A critical use-after-free race condition in the Linux kernel’s `epoll` subsystem allows local attackers to escalate privileges to root.
Here is the point-to-point breakdown for your security teams:
Bad Epoll was discovered and exploited by Jaeyoung Chung as a zero-day submission to Google kernelCTF, earning a reward of over $71,337.
The Core Facts
- CVE: CVE-2026-46242
- Flaw Type: Use-After-Free (UAF) Race Condition.
- Impact: Local Privilege Escalation (LPE) to root.
- Affected Targets: Linux kernels and Android operating systems.
How It Works
- Target: The `epoll` API, which Linux uses to monitor I/O event notifications.
- Mechanism: Exploits a race condition during event handling.
- Execution: An unprivileged local user can trigger memory corruption to overwrite kernel memory and execute arbitrary code with root privileges.

Threat Assessment
- Attack Vector: Local only. The attacker already needs a foothold on the system (e.g., via a compromised user account, web shell, or malicious app).
- Exploit Complexity: Moderate. Requires winning a race condition, but PoC (Proof of Concept) exploits are already circulating in the wild.
- Business Impact: Critical. Full system compromise, data exfiltration, and lateral movement.
Why Mythos Missed the Flaw
Despite scanning the exact same code path, the Mythos tool failed to detect “Bad Epoll” due to two critical blind spots:
- Microscopic Race Window: The vulnerability window is just ~6 instructions wide, making the required thread interleaving nearly impossible to spot.
- Silent Execution: The UAF fails to trigger KASAN (the kernel’s memory-error detector) once the prior CVE is patched, depriving the tool of the runtime signal needed to flag the bug.
Action Items & Remediation
- Linux Servers: Patch immediately. Update to the latest kernel version provided by your distribution vendor.
- Android Devices: Apply the latest monthly security patches from your OEM.
Interim Mitigations:
- Restrict local user access and enforce strict least-privilege policies.
- Monitor endpoint detection and response (EDR) logs for anomalous kernel-level activity or unexpected `su`/`sudo` executions.
- Consider deploying kernel live-patching (e.g., kGraft, kpatch) if immediate reboots aren’t possible.
Analyst Take:
While Bad Epoll requires local access, it becomes highly dangerous once an attacker is inside the system. A low-privileged user can exploit it to gain full system control. Updating your kernel is the best way to stay protected.








