Bad Epoll CVE-2026-46242: Patch Linux Kernel Root Flaw

Bad Epoll (CVE-2026-46242) is a Linux kernel epoll use-after-free that can give local users root. Patch affected kernels and verify vendor backports.

Linux administrators should treat Bad Epoll (CVE-2026-46242) as a real local-root risk on shared systems, developer workstations, CI runners, and container hosts. The flaw sits in the Linux kernel’s epoll/eventpoll code, a core interface used by servers, browsers, and ordinary applications to watch many file descriptors at once. A normal user needs local code execution first, but the public research shows how that foothold can become root on affected kernels.[1]

The bug is a race-condition use-after-free. NVD’s kernel.org-backed record describes an ep_remove() path where ep_remove_file() clears file->f_ep under a lock, keeps using the file object, and can collide with a concurrent release path that frees the watched struct eventpoll. The kernel.org CVSS 3.1 score is 7.8 High, with local attack vector, low complexity, low privileges, and high confidentiality, integrity, and availability impact.[2]

Researcher Jaeyoung Chung disclosed the issue in a public Bad Epoll write-up after submitting it to Google’s kernelCTF program. The write-up says the exploit path reached about 99% reliability on tested kernelCTF targets and that the issue is notable because epoll is not an optional module defenders can simply unload. The practical fix is a patched kernel or a distribution backport of the upstream fix, not a configuration toggle.[1]

This is not the same risk profile as a remote internet-facing RCE. Attackers still need a way to run local code first: a compromised web app, a shell account, a malicious CI job, a browser sandbox escape, an untrusted desktop app, or a container workload that gives them enough kernel reach. But that is exactly why local-root bugs keep mattering. Recent HowToFix coverage of Copy Fail, DirtyClone, and pedit COW shows the same operational pattern: a limited foothold becomes host control when kernel patching lags.

Who should patch Bad Epoll first

Prioritize machines where “local user” does not mean “trusted administrator.” That includes multi-tenant Linux servers, student or research systems, shared build hosts, Kubernetes and container nodes, browser-testing sandboxes, VDI fleets, and developer laptops that run untrusted dependencies. A single compromised package, job token, or web shell can change severity if the attacker can pair it with a reliable local privilege escalation.

Affected scope needs vendor confirmation, not guesswork from uname -r alone. Chung’s write-up says the vulnerable change was introduced in Linux 6.4-era code and that older 6.1-based Android devices such as Pixel 8 are not affected, while newer Android kernels may be reachable and Android exploit work was still in progress at disclosure time.[1] NVD also lists kernel.org patch references and affected version ranges, while Debian’s tracker shows bullseye and bookworm as not affected because the vulnerable code is not present there, even though newer branches need fixes or further tracking.[2][3]

For response, install the vendor-fixed kernel and reboot into it; do not count a package update as complete until the running kernel has changed. If a system allows untrusted local code and cannot be rebooted quickly, reduce exposure where possible: pause untrusted CI jobs, review shell access, limit risky browser or sandbox workloads, and tighten container admission until the patched kernel is live. Those are temporary containment steps, not substitutes for the kernel fix.
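One way to check the "running kernel has changed" step on a host, as an added example that is not from the original article or the researcher's repository. It compares the running release with the newest installed module tree and with a fixed release taken from your vendor's advisory; FIXED_RELEASE, the function names, and the sort -V ordering heuristic are assumptions of this example.

```sh
#!/bin/sh
# Added example: has the host actually booted a fixed kernel?
# FIXED_RELEASE is operator-supplied from the vendor advisory (assumption);
# this page does not list fixed release strings.

# version_ge A B: succeeds when A sorts at or above B under `sort -V`.
# Heuristic ordering; it is not the distribution's package comparison.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# newest_installed [DIR]: highest release with a module tree under DIR.
newest_installed() {
    moddir=${1:-/lib/modules}
    for d in "$moddir"/*/; do
        [ -d "$d" ] || continue
        basename "$d"
    done | sort -V | tail -n 1
}

# kernel_patch_state RUNNING NEWEST FIXED prints one of:
#   patched-running  running kernel is at or above the fixed release
#   reboot-pending   fixed kernel installed, old kernel still running
#   update-needed    no installed kernel reaches the fixed release
kernel_patch_state() {
    running=$1; newest=$2; fixed=$3
    if version_ge "$running" "$fixed"; then
        echo patched-running
    elif [ -n "$newest" ] && version_ge "$newest" "$fixed"; then
        echo reboot-pending
    else
        echo update-needed
    fi
}

# Report only when the operator has supplied the advisory's release string.
if [ -n "${FIXED_RELEASE:-}" ]; then
    state=$(kernel_patch_state "$(uname -r)" "$(newest_installed)" "$FIXED_RELEASE")
    echo "$(uname -n): running $(uname -r): $state"
fi
```

Run it with FIXED_RELEASE set to the release string from your vendor's advisory. Where a distribution ships a backport without changing the release string, this comparison cannot see the fix, so confirm against the vendor's package version instead.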

Incident responders should also look for the consequences of root, not only the exploit attempt. Review new setuid binaries, unexpected kernel or boot changes, new privileged users, altered sudoers files, suspicious CI artifacts, container escape indicators, and authentication events that follow a low-privilege compromise. Bad Epoll does not currently appear in CISA’s Known Exploited Vulnerabilities catalog, but the public proof-of-concept and the lack of a simple kill-switch make early patching the safer choice for exposed Linux fleets.[1][4]

References

  1. Jaeyoung Chung. “Bad Epoll: The bug missed by Mythos.” GitHub research repository. https://github.com/J-jaeyoung/bad-epoll
  2. National Vulnerability Database. “CVE-2026-46242 Detail.” https://nvd.nist.gov/vuln/detail/CVE-2026-46242
  3. Debian Security Tracker. “CVE-2026-46242.” https://security-tracker.debian.org/tracker/CVE-2026-46242
  4. The Hacker News. “New Bad Epoll Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android.” July 3, 2026. https://thehackernews.com/2026/07/new-bad-epoll-linux-kernel-flaw-lets.html

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.
