
New Bad Epoll Linux Kernel Flaw (CVE-2026-46242) Enables Root Privilege Escalation on Android and Linux Systems

July 3, 2026

A newly disclosed Linux kernel vulnerability, dubbed “Bad Epoll” and tracked as CVE-2026-46242, allows unprivileged local users to gain full root access on affected systems, including Android devices. Discovered by researcher Jaeyoung Chung, the flaw is a use-after-free bug in the epoll subsystem, a standard Linux feature for monitoring multiple file descriptors. The vulnerability arises from a race condition in which two kernel threads attempt to clean up the same internal object simultaneously, leading to memory corruption that can be exploited for privilege escalation.

Chung’s exploit widens the race window to achieve root access approximately 99% of the time on tested systems. Notably, the bug can be triggered from within Chrome’s renderer sandbox, bypassing a common security boundary, and affects Android devices running kernel versions 6.4 or newer. The flaw was submitted as a zero-day to Google’s kernelCTF program, and a public proof-of-concept is available. There is no evidence of active exploitation in the wild, and it is not listed on CISA’s Known Exploited Vulnerabilities catalog.

The bug traces back to a 2023 code change in the epoll subsystem. Interestingly, Anthropic’s AI model, Mythos, had previously discovered a related flaw (CVE-2026-43074) in the same code area but missed this one, highlighting the difficulty of detecting race conditions even with advanced AI. The fix is available via upstream commit a6dc643c6931, and users are advised to apply patches from their distribution vendors. Epoll cannot be disabled, so patching is the only mitigation.

Bad Epoll joins a series of kernel privilege escalation bugs targeting Android, including Bad Binder, Bad IO_uring, and Bad Spin. It contrasts with more recent deterministic bugs like Copy Fail (CVE-2026-31431) and Dirty Frag, which are easier to exploit. The discovery underscores ongoing challenges in kernel security, where race conditions remain particularly elusive.

CVEs: CVE-2026-46242, CVE-2026-43074, CVE-2026-31431, CVE-2026-31694, CVE-2026-4747, CVE-2026-55200, CVE-2026-46817

Companies: Google, Anthropic, Bynario

Products: Mythos, kernelCTF