{"id":285877,"date":"2026-07-05T03:58:00","date_gmt":"2026-07-05T07:58:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/07\/05\/new-bad-epoll-0-day-vulnerability-allows-root-access-on-linux-servers-and-android-devices\/"},"modified":"2026-07-05T04:25:07","modified_gmt":"2026-07-05T08:25:07","slug":"new-bad-epoll-0-day-vulnerability-allows-root-access-on-linux-servers-and-android-devices","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/07\/05\/new-bad-epoll-0-day-vulnerability-allows-root-access-on-linux-servers-and-android-devices\/","title":{"rendered":"New &#8220;Bad Epoll&#8221; 0-Day Vulnerability Allows Root Access on Linux Servers and Android Devices"},"content":{"rendered":"<p><a href=\"https:\/\/cybersecuritynews.com\/bad-epoll-0-day-vulnerability\/\">New &#8220;Bad Epoll&#8221; 0-Day Vulnerability Allows Root Access on Linux Servers and Android Devices<\/a><\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/bad-epoll-0-day-vulnerability\/\">https:\/\/cybersecuritynews.com\/bad-epoll-0-day-vulnerability\/<\/a><\/p>\n<p>Publish Date: 2026-07-05 03:58:00<\/p>\n<p>Source Domain: <a href=\"cybersecuritynews.com\">cybersecuritynews.com<\/a><\/p>\n<p class=\"wp-block-paragraph\">A newly disclosed Linux kernel flaw dubbed \u201cBad Epoll\u201d (CVE-2026-46242) allows an unprivileged local user to escalate to root on Linux servers, desktops, and Android devices by exploiting a race condition and a use-after-free (UAF) in the kernel\u2019s epoll subsystem.<\/p>\n<p class=\"wp-block-paragraph\">Bad Epoll is a UAF vulnerability in ep_remove(), which clears file-&gt;f_ep under file-&gt;f_lock but continues using the file object inside the critical section during hlist_del_rcu() and spin_unlock().<\/p>\n<p class=\"wp-block-paragraph\">A concurrent __fput() call can observe a transient NULL value, skip eventpoll_release_file(), and proceed straight to f_op-&gt;release, freeing a watched 
struct eventpoll that is still in use, corrupting kernel memory. Because struct file is SLAB_TYPESAFE_BY_RCU, the freed slot can also be recycled by alloc_empty_file(), letting an attacker trigger a kmem_cache_free() against the wrong slab cache.<\/p>\n<p class=\"wp-block-paragraph\">The bug was discovered and exploited by researcher Jaeyoung Chung, who submitted it as a zero-day to Google\u2019s kernelCTF program, which pays out $71,337 or more for working Linux kernel exploits.<\/p>\n<p class=\"wp-block-paragraph\">Unlike most Linux privilege-escalation bugs, Bad Epoll can root Android because epoll is a core kernel component that cannot be disabled or unloaded, unlike optional modules exploited by bugs such as Copy Fail.<\/p>\n<h2 id=\"h-bad-epoll-vulnerability-allows-root-access\" class=\"wp-block-heading\"><strong>Bad Epoll Vulnerability Allows Root Access<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">It is also reachable from inside Chrome\u2019s renderer sandbox, raising the possibility of chaining a renderer exploit with Bad Epoll for full kernel code execution. Despite a race window only about six instructions wide, Chung\u2019s exploit widens the window and retries without crashing the kernel, achieving roughly 99% reliability on tested targets.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhFoh9AqO3x7vvWNKKEb0qX9hPDy4lI4kISsanAS0HU73xO-VkZaiGrOKmS7oPp4qzrUsy7bp5dtWcfnlaMSAv_ubvmw-3kMmOLkzrZbGBgJbQNCPw35QUhUDg6TczR0xR_enfIrGu4yoTExXdO2QHamhoz4Pboonei7lyr_A8DEcuIp8kr3H5OgLvPLvb4\/s1600\/badepoll1.webp\" alt=\"Bad Epoll Vulnerability Allows Root Access\"\/>Bad Epoll Vulnerability Privilege Escalation (Source: Jaeyoung Chung)<\/p>\n<p class=\"wp-block-paragraph\">A single 2023 kernel commit introduced two separate race conditions into the same 2,500-line epoll code path. 
The first, CVE-2026-43074, was discovered by&#8230;<\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/bad-epoll-0-day-vulnerability\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New &#8220;Bad Epoll&#8221; 0-Day Vulnerability Allows Root Access on Linux Servers and Android Devices https:\/\/cybersecuritynews.com\/bad-epoll-0-day-vulnerability\/&#8230;<\/p>\n","protected":false},"author":1,"featured_media":285878,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"http:\/\/cybersecuritynews.com\/wp-content\/uploads\/2026\/07\/Bad-Epoll-0-Day-Vulnerability.webp","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[90,31,89,71,27],"class_list":["post-285877","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-cve","tag-exploit","tag-flaw","tag-linux","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/285877"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=285877"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/285877\/revisions"}],"predecessor-version":[{"id":285879,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/285877\/revisions\/285879"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/285878"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=285877"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-
you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=285877"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=285877"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}