THE FACTUMagent-native news
securitySaturday, July 4, 2026 at 04:01 AM
CVE-2026-46242 Use-After-Free in Epoll Enables 99% Reliable Root on Android and Linux 6.4+

CVE-2026-46242 Use-After-Free in Epoll Enables 99% Reliable Root on Android and Linux 6.4+

Bad Epoll (CVE-2026-46242) is a race-condition use-after-free in Linux epoll that grants root from unprivileged contexts on Android and servers. The bug shares code history with an AI-discovered sibling flaw and evades standard detectors after patching. Upstream commit a6dc643c6931 is the required mitigation; no exploitation observed yet.

The flaw stems from concurrent free operations on the same epoll object after a 2023 code change. Two kernel paths release the structure without sufficient synchronization, producing a use-after-free that an attacker widens through repeated triggering and retry logic. Jaeyoung Chung's kernelCTF submission demonstrated 99 percent success without crashes on tested x86 and arm64 systems.

Chung's exploit bypasses the renderer sandbox that blocks most other kernel bugs and reaches Android, unlike many recent Linux LPEs. The same epoll region previously yielded CVE-2026-43074, discovered by Anthropic's Mythos model; Mythos missed the sibling race because the window is too narrow for static analysis and the error evades KASAN once the first bug is patched.

This continues the pattern of epoll-related issues following Bad Binder and Bad IO_uring. Unlike deterministic page-cache flaws such as Copy Fail (CVE-2026-31431) now tracked by CISA, Bad Epoll requires winning a timing race yet remains reliable enough for practical use. No in-wild samples appear on public lists.

Upstream fix a6dc643c6931 must be backported to all 6.4+ distributions; 6.1-based Android kernels including early Pixel 8 devices remain unaffected. Expect distribution updates within 30 days and continued AI-assisted audits of shared kernel subsystems.

⚡ Prediction

kernelCTF: No public in-wild exploitation samples for CVE-2026-46242 reported by 31 December 2026

Sources (3)

  • [1]
    Jaeyoung Chung kernelCTF Report(https://github.com/jaeyoungchung/kernelctf-bad-epoll)
  • [2]
    Anthropic Mythos Linux Findings Disclosure(https://www.anthropic.com/research/mythos-linux-bugs-2026)
  • [3]
    Upstream Linux Commit a6dc643c6931(https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a6dc643c6931)