Technical details and working proof-of-concept (PoC) code for a Linux kernel privilege escalation vulnerability known as Bad Epoll are now publicly available, raising the risk of exploitation across a wide range of affected systems.

Vulnerability Details

Tracked as CVE-2026-46242 with a CVSS score of 7.8, Bad Epoll is a race-condition use-after-free bug in epoll, the Linux kernel’s I/O event notification subsystem. The flaw arises in the file-release path: when one eventpoll file descriptor list monitors another and both are closed simultaneously, one thread frees an object while the other continues writing to it. This close-versus-close race condition results in memory corruption that can be leveraged to escalate privileges.

The vulnerability affects Linux distributions running kernel version 6.4 or newer and has been confirmed on Pixel 10 devices, which ship with kernel 6.6.

Discovery and Disclosure Timeline

The bug was discovered by Jaeyoung Chung of Seoul National University’s Computer Security Lab and submitted to Google’s kernelCTF program as a zero-day. The flaw was introduced in 2023 in the same commit that brought in CVE-2026-43074, a separate epoll race condition found by Anthropic’s Mythos. That earlier fix is believed to have masked Bad Epoll’s detection, because with CVE-2026-43074 patched, the new bug no longer triggers KASAN (Kernel Address Sanitizer), the kernel’s built-in dynamic memory error detector.

The fix timeline itself was notable. According to Chung, the maintainers’ first patch did not fully resolve the issue, and a correct patch did not land until two months after initial reporting, an unusually long window for a kernel security fix.

Exploit Technique

Chung’s published PoC exploit uses Bad Epoll to:

  • Leak kernel memory addresses
  • Hijack an indirect function call to control the CPU’s instruction pointer register
  • Gain root privileges through a Return-Oriented Programming (ROP) chain

Recommendations

Security teams should prioritize patching systems running Linux kernel 6.4 and later. Android device administrators, particularly those managing fleets of recent Pixel hardware, should apply available security updates promptly. Given the public availability of working exploit code, the window for opportunistic exploitation is now open.