>_ 0dayNews
linux kernel

Bad Epoll (CVE-2026-46242): Linux kernel LPE hits Android too

A newly disclosed use-after-free in Linux 6.4+ kernels lets an unprivileged local user gain root. Android on affected kernels is in scope; the upstream fix is in.

Marisol "Fuse" Delgado · Published · 3 min read

If you run Linux 6.4 or newer anywhere that matters — a fleet of workstations, a container host, a shared build box, an Android device that hasn’t seen a security patch in a couple of months — Bad Epoll (CVE-2026-46242) is on your list this week. It’s a use-after-free race in the kernel’s epoll subsystem: an unprivileged local user can win a narrow cleanup race and hand themselves root. The upstream fix is in. That is the honest short version.

The bug was reported by Jaeyoung Chung and submitted as a zero-day through Google's kernelCTF program. No in-the-wild exploitation has been observed, and it is not on the CISA Known Exploited Vulnerabilities catalog, at least not yet. KEV's bar is evidence of active exploitation, and ordinary local-privesc kernel bugs rarely produce that evidence in public, so absence from the catalog says little about how soon this one gets chained. That is not the same thing as saying you can wait.

What changed

Kernel 6.4 introduced an epoll change in 2023 that Bad Epoll rides on. Two cleanup paths can fire against the same epoll object in a narrow window; one frees it while the other still touches it, which is the use-after-free, and a local user who wins that race gets a memory-corruption primitive in kernel context. That is as much mechanics as this write-up will offer; for the full technical writeup you want the kernelCTF submission and the upstream commit (a6dc643c6931), not us.

The other thing that changed, worth noting because everyone is going to bring it up: this is the second bug in that same stretch of epoll code inside a month. Anthropic’s Mythos model caught the earlier one (CVE-2026-43074) as part of a research push, per The Hacker News. It missed Bad Epoll. Draw whatever conclusion you like about AI-assisted kernel audit — the practical takeaway is that anything shipping 6.4+ code paths gets patched on the same schedule it always does, “AI-audited” or not.

What to actually do

Priority one — servers and workstations:

  • 6.4+ kernels: upgrade to the patched point release from your distro as soon as it lands. Ubuntu, Debian, Fedora, Rocky, SUSE, and Arch will backport the upstream commit into their supported branches on their normal security-update cadence. Watch your distro’s security advisory feed for CVE-2026-46242 specifically.
  • 6.1 LTS and older kernels: not affected, because the epoll change the bug depends on arrived in 6.4. If you are on an older kernel for stability reasons, such as Debian stable on 6.1 or RHEL 9 on its 5.14-based kernel, you have breathing room, with one caveat: heavily backported enterprise kernels can carry code newer than their version number suggests, so treat the distro advisory for CVE-2026-46242, not the version string alone, as the final word. The 6.6 and 6.12 LTS series are newer than 6.4 and are in scope. Confirm the running kernel with uname -r before you assume you're safe; a lot of "we're on 6.1" fleets have stragglers on newer kernels for hardware reasons.
  • Container hosts: the container’s kernel is the host’s kernel. Patching the host patches the containers. Don’t skip container-heavy hosts because “workloads are isolated” — they aren’t, from the kernel.
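
A fleet-side version of the uname -r check from the list above, written for this article as an added example (it is not the author's tooling or any distro's). It classifies kernel version strings against the 6.4-and-newer range the article names and tallies in-scope hosts over a constructed inventory; hostnames and version strings are made up. It answers only "is this host in the version range", not "is it already patched": a 6.4+ distro kernel may already carry the backported fix, and only the distro advisory can tell you that. Because a container's kernel is the host's kernel, a verdict on a container host covers everything running on it.

```shell
#!/bin/sh
# Added example, not code from the article or from any distro.
# Classify `uname -r` strings against the Bad Epoll range (6.4 and newer).
# "in-scope" means "go read your distro advisory for this host", not
# "exploitable": whether the backported fix is present is not visible here.

# epoll_scope VERSION -> prints "in-scope", "not-affected" or "unparseable"
# VERSION is whatever `uname -r` returns, e.g. "6.8.0-45-generic".
epoll_scope() {
    v="$1"
    major="${v%%.*}"                  # "6.8.0-45-generic" -> "6"
    case "$major" in
        ''|*[!0-9]*) echo "unparseable"; return 0 ;;
    esac
    if [ "$major" = "$v" ]; then
        minor=0                       # bare "6": no minor component at all
    else
        rest="${v#*.}"                # -> "8.0-45-generic"
        minor="${rest%%[!0-9]*}"      # -> "8" (cut at the first non-digit)
        [ -n "$minor" ] || minor=0
    fi
    # Affected range per the article: 6.4 <= version, i.e. 6.x with x >= 4, or 7+.
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 4 ]; }; then
        echo "in-scope"
    else
        echo "not-affected"
    fi
}

# Constructed inventory in "host kernel" form, standing in for what you would
# collect with something like `ssh "$host" uname -r`. Hostnames are invented.
INVENTORY='build-01    6.1.0-25-amd64
build-02    6.8.0-45-generic
ci-runner   6.6.32-1-lts
k8s-node-3  6.1.94-1
worksta-09  6.12.7-200.fc41
legacy-db   5.15.0-113-generic
bare-major  6'

# epoll_report -> prints one "host kernel verdict" line per host on stderr
# and echoes the number of in-scope hosts on stdout.
epoll_report() {
    n=0
    while read -r host kver; do
        [ -n "$host" ] || continue
        verdict=$(epoll_scope "$kver")
        printf '%-12s %-22s %s\n' "$host" "$kver" "$verdict" >&2
        if [ "$verdict" = "in-scope" ]; then
            n=$((n + 1))
        fi
    done <<EOF
$INVENTORY
EOF
    echo "$n"
}

epoll_report
```

Swap the INVENTORY here-doc for real output (one host and its uname -r per line) and the count on stdout is your "hosts that need the advisory checked" number; an "unparseable" verdict means the collection step failed for that host and it should not be counted as safe.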

Priority one — Android:

  • Wait for your OEM’s security patch. There is no useful action for end users until the OEM ships. Some Pixel 8s are on 6.1-based kernels and are not affected; most other current Android devices on 6.4+ backported branches are. The Hacker News piece notes an Android-specific exploit chain was still in progress at the time of disclosure — that is a real gap between “public bug” and “shipped patch on your phone” that you can’t shortcut from the user side.
  • If you manage a fleet of Android devices through MDM, this is a “next monthly patch level or better” flag, not an emergency wipe.

What you can do today, before the distro patch lands:

  • Restrict who can run untrusted binaries on affected hosts. Local privesc requires local code execution, so anything that keeps unvetted shell users off the box also blocks Bad Epoll. Remember that "local" includes any process that runs attacker-controlled code on the kernel: a compromised web app worker, a CI job, a container workload. This is not a fix, it's a stall.
  • On multi-tenant systems where you can’t restrict users — shared build farms, HPC clusters, kiosks — keep an eye on distro advisories and plan the reboot window now rather than during the panic on patch day.

Priority call

This ranks behind an unpatched pre-auth RCE with a public PoC on an internet-exposed appliance: the Kemp LoadMaster CVE-2026-8037 story from earlier today and the SharePoint KEV listing both come first. Neither of those requires local access. Bad Epoll does.

That said, it ranks ahead of most of the vendor-advisory noise. Local privesc kernel bugs are the second half of intrusion chains — the initial-access foothold plus this bug is how “compromised web app account” becomes “compromised host.” Get it patched on the normal cadence, don’t skip the reboot, and move on.
