News

New 'Bad Epoll' Linux Kernel Flaw Allows Full System Takeover

A critical Linux kernel flaw, 'Bad Epoll,' enables attackers to gain root access on affected systems, including desktops, servers, and Android devices.

The 'Bad Epoll' vulnerability (CVE-2026-46242) allows an ordinary user to escalate privileges to root on Linux systems. Discovered by Jaeyoung Chung, it affects desktops, servers, and Android. A fix is available, but the flaw highlights ongoing challenges in securing the Linux kernel.

New 'Bad Epoll' Linux Kernel Flaw Allows Full System Takeover

A newly disclosed Linux kernel vulnerability, dubbed 'Bad Epoll' (CVE-2026-46242), enables an ordinary user to gain root access on affected systems. This critical flaw impacts Linux desktops, servers, and Android devices, and a fix has been released to address the issue.

Discovery and Impact

The vulnerability was discovered by researcher Jaeyoung Chung, who developed a working exploit to demonstrate its severity. Bad Epoll is a 'use-after-free' bug in the kernel's epoll feature, which allows programs to monitor multiple files or network connections simultaneously. This feature is widely used by servers, network services, and web browsers, making it a critical component of the Linux ecosystem.

The bug occurs when two parts of the kernel attempt to clean up the same internal object concurrently. One part frees the memory while the other is still writing to it, creating a brief window where an attacker can corrupt kernel memory and escalate privileges to root. The timing window for exploitation is extremely narrow—about six machine instructions wide—making it difficult to exploit randomly. However, Chung's exploit successfully widens this window, achieving root access approximately 99% of the time on tested systems.

Key Dangers

Bad Epoll is particularly dangerous for two reasons:

  1. It can be triggered from within Chrome's renderer sandbox, which typically blocks most kernel bugs.
  2. It affects Android devices, a platform that most Linux privilege escalation bugs cannot target.

Chung submitted the flaw to Google's kernelCTF program as a zero-day vulnerability. As of now, there is no evidence that the flaw has been exploited in real-world attacks, and it is not listed on CISA's Known Exploited Vulnerabilities catalog.

Relation to Previous Bugs

Both Bad Epoll and a previously discovered bug (CVE-2026-43074) trace back to a single code change made in 2023. The earlier bug was identified by Anthropic's AI model, Mythos, but Bad Epoll was missed. Chung attributes this oversight to the bug's narrow timing window and the lack of runtime evidence, which makes it difficult for AI and human researchers alike to detect.

Mitigation and Fixes

There is no workaround for Bad Epoll, as epoll cannot be disabled. Users are advised to apply the upstream commit a6dc643c6931 or install their distribution's backported fix once available. Kernels built on version 6.4 or newer are affected unless they already include the fix. Older kernels, such as those based on version 6.1, are not impacted.

A Busy Year for Linux Kernel Flaws

Bad Epoll is the latest in a series of high-profile Linux kernel vulnerabilities, following others like Bad Binder, Bad IO_uring, and Bad Spin. Recent months have seen the disclosure of additional flaws, such as Copy Fail (CVE-2026-31431) and the Dirty Frag chain, which have been added to CISA's list of known exploited vulnerabilities.

In addition to Bad Epoll, a public proof-of-concept has emerged for CVE-2026-31694, a separate flaw in the kernel's FUSE filesystem code. This vulnerability, discovered by AI-driven research firm Bynario, allows a local user with FUSE access to corrupt kernel memory, potentially leading to root access, data leaks, or system crashes.

The Role of AI in Bug Discovery

The discovery of Bad Epoll underscores the challenges of detecting race-condition bugs, even with advanced AI tools. While Anthropic's Mythos model identified the first epoll bug, it missed Bad Epoll due to its subtle nature. This highlights the ongoing need for human expertise to complement AI-driven research in securing critical systems.