Linux Bad Epoll CVE-2026-46242 local privilege escalation
Summary
CVE-2026-46242, publicly documented as Bad Epoll, is a Linux kernel epoll race-condition use-after-free that can let an unprivileged local process escalate to root. Public exploit material from researcher Jaeyoung Chung describes exploitation against Google kernelCTF and highlights Android reachability, Chrome renderer-sandbox chaining potential, and the absence of a practical feature-level kill switch because epoll is a core kernel facility.
The issue is distinct from but adjacent to CVE-2026-43074, another epoll race in the same 2023-introduced code path. The public Bad Epoll writeup notes that Anthropic's Mythos AI found CVE-2026-43074 but missed CVE-2026-46242, making this a useful defender reminder that AI-assisted audit coverage is not equivalent to vulnerability-family closure.
Tags
- ops
- operations
- vulnerability
- exploitation
- Linux
- Linux kernel
- Bad Epoll
- CVE-2026-46242
- CVE-2026-43074
- local privilege escalation
- root
- use-after-free
- race condition
- epoll
- eventpoll
- Android
- Chrome renderer sandbox
- kernelCTF
- public exploit
- AI vulnerability discovery
- Mythos
Why this matters
- This is a post-compromise root path for Linux desktops, servers, developer workstations, CI runners, container hosts, multi-user systems, and Android-derived devices with vulnerable kernels.
- The public writeup says Bad Epoll can be reached from inside Chrome's renderer sandbox, creating a plausible second-stage primitive after browser renderer code execution.
- Unlike module-scoped Linux LPEs,
epollcannot simply be disabled in normal production environments; defenders should treat kernel patching and reboot validation as the primary control. - A public exploit repository and kernel stable patch give attackers and defenders concrete implementation detail. Systems with untrusted local code execution should be prioritized.
- The Mythos comparison is operationally relevant for AI-era code review: one AI-discovered sibling race did not close the whole bug class.
Public vulnerability detail
- Name: Bad Epoll.
- CVE:
CVE-2026-46242. - Component: Linux kernel
epoll/eventpollsubsystem. - Bug class: race-condition use-after-free involving
ep_remove/ eventpoll file lifetime handling. - Impact: local privilege escalation to root / kernel code execution.
- Public exploit status: public GitHub repository and kernelCTF exploitation notes are available.
- Patch reference: Linux stable commit
a6dc643c69311677c574a0f17a3f4d66a5f3744btitledeventpoll: fix ep_remove struct eventpoll / struct file UAF. - Related issue:
CVE-2026-43074, a separate race in the same area that the Bad Epoll writeup says was found by Anthropic Mythos.
Defender heuristics
- Prioritize patched kernels for any host where untrusted users, containers, browser workloads, CI jobs, build scripts, EDR sensor plugins, or developer tooling can execute code.
- Validate the running kernel includes the distribution backport for
CVE-2026-46242; package installation without reboot is not sufficient. - For Android / embedded / appliance fleets, track vendor kernel drops separately from upstream Linux status; the public writeup explicitly calls out Android-rooting relevance.
- If patching is delayed, reduce the chance of local code execution: harden browser sandboxes, isolate high-risk browsing, constrain untrusted CI workloads, reduce shell access, and minimize shared multi-user exposure.
- Hunt for unusual local privilege-escalation behavior: short-lived exploit binaries, unexpected
epollstress/test programs, sudden root shells from user or browser contexts, kernel warnings/crashes near eventpoll paths, and suspicious use of public Bad Epoll PoC artifacts. - Treat suspected exploitation as host-root compromise. Preserve volatile evidence, kernel/package state, process telemetry, browser/renderer crash artifacts, CI runner job provenance, and secrets available to the compromised principal.
Related pages
- Linux DirtyClone CVE-2026-43503 local privilege escalation
- Linux pedit COW CVE-2026-46331 local privilege escalation
- Linux nftables CVE-2026-23111 public LPE exploits
Sources
- Jaeyoung Chung / public Bad Epoll repository: https://github.com/J-jaeyoung/bad-epoll
- Linux stable patch: https://git.kernel.org/stable/c/a6dc643c69311677c574a0f17a3f4d66a5f3744b
- The Hacker News: https://thehackernews.com/2026/07/new-bad-epoll-linux-kernel-flaw-lets.html