CVE-2026-46242 is a race condition in the Linux kernel's epoll subsystem that allows an unprivileged user to gain root privileges. The exploit works from within Chrome's renderer sandbox and reaches Android devices running kernel 6.4 and later. No workaround exists.

On July 3, 2026, CVE-2026-46242, dubbed "Bad Epoll", surfaced — a vulnerability in the Linux kernel's epoll subsystem that lets an unprivileged user obtain root with a near-reliable exploit. Researcher Jaeyoung Chung demonstrated that the bug is exploitable from inside Chrome's renderer sandbox, which blocks almost every other kernel bug, and that it can reach Android, a rare combination for Linux privilege escalation. No workaround exists: epoll is a core kernel component and cannot be disabled.

Key Takeaways
  • CVE-2026-46242 is a use-after-free race condition in the Linux kernel's epoll subsystem, rated CVSS 7.8 HIGH, enabling root escalation from an unprivileged user.
  • The exploit achieves 99% reliability despite a race window of only six machine instructions, thanks to window-widening and crash-free retry techniques.
  • The bug is exploitable from Chrome's sandbox and on Android devices with kernel 6.4+, including Pixel 10; Pixel 8 and devices based on kernel 6.1 are not affected.
  • The bug was introduced in April 2023 (commit 58c9b016e128), discovered by Jaeyoung Chung, and fixed in mainline on April 24, 2026 (commit a6dc643c6931) after an initial failed attempt.

How the Race Condition Works in the Heart of epoll

The epoll subsystem manages event polling on file descriptors, one of the most used primitives in server applications and browsers. CVE-2026-46242 stems from a collision between two cleanup paths: both attempt to clean up the same internal object, one freeing the memory while the other is still writing to it. As The Hacker News explained: "Bad Epoll is a 'use-after-free' bug. Two parts of the kernel try to clean up the same internal object at the same time. One frees the memory while the other is still writing into it."

The vulnerability window is microscopic: about six machine instructions. A random attempt to hit it almost always fails. Chung solved the problem by artificially widening the window and implementing a retry mechanism that does not crash the system, reaching root in 99% of cases on tested systems.

The exploit follows a sophisticated path: from the initial UAF on the epoll object to a UAF on a file object, then a cross-cache attack, followed by arbitrary kernel read via /proc/self/fdinfo, and finally a ROP chain to obtain a shell with maximum privileges. The public PoC on GitHub achieves 98% reliability against the Google kernelCTF target cos-121-18867.294.100.

"The catch is timing. The window where the two paths collide is only about six machine instructions wide, so a random attempt almost never lands in it. Chung's exploit widens that window and retries without crashing, reaching root about 99% of the time on tested systems." — Swati Khandelwal, The Hacker News

Chrome and Android: Two Targets That Usually Resist

Most Linux privilege escalation bugs cannot be triggered from Chrome's sandbox or reach Android. Bad Epoll breaks both boundaries. Chrome's renderer sandbox is designed to block direct access to dangerous syscalls, but epoll is among the permitted primitives — an architectural necessity for handling asynchronous events in the browser.

On Android, the vector is even more insidious. According to Chung's repository, only about ten of the more than 130 vulnerabilities exploited on kernelCTF are candidates for Android rooting. Bad Epoll is one of them. Pixel 10, which runs kernel 6.6+, is vulnerable; Pixel 8 and devices based on kernel 6.1 are not. The full Android exploit is marked as "in progress" at the time of publication.

This dual reachability — Chrome and Android — turns a kernel bug into an application and mobile security problem, not just a server issue.

Timeline and the Tortuous Path to the Fix

The bug was introduced on 2023-04-08 with commit 58c9b016e128, in the Linux 6.4 series. It lay dormant for nearly three years before Chung discovered it and reported it as a zero-day to Google kernelCTF, earning a reward of over $71,337.

The fix path was anything but linear. Chung sent the initial report to security@kernel.org on February 17, 2026. Maintainers proposed a prototype patch, but it was not a valid fix. The definitive fix landed in mainline only on April 24, 2026 with commit a6dc643c6931: roughly two months of iteration on a race condition that demands deep understanding of epoll cleanup paths.

As of now, the bug does not appear on the CISA Known Exploited Vulnerabilities list, and the only known working code is the kernelCTF PoC. No signs of in-the-wild exploitation have emerged.

The AI Mythos Found the Neighbor, Not the Target

The most interesting angle of Bad Epoll is what it reveals about the limits of AI in vulnerability research. Anthropic's Mythos, an automated bug-finding system, had already examined the same epoll code area and found CVE-2026-43074 — a related but distinct vulnerability. Bad Epoll slipped through.

The reason is technical, not accidental. Bad Epoll's race window is so narrow that runtime detection tools such as KASAN did not flag it, even after the first fix attempt, leaving the vulnerability invisible to analysis methods that depend on memory-corruption evidence. Human specialization in timing and race conditions — the ability to reason about instruction sequences and intermediate kernel states — remains a domain that is difficult to replicate automatically.

Chung notes in his repository that "no one can be sure" of the exact reason Mythos missed it, but the correlation between the minuscule window and the absence of runtime evidence offers a plausible hypothesis. The case does not prove AI useless in vulnerability research, but it delineates its boundaries: race conditions are terrain where specialized human research retains a significant advantage.

What to Do Now

System administrators running Linux kernel 6.4 or later must plan to apply commit a6dc643c6931 or distribution backports. No alternative mitigation exists: epoll cannot be disabled without breaking fundamental applications.

Browser security teams using Chrome-like sandboxes must consider that this class of kernel bug is bypassable, and evaluate whether to add controls on epoll calls or reduce the exposed surface.

Android users with Pixel 10 or equivalent devices running kernel 6.6+ must wait for OEM updates incorporating the mainline fix. The absence of a complete Android exploit at the time of reporting offers a mitigation window, but the public PoC makes it narrow.

Bug bounty programs should update their risk matrices: race conditions with high reliability and multi-platform reachability deserve recalibrated severity categories, even when the technical window appears minuscule.

Why Bad Epoll Marks a Turning Point

The lesson of Bad Epoll is not that the Linux kernel is fragile, but that the oldest and most trusted primitives — epoll has existed since 2002 — can hide concurrency defects introduced by later refactoring. The 2023 commit that introduced the bug was not an exotic addition, but a modification to the cleanup path that accidentally duplicated responsibility for releasing memory.

For the security industry, the case offers two convergent readings. On one hand, confirmation that browser sandboxes remain high-value targets and kernel bugs are still the key to breaking them. On the other, the demonstrated limit of AI systems like Mythos in detecting tight-window race conditions without runtime evidence — a field where human expertise in timing and manual assembly code analysis retains an irreplaceable role. AI found Bad Epoll's sibling; Jaeyoung Chung found Bad Epoll itself. The difference is not marginal.

FAQ

Which kernel versions exactly are vulnerable?

The bug was introduced in kernel 6.4 (April 2023) and is present in all subsequent versions until the April 24, 2026 fix. Devices with kernel 6.1 or earlier, such as Pixel 8, are not affected.
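The following script is an added illustration for the "What to Do Now" advice above and for this answer; it is not code from Chung's repository, from the kernel project, or from any distribution. It assumes, as the article states, that the affected range is every kernel 6.4 or later that does not carry commit a6dc643c6931 or a distribution backport of it, and that 6.1 and earlier are unaffected. Because a release string alone cannot prove whether a backport is present, any 6.4+ kernel is reported as "verify-patch-level" rather than "safe". The inventory strings are constructed samples, not real hosts.

```python
"""Kernel-version triage for CVE-2026-46242 ("Bad Epoll").

Added illustration (assumption): the bug affects kernels 6.4+ without the
fix commit a6dc643c6931 or a distribution backport; 6.1 and earlier are not
affected. A version string cannot reveal a backport, so 6.4+ hosts are
flagged for manual verification against the distribution's advisory.
"""
import platform
import re
from typing import Dict, Iterable, NamedTuple, Optional, Tuple

# Bug introduced in the 6.4 series (commit 58c9b016e128, April 2023).
INTRODUCED = (6, 4)

# Matches the leading "MAJOR.MINOR[.PATCH]" of a uname -r style string,
# e.g. "6.6.30-android15-8-g1234abcd", "5.15.0-91-generic", "6.4-rc1".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


class Verdict(NamedTuple):
    release: str
    major: int
    minor: int
    status: str  # "not-affected" | "verify-patch-level" | "unknown"


def parse_release(release: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from a kernel release string, or None if the
    string does not start with a recognisable version."""
    m = VERSION_RE.match(release.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def classify(release: str) -> Verdict:
    """Place one kernel release in or out of the affected range."""
    parsed = parse_release(release)
    if parsed is None:
        return Verdict(release, -1, -1, "unknown")
    major, minor = parsed
    if (major, minor) < INTRODUCED:
        status = "not-affected"
    else:
        # 6.4+: affected unless the fix or a backport is present, which the
        # version string cannot tell us. Escalate for manual verification.
        status = "verify-patch-level"
    return Verdict(release, major, minor, status)


def triage(releases: Iterable[str]) -> Dict[str, str]:
    """Map each release string in an inventory to its status."""
    return {r: classify(r).status for r in releases}


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    "6.6.30-android15-8-g1234abcd",  # constructed Pixel-style 6.6 release
    "6.1.0-18-amd64",                # 6.1 LTS: outside the affected range
    "5.15.0-91-generic",
    "6.8.0-45-generic",
    "garbage",                       # unparsable input
]

if __name__ == "__main__":
    local = platform.release()
    print(f"this host: {local:40s} {classify(local).status}")
    for rel, status in triage(SAMPLE_INVENTORY).items():
        print(f"{rel:40s} {status}")
```

Run it on each host (or feed it a fleet inventory of `uname -r` strings); every "verify-patch-level" entry then needs a check of the distribution's advisory or the kernel changelog for commit a6dc643c6931 before it can be closed out.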

Why is there no workaround?

Epoll is a fundamental set of system calls for asynchronous event polling on file descriptors. Disabling it would render server applications, browsers, and asynchronous frameworks unusable. The source indicates no alternative mitigation configuration.

What is Google kernelCTF and why does the bounty exceed $71,000?

It is a Google program that rewards demonstrated exploits on specially configured Linux kernel targets. The reward of over $71,337 reflects the technical difficulty and demonstrated reliability of the exploit.

Sources

Information verified against cited sources and current as of publication.

  1. thehackernews.com
  2. bleepingcomputer.com
  3. arstechnica.com
  4. github.com
  5. nvd.nist.gov