A newly disclosed Linux kernel vulnerability, dubbed ‘Bad Epoll’ (CVE-2026-46242), lets an unprivileged local user escalate to root on Linux servers, desktops, and Android devices. The flaw is a race condition in the kernel’s epoll subsystem that leads to a use-after-free (UAF).
Understanding the Bad Epoll Vulnerability
The ‘Bad Epoll’ flaw is a UAF in ep_remove(): file->f_ep is cleared under file->f_lock, but the file object is still used afterwards, during hlist_del_rcu() and the final spin_unlock(). A concurrent __fput() on the same file can observe that transient NULL f_ep, skip eventpoll_release_file(), and proceed straight to f_op->release, which can free a struct eventpoll that is still in use and so corrupt kernel memory.
Because struct file is allocated from a SLAB_TYPESAFE_BY_RCU cache, the freed slot can be recycled immediately by alloc_empty_file(), and the attacker can then steer a kmem_cache_free() at the wrong slab cache. The bug was found by researcher Jaeyoung Chung, who submitted it as a zero-day to Google’s kernelCTF program, which pays out for working Linux kernel exploits.
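To make the ordering problem concrete, the following is a small user-space C model of the interleaving described above. It is an added illustration for this article, not the kernel’s code, Chung’s exploit, or the upstream fix: the struct names, the functions fput_side() and simulate_race(), and the “check under lock” variant are constructed for the example, and the interleaving is forced step by step rather than raced with real threads, so the result is deterministic.

```c
/*
 * User-space model of the ep_remove()/__fput() ordering bug described above.
 * Constructed illustration only: the structs, functions and the "fixed"
 * variant are simplifications for the example, not kernel code or the
 * upstream patch.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct eventpoll_model { int watched; };   /* stands in for struct eventpoll */

struct file_model {
    struct eventpoll_model *f_ep;   /* analogue of file->f_ep: non-NULL while watched */
    bool f_lock;                    /* analogue of file->f_lock: true while held */
    bool freed;                     /* set once the fput path has freed the object */
    int uses_after_free;            /* every access after 'freed' is counted here */
};

/* Every touch of the file object goes through here so a UAF becomes observable. */
static void touch(struct file_model *f) { if (f->freed) f->uses_after_free++; }
static void f_lock_acquire(struct file_model *f) { touch(f); f->f_lock = true; }
static void f_lock_release(struct file_model *f) { touch(f); f->f_lock = false; }

/*
 * CPU B: the __fput() side. 'check_under_lock' selects the illustrative fix.
 * Returns true if it reached f_op->release and freed the file, false if it
 * could not proceed yet because CPU A still holds f_lock.
 */
static bool fput_side(struct file_model *f, bool check_under_lock)
{
    if (check_under_lock) {
        if (f->f_lock)                         /* would block until CPU A unlocks */
            return false;
        f_lock_acquire(f);
        bool detached = (f->f_ep == NULL);     /* nothing left to detach from epoll */
        f_lock_release(f);
        if (!detached)                         /* eventpoll_release_file() path; not modelled */
            return false;
    } else {
        /* lockless READ_ONCE(file->f_ep): a transient NULL skips eventpoll_release_file() */
        if (f->f_ep != NULL)
            return false;
    }
    f->freed = true;                           /* f_op->release: struct file is freed */
    return true;
}

/* Forced interleaving: CPU A clears f_ep, CPU B runs, CPU A finishes with the file. */
static int simulate_race(bool fixed)
{
    struct eventpoll_model ep = { .watched = 1 };
    struct file_model f = { .f_ep = &ep };

    f_lock_acquire(&f);                        /* CPU A: ep_remove() takes file->f_lock */
    f.f_ep = NULL;                             /* CPU A: publishes NULL before its last use of f */

    bool freed_early = fput_side(&f, fixed);   /* CPU B: concurrent __fput() lands here */

    f_lock_release(&f);                        /* CPU A: spin_unlock() still touches f */

    if (!freed_early)
        fput_side(&f, fixed);                  /* CPU B: proceeds once the lock is free */
    return f.uses_after_free;                  /* 1 for the vulnerable ordering, 0 when fixed */
}

int main(void)
{
    printf("lockless f_ep check: %d use(s) after free\n", simulate_race(false));
    printf("check under f_lock:  %d use(s) after free\n", simulate_race(true));
    return 0;
}
```

The point of the model is the single line where f_ep is set to NULL while the remover still has work left on the file: a reader that trusts that NULL without synchronisation frees the object from under the remover. The “check under lock” variant is one textbook way to close such a window and is shown only for contrast; it is not a claim about what the actual kernel patch did.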
Implications for Android and Other Systems
Unlike many Linux privilege-escalation bugs, ‘Bad Epoll’ also affects Android, because epoll is a core kernel component that cannot be disabled or unloaded the way an optional module can. That greatly widens the population of affected devices.
The epoll system calls are also reachable from inside the Chrome renderer sandbox, so an attacker could chain a renderer exploit with ‘Bad Epoll’ to reach full kernel code execution. Although the race window is only about six instructions wide, Chung’s exploit widens it and can retry without crashing the kernel, achieving high reliability on the tested systems.
Efforts to Address the Vulnerability
A 2023 kernel commit introduced two separate race conditions into the roughly 2,500-line epoll code path. The first, CVE-2026-43074, was found by Anthropic’s AI model Mythos, an early demonstration of AI finding kernel race bugs. ‘Bad Epoll’ was harder to find, most likely because of its very short timing window and because it tends not to trigger KASAN, the kernel’s main memory-error detector.
The maintainers’ first patch did not fully close the hole; a correct fix arrived nearly two months after the initial disclosure. The exploit uses four epoll objects arranged in two pairs: closing one pair triggers the race, while the other serves as the victim. The result is a UAF on a file object, which a cross-cache attack turns into an arbitrary kernel memory read and then control-flow hijacking with a ROP chain to gain root.
Because epoll is essential to both the OS and browsers, it cannot be disabled; administrators’ only remedy is to apply the upstream patch or wait for their distribution to backport it. Until a fixed kernel is running, any host on which untrusted local code can execute, including sandboxed code such as a browser renderer, remains exposed.
‘Bad Epoll’ is a reminder that a non-optional, long-lived kernel subsystem is a high-value target and that, for this class of bug, timely kernel patching is the only mitigation available to Linux and Android administrators.
