A newly disclosed Linux kernel vulnerability dubbed Bad Epoll (CVE-2026-46242) allows unprivileged local users to escalate privileges to root on Linux servers, desktops, and Android devices by exploiting a race condition and a use-after-free (UAF) flaw in the kernel's epoll subsystem.
Overview
Security researcher Jaeyoung Chung discovered and successfully exploited the vulnerability, later submitting it to Google's kernelCTF program. The flaw resides in the Linux kernel's epoll implementation and can be abused to achieve arbitrary kernel memory access and full privilege escalation.
Unlike many recent Linux privilege escalation vulnerabilities that rely on optional kernel modules, Bad Epoll affects a core kernel component that cannot be disabled, making mitigation significantly more challenging.

Technical Details
The vulnerability exists within the ep_remove() function, where the kernel clears file->f_ep but continues operating on the file object during critical cleanup operations.
A race condition allows a concurrent __fput() call to observe an inconsistent state and prematurely free a watched struct eventpoll object that is still in use. This results in a use-after-free (UAF) condition that can corrupt kernel memory.
Because struct file is allocated using SLAB_TYPESAFE_BY_RCU, attackers can recycle freed objects and manipulate memory allocations to trigger cross-cache exploitation techniques.
Root Access Through Kernel Memory Corruption
The exploit leverages four epoll objects arranged into two separate pairs:
- One pair triggers the race condition
- The second pair acts as the victim object
This transforms a limited 8-byte UAF write primitive into a more powerful file-object UAF vulnerability through a cross-cache attack.

Attackers can then:
- Obtain arbitrary kernel memory reads via /proc/self/fdinfo
- Leak kernel addresses
- Build a Return-Oriented Programming (ROP) chain
- Execute code in kernel context
- Spawn a root shell
Researchers report approximately 99% reliability on tested systems despite the race window being only a few instructions wide.
Impact on Android and Chrome Sandbox
Bad Epoll is particularly dangerous because:
- It affects Android devices running vulnerable kernels
- The epoll subsystem is always enabled
- The bug is reachable from Chrome's renderer sandbox
- It can potentially be chained with browser exploits to achieve full device compromise
This makes the vulnerability valuable for advanced exploitation chains targeting both Linux and Android environments.
Connection to AI-Assisted Vulnerability Research
Researchers noted that the same epoll codebase previously contained another race condition (CVE-2026-43074) discovered by Anthropic's AI model Mythos.
Bad Epoll remained undiscovered because:
- The race window is extremely narrow
- It rarely triggers KASAN memory-safety checks
- Runtime indicators are minimal
- Initial patch attempts failed to fully resolve the issue
Mitigation
There is currently no practical workaround.
Because epoll is a critical kernel subsystem required by:
- Linux applications
- Android systems
- Web browsers
- Container platforms
it cannot be disabled without breaking core functionality.
Organizations should:
- Apply kernel updates immediately once available
- Monitor vendor security advisories
- Prioritize patch deployment across Linux and Android environments
- Restrict local user access where possible until patches are deployed
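A small patch-triage script, as an added example that is not from the article or from the researcher, turns the two mitigation items "prioritize patch deployment" and "restrict local user access" into something a fleet owner can run. It parses `uname -r` strings, compares each host against the fixed version for its kernel series, and ranks hosts that expose shells or sandboxed code to untrusted local users first, since the flaw is a local privilege escalation. The fixed versions in FIXED_BY_SERIES are placeholders (the page names none; take the real values from your vendor advisory), and the host inventory is constructed.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed placeholders: the article gives no fixed kernel versions (patches
# were still pending). Replace with the versions named in your vendor's advisory.
# Keyed by stable series "major.minor".
FIXED_BY_SERIES: Dict[str, str] = {
    "6.6": "6.6.999",    # placeholder, not a real fix version
    "6.12": "6.12.999",  # placeholder, not a real fix version
}


def parse_kernel_release(release: str) -> Tuple[int, int, int]:
    """Turn a `uname -r` string such as '6.12.3-amd64' or '6.6.0-28-generic'
    into (major, minor, patch). Everything after the first '-' is a distro
    suffix and is ignored for the upstream-version comparison."""
    base = release.split("-", 1)[0]
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", base)
    if m is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def needs_patch(release: str, fixed_by_series: Dict[str, str] = FIXED_BY_SERIES) -> bool:
    """True when the running kernel is older than the fixed version of its
    series, or when the series has no known fix yet (unknown is treated as
    unpatched, which is the safe default for a core-subsystem bug)."""
    running = parse_kernel_release(release)
    series = f"{running[0]}.{running[1]}"
    fixed = fixed_by_series.get(series)
    if fixed is None:
        return True
    return running < parse_kernel_release(fixed)


def triage(
    inventory: Iterable[Tuple[str, str, bool]],
    fixed_by_series: Dict[str, str] = FIXED_BY_SERIES,
) -> List[Tuple[str, str]]:
    """inventory rows are (host, uname_r, has_untrusted_local_users).
    Returns [(host, priority)] for every host still needing a patch; hosts
    that give untrusted users local code execution (shell accounts, browser
    sandboxes, multi-tenant containers) are ranked 'high' and listed first."""
    out: List[Tuple[str, str]] = []
    for host, release, untrusted_local in inventory:
        if needs_patch(release, fixed_by_series):
            out.append((host, "high" if untrusted_local else "normal"))
    out.sort(key=lambda row: (row[1] != "high", row[0]))
    return out


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    ("build-01", "6.12.3-amd64", True),
    ("db-02", "6.6.0-28-generic", False),
    ("web-03", "6.12.999-amd64", True),
    ("kiosk-04", "5.15.0-100-generic", True),
]

if __name__ == "__main__":
    for host, priority in triage(SAMPLE_INVENTORY):
        print(f"{priority:6} {host}")
```

Feed it the output of `uname -r` collected from each host; any series missing from FIXED_BY_SERIES is reported as needing a patch rather than silently skipped.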
Security Implications
Bad Epoll highlights a growing trend of sophisticated Linux kernel privilege escalation vulnerabilities capable of bypassing modern security boundaries. Combined with recent flaws such as DirtyFrag, Fragnesia, DirtyClone, and Copy Fail, it demonstrates how subtle memory-management bugs can quickly become reliable root exploits.