Monday, July 6 2026

“Bad Epoll” 0-Day Vulnerability Allows Root Access on Linux Servers, Android Devices

A new Linux flaw called “Bad Epoll” (CVE-2026-46242) lets regular users gain root access on Linux servers, desktops, and Android devices by exploiting a race condition and a use-after-free (UAF) in the kernel’s epoll subsystem.

Bad Epoll is a UAF vulnerability in ep_remove(), which clears file->f_ep under file->f_lock but continues using the file object inside the critical section during hlist_del_rcu() and spin_unlock().

A concurrent __fput() call can observe a transient NULL value, skip eventpoll_release_file(), and proceed straight to f_op->release, freeing a watched struct eventpoll that is still in use, corrupting kernel memory. Because struct file is SLAB_TYPESAFE_BY_RCU, the freed slot can also be recycled by alloc_empty_file(), letting an attacker trigger a kmem_cache_free() against the wrong slab cache.
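The interleaving described above, as a user-space model added here for illustration; it is not kernel code and not taken from the researcher's write-up. `model_file`, `closer`, `run` and `racy_points` are constructed names, lock and unlock are modelled as plain accesses to the file, and the `serialize` variant is a hypothetical contrast, not the upstream patch.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model; field names follow the article, the rest is constructed. */
struct model_file {
    void *f_ep;          /* non-NULL while an epoll instance watches the file */
    bool  locked;        /* models file->f_lock being held by the remover */
    bool  close_waiting; /* closer arrived but has not released yet */
    bool  freed;
    int   uaf;           /* remover accesses that landed after the free */
};

static void touch(struct model_file *f) { if (f->freed) f->uaf++; }

/* Close path as described for __fput(): a NULL f_ep skips the epoll cleanup and
 * release runs at once. serialize=true (hypothetical) waits for the lock holder. */
static void closer(struct model_file *f, bool serialize) {
    if (f->f_ep == NULL && !(serialize && f->locked))
        f->freed = true;
    else
        f->close_waiting = true;  /* slow path: ordered after the remover */
}

/* Remover steps in the order the article gives for ep_remove(); the closer
 * is injected just before step `at` (at == 4 means after the unlock). */
static int run(int at, bool serialize) {
    struct model_file f = { .f_ep = &f };
    for (int step = 0; step <= 4; step++) {
        if (step == at) closer(&f, serialize);
        switch (step) {
        case 0: touch(&f); f.locked = true;  break; /* spin_lock(&file->f_lock) */
        case 1: touch(&f); f.f_ep = NULL;    break; /* clear file->f_ep */
        case 2: touch(&f);                   break; /* hlist_del_rcu() */
        case 3: touch(&f); f.locked = false; break; /* spin_unlock() */
        }
    }
    if (f.close_waiting) f.freed = true;  /* deferred release, remover is done */
    return f.uaf;
}

/* Number of injection points at which the remover touches freed memory. */
static int racy_points(bool serialize) {
    int n = 0;
    for (int at = 0; at <= 4; at++) n += run(at, serialize) > 0;
    return n;
}

int main(void) {
    printf("racy points: lockless=%d serialized=%d\n", racy_points(false), racy_points(true));
    return 0;
}
```

Only the two injection points between the store to `f_ep` and the end of the critical section are unsafe in the model, which corresponds to the short window the article describes.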

The bug was discovered by researcher Jaeyoung Chung. He reported it as a zero-day to Google’s kernelCTF program, which pays at least $71,337 for useful Linux kernel bugs.

Bad Epoll differs from many other Linux bugs in that it can give full control of Android: epoll is a core part of the kernel that cannot be turned off or removed, unlike the optional modules involved in other bugs such as Copy Fail.

Bad Epoll Vulnerability Allows Root Access

It is also reachable from inside Chrome’s renderer sandbox, which means a renderer exploit could be chained with Bad Epoll to run code in the kernel. Although the race window is small, about six instructions, Chung’s exploit widens it and retries without crashing the kernel, reaching about 99% reliability on the targets tested.

Figure: Bad Epoll Vulnerability Privilege Escalation (Source: Jaeyoung Chung)

A single kernel commit from 2023 introduced two race conditions in the same 2,500-line epoll code. The first, CVE-2026-43074, was found by Anthropic’s AI model Mythos, showing how capable AI is becoming at finding kernel race bugs.

Bad Epoll was the second flaw, which Mythos did not notice. It was harder to find because its timing window is short and it rarely triggers KASAN, the main tool for detecting memory errors, so it left few signs at runtime. The maintainers’ first patch attempt did not fully fix the problem, and a proper fix came almost two months after the first report.

The exploit uses four epoll objects arranged in two pairs. Closing one pair triggers the race, and the other pair becomes the victim. A cross-cache attack then turns the 8-byte UAF write into a UAF on a file object.

From there, the attacker gains arbitrary kernel memory read access through /proc/self/fdinfo and hijacks control flow with a return-oriented programming (ROP) chain to obtain a root shell.

Epoll cannot be turned off without breaking core OS and browser functions, so there is no workaround. Administrators have to either apply the mainline patch or wait for a backport from their distribution.
