PoC for Linux ‘Bad Epoll’ bug allows local root
Proof-of-concept exploit for the Linux ‘Bad Epoll’ bug is public and can let unprivileged processes obtain root on desktops, servers and Android devices.
A proof-of-concept exploit for a Linux kernel vulnerability known as “Bad Epoll” has been published. The exploit can allow an unprivileged process to gain root privileges on desktop, server and Android systems.
The flaw is tracked as CVE-2026-46242 and carries a CVSS score of 7.8. It is a race-condition use-after-free bug in epoll, the kernel facility that monitors large numbers of file descriptors. Epoll keeps an interest list and a ready list; if one epoll instance monitors another and both are closed at the same time, one path can free a shared object while the other continues to write to it, producing a use-after-free.
Jaeyoung Chung of Seoul National University’s Computer Security Lab discovered the vulnerability and reported it to kernelCTF as a zero-day. Chung published proof-of-concept code that leaks kernel memory and hijacks an indirect call to control the CPU instruction pointer, then uses a Return-Oriented Programming (ROP) chain to escalate privileges to root. The exploit runs from an unprivileged process and can be used by a local attacker without prior access.
The bug was introduced in 2023 in the same change that also introduced CVE-2026-43074. After the earlier issue was fixed, Bad Epoll does not reliably trigger KASAN, the kernel’s dynamic memory error detector, which contributed to it being missed in earlier analysis. Maintainers applied an initial patch that did not fully resolve the issue; a correct patch was merged about two months after the bug was first reported.
Linux kernels version 6.4 and newer are affected. The vulnerability has been confirmed on devices running kernel 6.6, including Pixel 10 phones, indicating both desktop/server and Android devices are vulnerable. The publication of PoC code increases the risk of active exploitation for systems that have not received the corrected updates.
Kernel maintainers deployed fixes upstream. System administrators and users should install vendor or distribution updates that include the upstream fix or apply kernel updates addressing CVE-2026-46242. Devices that cannot be updated should be treated as exposed to local privilege-escalation risk.
Epoll is widely used in Linux to monitor many file descriptors efficiently. The published PoC follows a complete exploit chain from the close-vs-close race condition to kernel memory disclosure and then to code execution using ROP, resulting in full privilege escalation on affected systems.




