Bad Epoll Zero-Day Linux Kernel Flaw Lets Unprivileged Users Escalate to Root
A severe zero-day vulnerability dubbed Bad Epoll has been publicly disclosed in the Linux kernel’s epoll I/O event notification subsystem, allowing any unprivileged local user to escalate privil

A severe zero-day vulnerability dubbed Bad Epoll has been publicly disclosed in the Linux kernel’s epoll I/O event notification subsystem, allowing any unprivileged local user to escalate privileges to root on Linux desktops, servers, and Android devices alike. The bug was found and exploited by researcher Jaeyoung Chung, who submitted it as a zero-day to […] The post Bad Epoll Zero-Day Linux Kernel Flaw Lets Unprivileged Users Escalate to Root appeared first on Cyber Security News.
A severe zero-day vulnerability dubbed Bad Epoll has been publicly disclosed in the Linux kernel’s epoll I/O event notification subsystem, allowing any unprivileged local user to escalate privileges to root on Linux desktops, servers, and Android devices alike. The bug was found and exploited by researcher Jaeyoung Chung, who submitted it as a zero-day to Google’s kernelCTF program, which pays $71,337 or more for working Linux kernel exploits. Notably, Anthropic’s AI model Mythos had examined the same epoll code and found a related race bug (CVE-2026-43074) but missed Bad Epoll entirely. Bad Epoll Zero-Day Linux Kernel Flaw Bad Epoll is a race-condition use-after-free (UAF) vulnerability embedded inside the Linux kernel’s epoll subsystem a core facility used by virtually every high-performance server and application Unprivileged process escalating to root on Google kernelCTF (Source: jaeyoung) Bad Epoll stands out because it is one of roughly 10 kernelCTF-exploited bugs out of about 130 capable of rooting Android, since most privilege-escalation flaws rely on kernel modules that Android never loads. It can also be triggered from inside Chrome’s renderer sandbox, raising the possibility of chaining a renderer exploit with Bad Epoll to reach kernel code execution. Unlike module-based bugs that admins can neutralize by unloading vulnerable modules, epoll is a core kernel feature with no kill-switch, meaning patching is the only fix. The flaw lies in ep_remove(), which clears file->f_ep under file->f_lock but still uses the file object during hlist_del_rcu() and spin_unlock(). A concurrent __fput() call can observe a transient NULL value, skip eventpoll_release_file(), and proceed to free a struct eventpoll object that is still in active use, corrupting kernel memory. Because struct file uses SLAB_TYPESAFE_BY_RCU, the freed slot can be recycled via alloc_empty_file(), enabling a cross-cache attack. The race window is only about six instructions wide, yet Chung’s exploit reliably widens it using four linked epoll objects grouped into two pairs, then escalates the 8-byte UAF write into full control of a file object’s contents. From there, it achieves arbitrary kernel memory reads via /proc/self/fdinfo and builds a ROP chain to spawn a root shell, reaching roughly 99% reliability on tested targets. The bug was introduced by commit 58c9b016e128 on 2023-04-08 and fixed by commit a6dc643c69311677c574a0f17a3f4d66a5f3744b on 2026-04-24. Researchers reported it to security@kernel.org on 2026-02-17, but the maintainers’ first patch attempt was incomplete, stalling the fix until a re-report on 2026-04-22 finally produced the correct patch. Race window, and how the exploit drives (Source: jaeyoung) Jaeyoung stated that systems running kernel v6.4 or newer without the backported fix are vulnerable, while older v6.1-based kernels, including Pixel 8 devices, are unaffected since the bug was introduced in v6.4. The current proof-of-concept targets Google kernelCTF’s lts-6.12.67 (99% reliable) and cos-121-18867.294.100 (98% reliable), while a full Android root exploit for the Pixel 10 is still in progress. Administrators should check kernel version with uname -r and apply their distribution’s security update, since Ubuntu, Debian, Red Hat, and SUSE are rolling out backports of the upstream fix. There is no runtime workaround, so patching and rebooting remain the only path to remediation. Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google. The post Bad Epoll Zero-Day Linux Kernel Flaw Lets Unprivileged Users Escalate to Root appeared first on Cyber Security News.
Join the Discussion
Comments coming soon. Follow us on social media for real-time discussions.


