A newly disclosed Linux kernel vulnerability identified as Bad Epoll, tracked as CVE-2026-46242, allows an unprivileged user to escalate privileges and gain full root access on affected systems. The flaw impacts a wide range of environments including Linux desktops, servers, and Android devices, and a security patch has already been released. Researchers note that the vulnerability exists within the epoll subsystem of the Linux kernel, a core mechanism used by applications to monitor multiple file descriptors and network connections simultaneously, making it a fundamental component of modern operating systems that cannot be easily disabled.
Security researcher Jaeyoung Chung identified the vulnerability and developed a working exploit as part of Google’s kernelCTF program. The flaw is classified as a use after free issue, where two kernel execution paths attempt to free and access the same memory object simultaneously. This race condition results in memory corruption that can be exploited to execute arbitrary code with elevated privileges. The timing window required to trigger the issue is extremely narrow, spanning only a few machine instructions, making exploitation difficult under normal conditions. However, Chung demonstrated that the exploit can be engineered to repeatedly attempt execution until success, achieving a success rate of approximately 99 percent on tested systems. The researcher also noted that the exploit can be triggered from within Chrome’s renderer sandbox environment, which is designed to restrict most kernel level attacks, and it is also capable of affecting Android devices, increasing its real world impact.
The vulnerability is linked to a change introduced in 2023 within the epoll codebase, which appears to have inadvertently introduced the race condition. Chung explained that an earlier related issue tracked as CVE-2026-43074 was identified by Anthropic’s AI model Mythos, which detected a similar flaw in the same code area and contributed to a previous fix earlier in 2026. However, the newly discovered Bad Epoll issue remained undetected by the AI system, despite being closely related to the earlier vulnerability. According to analysis, one reason the flaw may have been missed is the extremely narrow timing window required to trigger the race condition, making it difficult to identify through static or runtime analysis. Additionally, once partial fixes were applied, the resulting memory errors often failed to trigger kernel sanitizers such as KASAN, reducing visibility into the underlying issue.
At present, there is no indication that Bad Epoll has been actively exploited in the wild, and it is not listed on CISA’s Known Exploited Vulnerabilities catalog. The only known working exploit remains the proof of concept developed for kernelCTF, and an Android specific version is still under development. Systems running Linux kernel version 6.4 and newer are affected unless they have already applied the upstream fix, identified as commit a6dc643c6931, or received distribution backports. Older kernels based on version 6.1, including certain Android devices such as Pixel 8, are not affected as the vulnerability was introduced in later kernel releases.
The disclosure comes amid a broader wave of Linux kernel privilege escalation vulnerabilities, including Copy Fail CVE-2026-31431 and a series of related issues such as Dirty Frag, Fragnesia, DirtyClone, and pedit COW. Unlike deterministic memory corruption bugs that require no race conditions, Bad Epoll belongs to a more complex class of race based vulnerabilities similar to historical exploits like Dirty Cow. Additional research from Bynario also revealed a separate FUSE filesystem flaw tracked as CVE-2026-31694, which could allow local users with FUSE access to corrupt memory or gain elevated privileges in containerized environments. Researchers emphasize that Bad Epoll highlights the persistent difficulty of identifying, patching, and reliably exploiting race condition vulnerabilities in modern kernel code, even with the assistance of advanced AI based analysis systems.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.