Bad Epoll: A Linux Kernel Bug Lets Any User Become Root

07.07.2026 4
Bad Epoll: A Linux Kernel Bug Lets Any User Become Root

A security researcher has published a highly reliable, working exploit for a Linux kernel vulnerability that lets an ordinary, unprivileged user take full control of a machine as root - no password, no social engineering, just local code execution. The flaw, a Local Privilege Escalation (LPE) bug tracked as CVE-2026-46242 and nicknamed "Bad Epoll," affects Linux servers, desktops, and Android phones running kernel 6.4 or newer. A patch already exists upstream, but it has not been widely deployed.

How the Bad Epoll Use-After-Free Works

The bug lives in epoll, the mechanism the Linux kernel uses to let a single program watch thousands of open files or network connections at once - something every web server, database, and VPN daemon relies on. Researcher Jaeyoung Chung of Seoul National University's Computer Security Lab found that when two of epoll's internal cleanup routines, inside the kernel's ep_remove() path, run at the same moment, one can free a piece of kernel memory while the other is still writing to it. That use-after-free window is only about six CPU instructions wide, but Chung's proof-of-concept, now public on GitHub, leverages the corrupted memory to build a return-oriented-programming (ROP) chain that hijacks the kernel's execution flow and hands the attacker root.

Important: according to Chung's own testing, the exploit succeeds roughly 99% of the time on affected systems - a reliability rate far above what most kernel exploits achieve, and one of the reasons the flaw has alarmed researchers this week.

Who Is Exposed

  • Linux servers and desktops: any distribution running a mainline kernel from version 6.4 onward is vulnerable.
  • Android devices: confirmed working on a Google Pixel 10 (kernel 6.6); older devices still on the 6.1 long-term-support branch are not affected.
  • Browsers as an entry point: because the exploit only needs local code execution, researchers note it could in theory be launched from inside a sandboxed process such as a Chrome renderer, turning a browser bug into a full device takeover.

The kernel maintainers' first attempt at a fix, released after an earlier related bug (CVE-2026-43074) was patched, did not fully close the hole - it took roughly two more months before a correct fix landed in the mainline kernel. That slow, two-stage patching process is exactly why so many systems remain exposed: distributions and Android vendors are often several kernel-patch cycles behind mainline, and self-managed servers frequently lag even further.

How to Check If You Are Affected

Run uname -r in a terminal to see your running kernel version. If it reports 6.4 or higher and your distribution or device has not shipped a security update since early July 2026, treat the system as vulnerable and apply the latest kernel or vendor patch as soon as possible.

Why This Matters Beyond Personal Computers

Bad Epoll doesn't need a network connection to work - it needs local execution, which normally sounds reassuring. But "local" today covers a lot of ground: shared hosting boxes, CI/CD build runners, cloud VPS instances, self-hosted network appliances, and any Linux machine that ever runs untrusted code, including a downloaded script, a container escape, or a compromised browser tab. Once an attacker has any foothold at all, no matter how limited, Bad Epoll turns it into complete administrative control.

The Broader Pattern

Bad Epoll is also a reminder of how much modern network infrastructure - including the Linux boxes that run VPN gateways, self-hosted proxies, and home routers - depends on a kernel subsystem most users have never heard of. A single unpatched box on a shared network, or a VPN provider slow to roll out kernel updates on its server fleet, can turn a "local-only" bug into a much bigger exposure for everyone routed through it. This story continues a running theme this year: from FortiGate credential theft to Citrix Bleed, the weakest link in privacy infrastructure keeps turning out to be unpatched, boring-sounding kernel and firmware code rather than the encryption itself.

Conclusion: Bad Epoll shows that even a mature, heavily audited piece of the Linux kernel can hide a near-perfectly reliable path to root for years. The fix already exists - the real risk now is simply how many servers, routers, and phones will still be running the vulnerable code by the time attackers start using it in the wild.
Tags: cybersecurity security internet security vpn privacy linux

Read also