A new Linux kernel bug lets an ordinary, unprivileged user become root. It now hits Android too. Researchers have named it Bad Epoll. The Bad Epoll vulnerability carries the identifier CVE-2026-46242. The full technical writeup and exploit code are public. A fix is out, but the flaw sat in mainline Linux for close to three years before anyone caught it.
What the Bad Epoll vulnerability actually is
The bug is a use-after-free race condition. It sits in the kernel’s epoll subsystem, the code that lets a program watch many file descriptors at once. It traces back to a single commit from April 2023. That commit quietly introduced two separate race conditions into roughly 2,500 lines of epoll code. One of those bugs, tracked separately as CVE-2026-43074, was found and fixed earlier this year. Bad Epoll is the second, and it took longer to pin down.
Inside a function called ep_remove(), the kernel clears a pointer field on a file object. Then it keeps using that same file inside a critical section. If another thread drops the file’s reference count at the same instant, the file gets freed. So does its associated eventpoll structure. Meanwhile ep_remove() still believes it holds a valid reference. That is a textbook use-after-free, the kind of bug that has powered kernel privilege escalation exploits for years.
Why the race window is narrow, and why that barely matters
The gap where the two code paths can collide is only about six machine instructions wide. A single attempt almost never lands in it. Jaeyoung Chung built an exploit that gets around that anyway. He is a PhD student at Seoul National University’s CompSec Lab, and he researches concurrency bugs in the Linux and Android kernels. His technique chains four linked epoll file descriptors. Two pairs repeatedly trigger the race, while the others act as victims. The exploit loops the attempt until it lands, without ever crashing the kernel. The result hits root roughly 99% of the time on a vulnerable machine.
Once the race succeeds, the exploit turns an eight-byte corrupted write into control over a file object. From there it reads arbitrary kernel memory through /proc/self/fdinfo. Then it builds a return-oriented-programming chain to spawn a root shell. Chung submitted the work to Google’s kernelCTF program, which pays out for exploits that meet a working, repeatable bar. He published the technique afterwards.
A messy path to a real fix
Chung first reported the issue on 17 February 2026. Kernel maintainers pushed a patch, but it addressed only the related CVE-2026-43074 bug. That patch merged on 2 April without closing the second race. Chung re-reported the remaining flaw on 22 April. The correct fix landed two days later as upstream commit a6dc643c6931. Close to two months passed between the first report and a patch that actually worked. During that gap, a public proof-of-concept technique existed for a root-granting kernel bug.
Which systems are exposed
The flaw affects mainline Linux from version 6.4 onward, plus the backport ranges distributions maintain on older long-term-support branches. On Android, devices running 6.6-series kernels and newer are confirmed vulnerable, including current Pixel hardware. Older 6.1-based kernels, such as those on Pixel 8, predate the 2023 commit that introduced the bug. Those devices are not affected. The National Vulnerability Database rates the Bad Epoll vulnerability 7.8 on the CVSS 3.1 scale. That score describes a local, low-complexity attack that needs no user interaction and grants full control over confidentiality, integrity and availability.
There is a further wrinkle for anyone running Chrome. The proof-of-concept can be triggered from inside Chrome’s sandboxed renderer process. An attacker who already has renderer code execution, through a separate browser bug, could in principle chain the Bad Epoll vulnerability with that access to break out of the sandbox entirely. Nobody has published that full chain yet. Chung’s own writeup is careful to say the Android exploitation path is still a work in progress. There is no evidence so far of the bug being used in real attacks, and it does not appear on CISA’s Known Exploited Vulnerabilities list.
What to do about it
The upstream fix is public. The practical task now falls to distributions and device vendors: pull in commit a6dc643c6931 and ship it. Anyone tracking kernel versions on servers, workstations or Android fleets should check for a vendor backport that closes the Bad Epoll vulnerability. Prioritise it the way you would any local root escalation with a public, working exploit. Cloud providers running shared or multi-tenant Linux hosts have particular reason to move quickly. A local privilege escalation on a shared kernel is exactly the scenario that turns a minor foothold into full host compromise.