Technical experts have disclosed details and a proof-of-concept exploit for a significant Linux kernel vulnerability termed ‘Bad Epoll’, which poses a risk of unauthorized root access on various platforms including desktops, servers, and Android devices.
Understanding the Bad Epoll Vulnerability
The vulnerability, identified as CVE-2026-46242 with a CVSS score of 7.8, emerges from a race-condition use-after-free error in the Linux kernel’s epoll subsystem. This subsystem is responsible for efficient I/O event notifications, managing an epoll instance that tracks both interested and ready file descriptors.
Bad Epoll arises from a close-vs-close race condition in the file-release path of epoll, leading to use-after-free scenarios. When two eventpoll file descriptor lists monitor each other and close simultaneously, one may free resources while the other continues to access them, creating a potential exploitation window.
Discovery and Implications
The vulnerability was discovered by Jaeyoung Chung of Seoul National University’s Computer Security Lab and reported to Google’s kernelCTF as a zero-day issue. Notably, Bad Epoll was introduced alongside another race condition vulnerability, CVE-2026-43074, in 2023. The latter was identified by Anthropic’s Mythos but did not trigger the Kernel Address Sanitizer (KASAN), complicating its detection.
Chung’s research highlights the complexity of addressing Bad Epoll, noting that initial attempts to patch the bug were inadequate. A successful patch was only implemented two months after the vulnerability was reported, indicating the challenge it posed to kernel maintainers.
Exploitation and Affected Systems
Chung has released a PoC exploit demonstrating how Bad Epoll can be used to leak kernel memory and manipulate the CPU’s instruction pointer to gain root privileges through a Return-Oriented Programming (ROP) chain. This vulnerability is confirmed to affect Linux distributions using kernel version 6.4 or newer, including Pixel 10 devices running kernel version 6.6.
The release of this exploit code underscores the critical need for system administrators and users to update affected systems promptly to mitigate potential security risks.
In conclusion, while the Bad Epoll vulnerability represents a serious security challenge, ongoing efforts in the cybersecurity community aim to address such vulnerabilities swiftly, emphasizing the importance of timely patches and updates to protect against exploitation.
