Vulnerabilities

Proof-of-Concept Exploit Released for Linux ‘Bad Epoll’ Root Access Vulnerability

Organizations are urged to patch after proof-of-concept code makes the Linux root escalation flaw easier to exploit.

Linux

Technical details and proof-of-concept (PoC) code targeting a recent Linux kernel vulnerability that could allow unprivileged processes to gain root privileges on desktops, servers, and Android phones are now public.

The security defect, tracked as CVE-2026-46242 (CVSS score of 7.8) and referred to as Bad Epoll, is described as a race-condition use-after-free bug in epoll, the Linux kernel’s I/O event notification facility.

Instead of asking programs to poll many file descriptors one by one, the Linux kernel maintains an epoll instance with an interest list and a ready list of file descriptors and return descriptors.

Bad Epoll is a close-vs-close race condition in epoll’s file-release path that leads to use-after-free.

If one eventpoll list of file descriptors monitors another and the two are closed simultaneously, one frees an object while the other continues to write to it.

The flaw was discovered by Jaeyoung Chung of Seoul National University’s Computer Security Lab, who reported it to Google kernelCTF as a zero-day submission.

Advertisement. Scroll to continue reading.

Bad Epoll was introduced in 2023 in a commit that also introduced CVE-2026-43074, another race condition in the epoll code that was found by Anthropic’s Mythos.

Mythos likely missed it because, with CVE-2026-43074 fixed, Bad Epoll doesn’t trigger KASAN (Kernel Address Sanitizer), the Linux kernel’s dynamic memory error detector.

“Bad Epoll was hard to fix, too. The maintainers’ first patch did not fully fix the issue, and a correct patch landed only two months after the bug was first reported. That is a long time for a kernel that usually handles security issues with urgency,” the researcher notes.

Chung has published a PoC exploit that triggers Bad Epoll to leak kernel memory and hijack an indirect call to control the CPU’s instruction pointer register and obtain root privileges via a Return-Oriented Programming (ROP) chain.

Linux distributions based on kernel version 6.4 or newer are affected by the vulnerability. Bad Epoll was also confirmed on Pixel 10 devices, which are running kernel version 6.6.

Related Content

Vulnerabilities

The 16-year-old Januscape flaw affects Linux's KVM hypervisor, allowing attackers to escape virtual machines and potentially execute code on the underlying host.

Endpoint Security

A variant of DirtyFrag, the flaw allows unprivileged local users to manipulate the Linux page cache and gain root privileges.

Malware & Threats

Arch Linux suspended account registrations in response to the wave of malicious packages being uploaded to AUR.

Vulnerabilities

An improper authentication bug allows attackers to escalate their privileges and escape containers.

Vulnerabilities

Proof-of-concept (PoC) exploit code has been released for the CIFSwitch flaw, which allows low-privileged users to escalate to root on vulnerable Linux systems.

Endpoint Security

The vulnerability, tracked as CVE-2026-46300, is similar to the recently disclosed exploits named Dirty Frag and Copy Fail.

Endpoint Security

Also called Copy Fail 2 and tracked as CVE-2026-43284 and CVE-2026-43500, the exploit was disclosed before a patch was released.

Endpoint Security

CISA has added the bug to its KEV list, and Microsoft has observed limited exploitation, mainly associated with PoC testing.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version