
A newly disclosed flaw in the Linux kernel’s epoll subsystem, tracked as CVE-2026-46242, lets unprivileged users raise their privileges to root on both Linux and Android devices, according to SecurityAffairs. The vulnerability, nicknamed Bad Epoll, impacts kernel versions 6.4 and newer and can be triggered from within sandboxed environments such as Chrome.
The flaw is a use‑after‑free condition where two kernel threads attempt to release the same epoll object concurrently, corrupting memory and allowing an attacker to execute arbitrary code with kernel privileges. Researchers published a reliable exploit that achieves a success rate of about 99 % when run locally, and the vulnerability carries a CVSS v3 score of 7.8, rating it as high severity, with the proof‑of‑concept available on GitHub.
Affected systems include mainstream distributions that have not yet applied the latest security patches, as well as Android builds that rely on the vulnerable kernel branch, as outlined by The Hacker News. Because the exploit only requires local code execution, it poses a particular risk in multi‑user servers, containerised workloads and developer workstations where untrusted code may already run.
No threat actors have been observed exploiting Bad Epoll in the wild, and the vulnerability is not yet listed in the Known Exploited Vulnerabilities catalogue. However, the public release of the exploit code on GitHub means that attackers could quickly weaponise it, especially against systems where local access is granted to customers or third‑party services.
The issue also highlights how low‑level race conditions in widely used subsystems can undermine isolation mechanisms such as sandboxes, potentially breaking out of Chrome’s renderer process. Researchers note that the flaw was discovered through manual code review rather than automated AI analysis, highlighting the continued need for human expertise in vulnerability hunting.
Administrators should prioritise applying the kernel patches released by their distribution vendors, which address the incorrect reference counting in the epoll implementation. Where immediate updating is not feasible, tightening access controls to limit local shell access and disabling unnecessary user accounts can reduce the attack surface.
Monitoring for anomalous epoll usage, such as repeated calls from low‑privilege processes, can help detect exploitation attempts before they succeed. Finally, ensuring that container runtimes and sandboxing tools are kept up to date adds another layer of defence against similar local privilege escalation flaws.