CVE-2026-46242 'Bad Epoll': 99% Reliable Exploit Turns Regular User into Root in Linux Kernel

A researcher from the National University of Seoul has published a functional exploit for CVE-2026-46242: any unprivileged local process can gain root access on Linux kernels 6.4 to 6.12 and on Android devices.
Jaeyoung Chung, a PhD student from the CompSec Lab at the National University of Seoul, publicly released a functional exploit for CVE-2026-46242, dubbed "Bad Epoll," on Friday, July 3. Any local process without privileges can escalate to root. Kernels between versions 6.4 and 6.12.67 are affected, covering the latest generation of enterprise Linux distributions and Android devices worldwide.
What the Vulnerability Does and Why the Impact Range is Broad
CVE-2026-46242 is a use-after-free race condition in the kernel's epoll subsystem. Epoll handles high-performance I/O event notification and is used by nearly every web server, message broker, and database on Linux, so the vulnerable code is continuously exercised across almost all modern Linux infrastructure.
The vulnerability occurs when two epoll file descriptors monitor each other and are both closed nearly simultaneously: the kernel frees the memory of one object while still writing to it from the other, corrupting internal memory. The race window is only six instructions wide. Chung chained four epoll objects to amplify the probability of success, achieving 99% reliability on LTS 6.12.67 and 98% on COS 121-18867, the standard base image for Google Cloud Compute Engine VMs.
Bad Epoll can be triggered from within the Chrome renderer sandbox, a perimeter that blocks most known kernel bugs. Of the 130 exploits submitted to the Google kernelCTF program throughout its history, about ten are potential candidates for rooting Android devices, and CVE-2026-46242 is in this group. Google paid Chung a base bounty of $71,337 for the discovery.
Why the Patch Took Five Months to Become Public Knowledge
The vulnerability was reported on February 17, 2026. The fix commit a6dc643c6931 reached the upstream kernel on April 24, but the standard embargo of the Google kernelCTF program held back public disclosure until this week. The vulnerable code was introduced in kernel 6.4 by commit 58c9b016e128, from April 2023; kernels from the 6.1-LTS branch are not affected.
CVE-2026-43074, an adjacent race condition in the same epoll code, had been identified through AI-based automated scanning before this disclosure. Bad Epoll remained undetected. According to Chung's technical analysis, once the first bug was fixed, the adjacent flaw no longer triggered the kernel's memory sanitizer, removing the runtime trace on which automated detection tools rely. This pattern is relevant for any team using AI-based scanners for code screening: when two bugs coexist on the same execution path, fixing one may mask the other from any scanner that depends on execution evidence to flag a problem.
Exposure in Global Infrastructure and What to Do Now
Ubuntu 24.04 LTS, with its standard 6.8 kernel, and Debian 13 are in the affected range. Google confirmed that COS 121 instances are already receiving the patched kernel automatically. AWS and Azure had not published individual bulletins at the time of publication; teams that pin kernel versions in custom images need to verify that commit a6dc643c6931 is incorporated before expanding capacity.
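One way to triage a fleet against the range and fix commit given above, as an added example that is not from the researcher or any vendor. The status labels, host names, release strings and log text are constructed assumptions; only the version bounds and the commit hash come from this article.

```python
import re

# Values from the article; host names and log text below are constructed.
FIRST_AFFECTED = (6, 4, 0)     # bug introduced in 6.4 by commit 58c9b016e128
LAST_LISTED = (6, 12, 67)      # highest release the article names as affected
FIX_COMMIT = "a6dc643c6931"    # upstream fix (abbreviated hash)

def parse_release(release):
    """Return (major, minor, patch) from a `uname -r` string, or None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def mentions_fix(log_text):
    """True if a git log or package changelog cites the upstream fix hash.
    Stable backports get new hashes but cite the original in the message."""
    pattern = r"\b" + FIX_COMMIT + r"[0-9a-f]*\b"
    return re.search(pattern, log_text or "", re.I) is not None

def triage(release, log_text=""):
    """Classify one kernel. A version number alone never proves a fix:
    distributions backport patches without changing the base version."""
    if mentions_fix(log_text):
        return "fix-present"
    version = parse_release(release)
    if version is None:
        return "unknown"
    if version < FIRST_AFFECTED:
        return "predates-bug"
    if version <= LAST_LISTED:
        return "affected-range-unverified"
    return "above-listed-range-unverified"

def triage_fleet(inventory):
    """inventory: {host: (release, log_text)} -> {status: [hosts]}"""
    groups = {}
    for host, (release, log_text) in sorted(inventory.items()):
        groups.setdefault(triage(release, log_text), []).append(host)
    return groups

if __name__ == "__main__":
    sample = {  # constructed inventory
        "web-01": ("6.8.0-45-generic", ""),
        "db-01": ("6.1.140-cloud-amd64", ""),
        "ci-01": ("6.12.67", ""),
        "ci-02": ("6.12.67-custom", "backport of upstream commit a6dc643c6931"),
        "lab-01": ("6.15.2", ""),
    }
    for status, hosts in triage_fleet(sample).items():
        print(status, hosts)
```

Hosts in either "unverified" group still need the vendor changelog or kernel source log checked for the fix commit, since the article gives no status for releases above 6.12.67.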
In Europe, NIS2 mandates that critical infrastructure operators document vulnerabilities with potential privilege escalation and notify competent authorities within 72 hours of confirmed exploitation. No in-the-wild exploitation has been reported as of this publication, but a publicly available exploit with 99% reliability eliminates the technical barrier for opportunistic attacks.
The highest-risk vector in enterprise environments is the host nodes of Kubernetes clusters with unrestricted user namespaces, a configuration present by default in several managed Kubernetes distributions. In shared CI/CD pipelines, any job running code compromised through the supply chain can use Bad Epoll to escalate from container isolation to the host and access secrets belonging to other teams. Delivery centers in India, where TCS, Infosys, and Wipro operate multi-tenant Kubernetes for clients in Europe, the U.S., and Asia-Pacific, have a particularly broad attack surface. Updating the kernel requires a maintenance window, but delaying the fix while a high-reliability public exploit is available unnecessarily prolongs the risk.