Bad Epoll: Linux Kernel eventpoll Use-After-Free Enables Local Root

Red | Vulnerability
Download Now
CVE-2026-46242: Bad Epoll — Linux Kernel eventpoll Use-After-Free Enables Local Root (TA2026188)

Threat Advisory • Vulnerability Report • TA2026188

Bad Epoll: Linux Kernel eventpoll Use-After-Free Enables Local Root

Bad Epoll (CVE-2026-46242) is a high-severity (CVSS 7.8) use-after-free race condition in the Linux kernel's eventpoll subsystem that lets an unprivileged local user escalate to root on Linux servers, desktops, and Android devices. A highly reliable public proof-of-concept exists, and the flaw is reachable even from the Chrome renderer and Android app sandboxes, with no configuration workaround — patching is the only remediation.

SEVERITY: HIGH ADMIRALTY: A1 LOCAL PRIVILEGE ESCALATION CWE-416 PUBLIC POC AVAILABLE CVSS 7.8
CVE ID
CVE-2026-46242
Published
July 06, 2026
Admiralty Code
A1
First Seen
May 30, 2026
CWE ID
CWE-416
CVSS Score
7.8
Impact
Local Privilege Escalation to Root
Affected Products
Linux kernel (servers, desktops, and Android)
Patch Status
Available (6.18.33, 7.0.10, 7.1)

Summary

Bad Epoll (CVE-2026-46242) is a high-severity (CVSS 7.8) use-after-free race condition in the Linux kernel's eventpoll subsystem that lets an unprivileged local user escalate to root on Linux servers, desktops, and Android devices. A highly reliable public proof-of-concept exists, and the flaw is reachable even from the Chrome renderer and Android app sandboxes, while typically evading KASAN detection after an adjacent fix.

The vulnerability affects mainline kernels from 6.4 onward plus backported 5.15.y and 6.1.y branches, with no configuration workaround — patching is the only remediation. There is no confirmed in-the-wild exploitation of CVE-2026-46242 to date, but the complete public disclosure and working proof-of-concept make immediate patching of the Linux kernel eventpoll subsystem urgent.


Vulnerability Details

#1 — Eventpoll Subsystem Exposed to Local Privilege Escalation

The Linux kernel's eventpoll (epoll) subsystem, the core I/O event notification mechanism that servers, network services, and web browsers all rely on to monitor many file descriptors at once, is affected by CVE-2026-46242, a high-severity local privilege escalation vulnerability known as Bad Epoll. Successful exploitation allows an unprivileged process to escalate to root, not only on Linux desktops and servers but also on Android devices, granting full administrative control over the affected host and the data it processes.

#2 — Use-After-Free Race in the ep_remove() Cleanup Path

The root cause is a use-after-free race condition in the epoll cleanup path. ep_remove() clears file->f_ep under a lock but continues using the file object inside the critical section; a concurrent __fput() in that window frees the watched struct eventpoll, and the subsequent list operation writes into freed memory. Compounding this, struct file is SLAB_TYPESAFE_BY_RCU, so the backing slot can be recycled mid-operation, yielding an attacker-controllable free against the wrong slab cache. The flaw requires only local code execution with no special privileges and no user interaction, though as a race condition it depends on winning a narrow timing window.

#3 — Highly Reliable Public Exploit, Minimal Detection Signal

That window is unusually exploitable. A public proof-of-concept succeeds around 99% of the time despite a race window only about six instructions wide, and atypically for a kernel bug, it is reachable from inside Chrome's renderer sandbox, which blocks almost every other kernel bug, as well as from Android's app sandbox. After the adjacent CVE-2026-43074 fix, the use-after-free usually no longer trips KASAN, leaving little runtime detection signal, and there is no configuration workaround because epoll cannot be turned off. No wild exploitation has been confirmed and no host or network indicators of compromise have been published as of today, so detection depends on kernel patch-state tracking rather than IOC matching.

#4 — Affected Kernel Versions and Patch Timeline

The vulnerability affects mainline Linux kernels from version 6.4 onward, with backported exposure on the long-term-support 5.15.y branch (from 5.15.209) and 6.1.y branch (from 6.1.175), and is fixed in builds 6.18.33 and 7.0.10 and the 7.1 branch. As of disclosure, no in-the-wild activity had been confirmed, but a complete public technical writeup and a working exploit make patching urgent, particularly for multi-tenant hosting, CI/CD build environments, and enterprise Android fleets with slow patch cycles.


Vulnerability Details Table

CVE IDAffected ProductsAffected CPECWE ID
CVE-2026-46242 Linux kernel: v6.4 up to (excluding) 6.18.33; v6.19 up to (excluding) 7.0.10; stable 5.15.209 up to (excluding) 5.16; stable 6.1.175 up to (excluding) 6.2. Fixed in 6.18.33, 7.0.10, and 7.1. cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* CWE-416

Recommendations

01

Apply the Upstream Kernel Patch Immediately

Update affected systems to a fixed kernel release (6.18.33, 7.0.10, or 7.1) or to a distribution kernel that has backported the corrective commit a6dc643c6931, then reboot to load the patched kernel. This fix pins the file object via epi_fget() at the entry of ep_remove() and gates the critical section on the pin succeeding, closing the race and both use-after-free conditions. Applying the patch is the only complete remediation for CVE-2026-46242.

02

Prioritize High-Exposure Hosts

Direct patching effort first at multi-user systems, container build hosts, shared-compute and multi-tenant platforms, and any environment where untrusted code can obtain a local shell, because these are the contexts in which local privilege escalation is most readily reachable and most damaging. Inventory Linux hosts and rank them by exposure to untrusted local execution.

03

Apply Distribution and Android Vendor Updates

Consult each Linux distribution's security advisories for a kernel update that includes the backport, and apply Google Android security updates promptly on devices running kernel v6.6 or later. Devices on v6.1-based kernels that did not receive the vulnerable backport are not affected and do not require this specific fix.

04

Harden Systems as an Interim Measure Only

Where immediate patching is not possible, raise the exploitation bar by enabling kernel address-space layout randomization (KASLR) and SLUB allocator randomization, since the exploit's race-widening technique depends on predictable heap layout, and use mandatory access controls such as SELinux or AppArmor to constrain what a successfully escalated process can do. These measures do not prevent the escalation itself and epoll cannot be disabled, so treat hardening strictly as a stopgap that buys time until the patch is deployed.

05

Use Live Patching Where Available

On hosts that cannot tolerate an immediate reboot, apply distribution-provided kernel live patching to close the vulnerable window without downtime, then schedule a full patched-kernel reboot at the earliest maintenance opportunity.

06

Restrict Untrusted Local Code Execution

Until affected hosts are patched, limit local shell access to trusted users and restrict or suspend untrusted or tenant-supplied workloads on shared kernels to reduce the population of principals able to trigger the race.

07

Monitor for Exploitation and Corruption Signals

Centralize kernel ring-buffer and crash-dump collection, and alert on kernel oops or panic messages referencing ep_remove, ep_remove_file, hlist_del_rcu, or ep_clear_and_put; KASAN use-after-free reports tied to kmalloc-192 eventpoll allocations; slab-corruption or unexpected kmem_cache_free warnings during heavy epoll workloads; and RCU stalls or general protection faults originating in fs/eventpoll.c. Correlate such telemetry with workloads that intensively close watched epoll descriptors from multiple threads.


Potential MITRE ATT&CK TTPs

T1068
Privilege Escalation
Exploitation for Privilege Escalation
T1588.006
Resource Development
Obtain Capabilities: Vulnerabilities

References & Patch Links

Patch Links
References