:03:41","date_gmt":"2026-07-04T10:03:41","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/04\/new-bad-epoll-0-day-vulnerability-allows-root-access-on-linux-servers-and-android-devices\/"},"modified":"2026-07-04T10:03:41","modified_gmt":"2026-07-04T10:03:41","slug":"new-bad-epoll-0-day-vulnerability-allows-root-access-on-linux-servers-and-android-devices","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/04\/new-bad-epoll-0-day-vulnerability-allows-root-access-on-linux-servers-and-android-devices\/","title":{"rendered":"New \u201cBad Epoll\u201d 0-Day Vulnerability Allows Root Access on Linux Servers and Android Devices"},"content":{"rendered":"<div>\n<p class=\"wp-block-paragraph\">A newly disclosed Linux kernel flaw dubbed \u201cBad Epoll\u201d (CVE-2026-46242) allows an unprivileged local user to escalate to root on Linux servers, desktops, and Android devices by exploiting a race condition and a <a href=\"https:\/\/cybersecuritynews.com\/use-after-free-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">use-after-free (UAF)<\/a> in the kernel\u2019s epoll subsystem.<\/p>\n<p class=\"wp-block-paragraph\">Bad Epoll is a UAF vulnerability in ep_remove(), which clears file-&gt;f_ep under file-&gt;f_lock but continues using the file object inside the critical section during hlist_del_rcu() and spin_unlock().<\/p>\n<p class=\"wp-block-paragraph\">A concurrent __fput() call can observe a transient NULL value, skip eventpoll_release_file(), and proceed straight to f_op-&gt;release, freeing a watched struct eventpoll that is still in use, corrupting kernel memory. 
Because struct file is SLAB_TYPESAFE_BY_RCU, the freed slot can also be recycled by alloc_empty_file(), letting an attacker trigger a kmem_cache_free() against the wrong slab cache.<\/p>\n<p class=\"wp-block-paragraph\">The bug was discovered and exploited by researcher Jaeyoung Chung, who submitted it as a zero-day to Google\u2019s kernelCTF program, which pays out $71,337 or more for working Linux kernel exploits.<\/p>\n<p class=\"wp-block-paragraph\">Unlike most Linux privilege-escalation bugs, Bad Epoll can root Android because epoll is a core kernel component that cannot be disabled or unloaded, unlike optional modules exploited by bugs <a href=\"https:\/\/cybersecuritynews.com\/linux-kernel-0-day-copy-fail\/\" target=\"_blank\" rel=\"noreferrer noopener\">such as Copy Fail<\/a>.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/github.com\/J-jaeyoung\/bad-epoll\/raw\/main\/assets\/demo.gif?ssl=1\" alt=\"Bad Epoll Vulnerability Privilege Escalation\"><figcaption class=\"wp-element-caption\">Bad Epoll Vulnerability Privilege Escalation (Source: Jaeyoung Chung)<\/figcaption><\/figure>\n<h2 id=\"h-bad-epoll-vulnerability-allows-root-access\" class=\"wp-block-heading\"><strong>Bad Epoll Vulnerability Allows Root Access<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">It is also reachable from inside Chrome\u2019s renderer sandbox, raising the possibility of chaining a renderer exploit with Bad Epoll for full kernel code execution. 
Despite a race window only about six instructions wide, Chung\u2019s exploit widens the window and retries without crashing the kernel, achieving roughly 99% reliability on tested targets.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhFoh9AqO3x7vvWNKKEb0qX9hPDy4lI4kISsanAS0HU73xO-VkZaiGrOKmS7oPp4qzrUsy7bp5dtWcfnlaMSAv_ubvmw-3kMmOLkzrZbGBgJbQNCPw35QUhUDg6TczR0xR_enfIrGu4yoTExXdO2QHamhoz4Pboonei7lyr_A8DEcuIp8kr3H5OgLvPLvb4\/s1600\/badepoll1.webp?ssl=1\" alt=\"Bad Epoll Vulnerability Allows Root Access\"><figcaption class=\"wp-element-caption\">Bad Epoll Vulnerability Privilege Escalation (Source: Jaeyoung Chung)<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">A single 2023 kernel commit introduced two separate race conditions into the same 2,500-line epoll code path. The first, CVE-2026-43074, was discovered by Anthropic\u2019s AI model Mythos, demonstrating frontier AI\u2019s growing capability to find kernel race bugs.<\/p>\n<p class=\"wp-block-paragraph\">Bad Epoll was the second, harder-to-spot flaw that <a href=\"https:\/\/cybersecuritynews.com\/anthropic-claude-mythos-5\/\" target=\"_blank\" rel=\"noreferrer noopener\">Mythos<\/a> missed, likely because of its narrow timing window and the fact that it rarely triggers KASAN, the kernel\u2019s primary memory-error detector, leaving little runtime evidence behind. 
The maintainers\u2019 first patch attempt did not fully resolve the issue, and a correct fix landed nearly two months after initial disclosure.<\/p>\n<p class=\"wp-block-paragraph\">The exploit uses four epoll objects grouped into two pairs; closing one pair triggers the race while the other becomes the victim object, turning an 8-byte UAF write into a UAF on a file object via a cross-cache attack.<\/p>\n<p class=\"wp-block-paragraph\">From there, the attacker gains arbitrary kernel memory read access through \/proc\/self\/fdinfo and hijacks control flow with a return-oriented programming (ROP) chain to obtain a root shell.<\/p>\n<p class=\"wp-block-paragraph\">Because epoll cannot be disabled without breaking core OS and browser functionality, there is no workaround; administrators must apply the upstream patch or await a distribution backport.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/bad-epoll-0-day-vulnerability\/\">New \u201cBad Epoll\u201d 0-Day Vulnerability Allows Root Access on Linux Servers and Android Devices<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Guru Baran<br \/>\n \t<BR><br 
\/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/bad-epoll-0-day-vulnerability\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New \u201cBad Epoll\u201d 0-Day Vulnerability Allows Root Access on Linux Servers and Android Devices A newly disclosed Linux kernel flaw dubbed \u201cBad Epoll\u201d (CVE-2026-46242) allows an unprivileged local user to escalate to root on Linux servers, desktops, and Android devices by exploiting a race condition and a use-after-free (UAF) in the kernel\u2019s epoll subsystem. Bad [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,648],"tags":[130],"class_list":["post-14077","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14077"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=14077"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14077\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=14077"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=14077"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=14077"}],"curies":[{"name":
"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}