New “Bad Epoll” 0-Day Vulnerability Allows Root Access on Linux Servers and Android Devices
https://cybersecuritynews.com/bad-epoll-0-day-vulnerability/
Publish Date: 2026-07-05 03:58:00
Source Domain: cybersecuritynews.com
A newly disclosed Linux kernel flaw dubbed “Bad Epoll” (CVE-2026-46242) allows an unprivileged local user to escalate to root on Linux servers, desktops, and Android devices by exploiting a race condition and a use-after-free (UAF) in the kernel’s epoll subsystem.
Bad Epoll is a UAF vulnerability in ep_remove(), which clears file->f_ep under file->f_lock but continues using the file object inside the critical section during hlist_del_rcu() and spin_unlock().
A concurrent __fput() call can observe a transient NULL value, skip eventpoll_release_file(), and proceed straight to f_op->release, freeing a watched struct eventpoll that is still in use, corrupting kernel memory. Because struct file is SLAB_TYPESAFE_BY_RCU, the freed slot can also be recycled by alloc_empty_file(), letting an attacker trigger a kmem_cache_free() against the wrong slab cache.
The bug was discovered and exploited by researcher Jaeyoung Chung, who submitted it as a zero-day to Google’s kernelCTF program, which pays out $71,337 or more for working Linux kernel exploits.
Unlike most Linux privilege-escalation bugs, Bad Epoll can root Android: epoll is a core kernel component that cannot be disabled or unloaded, whereas bugs such as Copy Fail exploit optional modules.
Bad Epoll Vulnerability Privilege Escalation (Source: Jaeyoung Chung)
Bad Epoll Vulnerability Allows Root Access
Bad Epoll is also reachable from inside Chrome’s renderer sandbox, raising the possibility of chaining a renderer exploit with it for full kernel code execution. Although the race window is only about six instructions wide, Chung’s exploit widens the window and retries without crashing the kernel, achieving roughly 99% reliability on tested targets.
A single 2023 kernel commit introduced two separate race conditions into the same 2,500-line epoll code path. The first, CVE-2026-43074, was discovered by…