A new Linux flaw called “Bad Epoll” (CVE-2026-46242) lets regular users get root access on Linux servers, desktops, and Android devices. It does so through a race condition and a use-after-free (UAF) in the kernel's epoll subsystem.
Bad Epoll is a UAF vulnerability in ep_remove(), which clears file->f_ep under file->f_lock but continues using the file object inside the critical section during hlist_del_rcu() and spin_unlock().
A concurrent __fput() call can observe a transient NULL value, skip eventpoll_release_file(), and proceed straight to f_op->release, freeing a watched struct eventpoll that is still in use, corrupting kernel memory. Because struct file is SLAB_TYPESAFE_BY_RCU, the freed slot can also be recycled by alloc_empty_file(), letting an attacker trigger a kmem_cache_free() against the wrong slab cache.
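The ordering problem described above can be stepped through as a deterministic toy model. This is an added example, not kernel source or the researcher's code. The struct and function names are hypothetical, and the model assumes that eventpoll_release_file(), when it does run, unlinks the watch safely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy stand-in for struct file: models ordering only (hypothetical names). */
struct model_file {
    void *f_ep;       /* non-NULL while an epoll instance watches the file */
    bool  detached;   /* eventpoll_release_file() already unlinked the watch */
    bool  released;   /* f_op->release has run; object may be freed/recycled */
    int   stale_uses; /* accesses by ep_remove() after release */
};

/* ep_remove(), step 1: clear f_ep under f_lock. */
static void ep_remove_clear(struct model_file *f) {
    if (!f->detached) f->f_ep = NULL;
}

/* ep_remove(), step 2: hlist_del_rcu() and spin_unlock() still touch the file. */
static void ep_remove_finish(struct model_file *f) {
    if (!f->detached && f->released) f->stale_uses++;
}

/* __fput(): eventpoll_release_file() runs only when f_ep is non-NULL. */
static void fput_model(struct model_file *f) {
    if (f->f_ep) {            /* assumed-safe path: unlink before release */
        f->detached = true;
        f->f_ep = NULL;
    }
    f->released = true;       /* f_op->release */
}

/* Run __fput() before (0), between (1) or after (2) the two ep_remove() steps
 * and return how often ep_remove() touched an already released file. */
int stale_uses_for_schedule(int fput_slot) {
    static int watcher;       /* dummy object that f_ep points at */
    struct model_file f = { .f_ep = &watcher };
    if (fput_slot == 0) fput_model(&f);
    ep_remove_clear(&f);
    if (fput_slot == 1) fput_model(&f);
    ep_remove_finish(&f);
    if (fput_slot == 2) fput_model(&f);
    return f.stale_uses;
}

int main(void) {
    for (int slot = 0; slot < 3; slot++)
        printf("fput in slot %d: stale uses = %d\n", slot, stale_uses_for_schedule(slot));
    return 0;
}
```

Only the schedule in which __fput() runs between the two halves of ep_remove() reports a stale access, which is the transient NULL window the article describes.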
The bug was discovered by researcher Jaeyoung Chung. He reported it as a zero-day to Google’s kernelCTF program, which pays at least $71,337 for useful Linux kernel bugs.
Bad Epoll is different from many other Linux bugs. It can give full control of Android because epoll is a core part of the kernel. It cannot be turned off or removed, unlike the optional modules used in other bugs like Copy Fail.

Bad Epoll Vulnerability Allows Root Access
Bad Epoll can also be reached from inside Chrome’s renderer sandbox, which means a renderer exploit could be chained with it to run code in the kernel. Even though the race window is small, about six instructions, Chung’s exploit expands this window and retries without crashing the kernel, achieving about 99% reliability on the targets tested.

A single commit to the kernel in 2023 introduced two race issues in the same 2,500-line epoll code. The first one, CVE-2026-43074, was found by Anthropic’s AI model Mythos, showing how advanced AI is getting at finding kernel race bugs.
Bad Epoll was the second flaw, which Mythos did not notice. It was harder to find because it had a short timing window and rarely triggered KASAN, which is the main tool to detect memory errors. This made it hard to see signs during runtime. The first patch attempt by the maintainers did not fully fix the problem, and a proper solution came almost two months after the first report.
The exploit uses four epoll objects, arranged in two pairs. Closing one pair starts the race, and the other pair becomes the victim. A cross-cache attack then turns an 8-byte UAF write into a UAF on a file object.
From there, the attacker gains arbitrary kernel memory read access through /proc/self/fdinfo and hijacks control flow with a return-oriented programming (ROP) chain to obtain a root shell.
Epoll cannot be turned off without breaking core OS and browser functions, so there is no workaround. Administrators have to either apply the mainline patch or wait for a backport from their distribution.
