Linux Bad Epoll CVE-2026-46242 local privilege escalation

Summary

CVE-2026-46242, publicly documented as Bad Epoll, is a Linux kernel epoll race-condition use-after-free that can let an unprivileged local process escalate to root. Public exploit material from researcher Jaeyoung Chung describes exploitation against Google kernelCTF and highlights Android reachability, Chrome renderer-sandbox chaining potential, and the absence of a practical feature-level kill switch because epoll is a core kernel facility.

The issue is distinct from but adjacent to CVE-2026-43074, another epoll race in the same 2023-introduced code path. The public Bad Epoll writeup notes that Anthropic's Mythos AI found CVE-2026-43074 but missed CVE-2026-46242, making this a useful defender reminder that AI-assisted audit coverage is not equivalent to vulnerability-family closure.

Why this matters

  • This is a post-compromise root path for Linux desktops, servers, developer workstations, CI runners, container hosts, multi-user systems, and Android-derived devices with vulnerable kernels.
  • The public writeup says Bad Epoll can be reached from inside Chrome's renderer sandbox, creating a plausible second-stage primitive after browser renderer code execution.
  • Unlike module-scoped Linux LPEs, epoll cannot simply be disabled in normal production environments; defenders should treat kernel patching and reboot validation as the primary control.
  • A public exploit repository and kernel stable patch give attackers and defenders concrete implementation detail. Systems with untrusted local code execution should be prioritized.
  • The Mythos comparison is operationally relevant for AI-era code review: one AI-discovered sibling race did not close the whole bug class.

Public vulnerability detail

  • Name: Bad Epoll.
  • CVE: CVE-2026-46242.
  • Component: Linux kernel epoll / eventpoll subsystem.
  • Bug class: race-condition use-after-free involving ep_remove / eventpoll file lifetime handling.
  • Impact: local privilege escalation to root / kernel code execution.
  • Public exploit status: public GitHub repository and kernelCTF exploitation notes are available.
  • Patch reference: Linux stable commit a6dc643c69311677c574a0f17a3f4d66a5f3744b, titled "eventpoll: fix ep_remove struct eventpoll / struct file UAF".
  • Related issue: CVE-2026-43074, a separate race in the same area that the Bad Epoll writeup says was found by Anthropic Mythos.

Defender heuristics

  1. Prioritize patched kernels for any host where untrusted users, containers, browser workloads, CI jobs, build scripts, EDR sensor plugins, or developer tooling can execute code.
  2. Validate the running kernel includes the distribution backport for CVE-2026-46242; package installation without reboot is not sufficient.
  3. For Android / embedded / appliance fleets, track vendor kernel drops separately from upstream Linux status; the public writeup explicitly calls out Android-rooting relevance.
  4. If patching is delayed, reduce the chance of local code execution: harden browser sandboxes, isolate high-risk browsing, constrain untrusted CI workloads, reduce shell access, and minimize shared multi-user exposure.
  5. Hunt for unusual local privilege-escalation behavior: short-lived exploit binaries, unexpected epoll stress/test programs, sudden root shells from user or browser contexts, kernel warnings/crashes near eventpoll paths, and suspicious use of public Bad Epoll PoC artifacts.
  6. Treat suspected exploitation as host-root compromise. Preserve volatile evidence, kernel/package state, process telemetry, browser/renderer crash artifacts, CI runner job provenance, and secrets available to the compromised principal.
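
Heuristic 2 as a fleet check, added here as an example (not code from the Bad Epoll repository or the kernel patch): it separates hosts running a fixed kernel from hosts where the fixed package is installed but the old kernel is still in memory. Assumptions: FIXED_RELEASE is a placeholder you fill from your distribution's advisory, installed kernels appear under /lib/modules, GNU `sort -V` is available, and release strings are compared only within one distribution kernel stream.

```shell
#!/bin/sh
# Added example: classify a host for CVE-2026-46242 patch/reboot state.
# FIXED_RELEASE is a placeholder; take the first fixed `uname -r` string
# from your distribution's advisory. Requires GNU sort (-V).

# Print the highest release from newline-separated releases on stdin.
newest_release() {
    sort -V | tail -n 1
}

# List installed kernel releases (assumes one directory per release).
installed_releases() {
    ls -1 "${1:-/lib/modules}" 2>/dev/null
}

# Succeed when release $1 sorts at or above release $2.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# kernel_state RUNNING FIXED INSTALLED_LIST
#   patched-running : the kernel in memory is at or above the fixed release
#   reboot-required : a fixed kernel is on disk, the running one is older
#   unpatched       : no installed kernel reaches the fixed release
kernel_state() {
    running=$1
    fixed=$2
    installed=$3
    newest=$(printf '%s\n' "$installed" | newest_release)
    if version_ge "$running" "$fixed"; then
        echo "patched-running"
    elif [ -n "$newest" ] && version_ge "$newest" "$fixed"; then
        echo "reboot-required"
    else
        echo "unpatched"
    fi
}

# Runs against the local host only when FIXED_RELEASE is set by the operator.
if [ -n "${FIXED_RELEASE:-}" ]; then
    kernel_state "$(uname -r)" "$FIXED_RELEASE" "$(installed_releases)"
fi
```

A "reboot-required" result is the case the heuristic warns about: package inventory reports the host as fixed while the vulnerable kernel is still executing.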

Sources

  • Jaeyoung Chung / public Bad Epoll repository: https://github.com/J-jaeyoung/bad-epoll
  • Linux stable patch: https://git.kernel.org/stable/c/a6dc643c69311677c574a0f17a3f4d66a5f3744b
  • The Hacker News: https://thehackernews.com/2026/07/new-bad-epoll-linux-kernel-flaw-lets.html