Lead Analysis
Security & Risk (5 min read)

Linux Kernel 'Bad Epoll' Vulnerability Grants Root Access to Any Unprivileged User; Patch Awaiting Distributions

Monitor with a terminal showing root access in a server room at 3 a.m., with blinking racks in the background

CVE-2026-46242, 'Bad Epoll', allows any local unprivileged account to gain root access on Linux and Android systems with kernel 6.4 or higher. The fix has been available since April; most distributions have yet to publish the backport.

CVE-2026-46242, dubbed "Bad Epoll" by researcher Jaeyoung Chung of the CompSec Lab at the National University of Seoul (supervised by Byoungyoung Lee), allows any local unprivileged account to gain root access on hosts with Linux kernel 6.4 or higher. The exploit developed by Chung reached 99% reliability on tested targets, despite a race window only six instructions wide.

How the Vulnerability Works

The affected subsystem is epoll, the mechanism that network services, browsers, and virtually all modern Linux servers use to efficiently monitor multiple file descriptors. The flaw is a use-after-free race condition: when two epoll descriptors configured to monitor each other are closed almost simultaneously, the kernel frees a memory region while another thread is still writing to it. Chung exploited this inconsistent state to achieve arbitrary read and write access in kernel space via /proc/self/fdinfo and then executed a ROP chain to escalate privileges.
The exploit can also be triggered from within Chrome's renderer in sandbox mode. In this scenario, an attacker with code execution in the renderer chains the vulnerability to escape the sandbox and gain full control of the host machine, making a compromise chain that begins with malicious JavaScript plausible.

Patch in the Mainline since April; Most Distributions without Backport

The fix entered the kernel mainline on April 24, 2026, in commit a6dc643c6931, but remained without public announcement for 70 days. The official packages for Ubuntu LTS, Debian Stable, and Red Hat Enterprise Linux have yet to provide the backport as of the publication of this article. Pixel 10 Android devices and models with kernel 6.6 or later are vulnerable and awaiting the monthly security update from Google; devices with kernel 6.1, such as the Pixel 8, are out of scope.
The complete proof of concept, with a public repository at github.com/J-jaeyoung/bad-epoll, has been validated on builds lts-6.12.67 and cos-121-18867.294.100.

The AI Auditor that Got Half of It Right

The same 2,500-line section of the epoll subsystem where the vulnerability hides had been reviewed by Anthropic's Mythos model during a security audit exercise. The AI identified an adjacent race condition, cataloged as CVE-2026-43074, a notable result given that race conditions are among the most challenging bugs to locate even for experienced auditors. The vulnerability that Chung is now disclosing went unnoticed.
This episode highlights a clear limitation of language models as security auditors: they cover a vast surface area of code in a short time but tend to miss adjacent variants of the same class of bug when the race context is not fully explicit in the review window. Anthropic had not commented on the outcome by the time of this publication.

Global Reading: Delivery Servers and Android Fleets

In the United States, major cloud infrastructure providers operate on customized Linux distributions based on 6.x series kernels. Amazon and Google have rolled out emergency internal updates for their own fleets based on security notices shared with partners. Customer-managed instances rely on action from their infrastructure teams, without a timeline imposed by the provider.
In India, where TCS, Infosys, and Wipro employ over 1.3 million staff operating on their own data center Linux server farms (primarily based on Red Hat and Ubuntu), any user with valid credentials on a vulnerable machine has a privilege escalation vector until the backport is applied. This is an internal-origin risk: perimeter network controls do not mitigate the issue.
In Brazil, Android holds over 90% of the active smartphone base. Kernel 6.6 has already reached entry-level and mid-tier corporate devices. The exposure of corporate mobile fleets depends on how quickly local manufacturers apply Google's monthly updates.

What to Do Now

Mitigation is not a configuration switch: it is the patched kernel. Infrastructure teams should identify all hosts running kernel 6.4 or higher via uname -r, check whether the distribution has published the backport for commit a6dc643c6931, and prioritize shared CI/CD environments and servers accessible to third-party developers, where privilege escalation by an unprivileged user has greater operational impact. For corporate Android fleets, the July security update from Google is mandatory as soon as it becomes available from the device manufacturer.
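The inventory triage described above, as an added example that is not part of the article or of the researcher's repository. It classifies `uname -r` strings by major.minor against the 6.4 threshold; the hostnames and kernel strings in the sample inventory are constructed, and the script deliberately does not claim to detect the backport, since distribution kernels keep their upstream version string after a fix is backported.

```shell
#!/bin/sh
# Added example: triage hosts by kernel version for CVE-2026-46242 ('Bad Epoll').
# A kernel of 6.4 or newer is a candidate. Whether commit a6dc643c6931 was
# backported cannot be read from `uname -r`, so every candidate still needs
# its distribution's kernel package changelog or advisory checked.

# kernel_class VERSION -> prints "candidate" (>= 6.4), "older" or "unparsable".
# VERSION is whatever `uname -r` prints, e.g. "6.12.67-1-lts" or "5.15.0-91-generic".
kernel_class() {
    ver=${1%%-*}                    # drop the distro suffix after the first '-'
    major=${ver%%.*}
    rest=${ver#*.}
    if [ "$rest" = "$ver" ]; then minor=0; else minor=${rest%%.*}; fi
    case "$major" in ''|*[!0-9]*) echo unparsable; return 0 ;; esac
    case "$minor" in ''|*[!0-9]*) echo unparsable; return 0 ;; esac
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 4 ]; }; then
        echo candidate
    else
        echo older
    fi
}

# triage_inventory reads "hostname kernel-version" lines on stdin and prints
# one line per host that needs attention; kernels below 6.4 are out of scope.
triage_inventory() {
    while read -r host kver; do
        [ -n "$host" ] || continue
        class=$(kernel_class "$kver")
        [ "$class" = older ] && continue
        printf '%s %s %s\n' "$host" "$kver" "$class"
    done
}

# Constructed sample inventory (hostname, `uname -r` output); not real hosts.
SAMPLE_INVENTORY='ci-runner-01 6.12.67-1-lts
web-edge-03 5.15.0-91-generic
build-box-07 6.6.30-generic
legacy-db-02 6.1.0-18-amd64
lab-kiosk-09 unknown'

scan_sample() { printf '%s\n' "$SAMPLE_INVENTORY" | triage_inventory; }

# On a live host:  printf '%s %s\n' "$(hostname)" "$(uname -r)" | triage_inventory
scan_sample
```

Hosts marked "candidate" go on the list to verify against the distribution's backport status; "unparsable" entries mean the inventory data itself needs fixing before the host can be cleared.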
The public PoC has been active since July 4; the unpatched window is not a theoretical exposure.
