Linux Kernel's "Bad Epoll" Vulnerability Allows Local Privilege Escalation
A critical "Bad Epoll" vulnerability (CVE-2026-46242) has been discovered in the Linux kernel's epoll subsystem, enabling local privilege escalation and affecting Google's Android systems. The fix has been merged into the kernel.

Security researchers have identified a critical local privilege escalation (LPE) vulnerability within the Linux kernel's epoll subsystem, dubbed "Bad Epoll." The flaw, designated CVE-2026-46242, carries a high CVSS severity score of 7.8, posing a significant risk to affected systems.
The vulnerability allows an attacker to elevate privileges from a standard user to root, granting them complete control over the system. It stems from a use-after-free condition resulting from a race condition within the epoll component. Linux desktop systems, servers, and Google's Android operating system are all impacted.
The fix for this vulnerability was integrated into the main Linux kernel line in late April. The issue primarily affects systems running Linux kernel version 6.4 and later, provided the patch has not been backported. Systems still on Linux kernel 6.1 are not susceptible. Major Linux distributions, including Red Hat, SUSE, Debian, Ubuntu, and Amazon Linux, have issued security advisories detailing affected versions and their patch status.
Google's Android ecosystem is also vulnerable. Researchers demonstrated that Pixel 10 devices using Linux kernel 6.6 or newer can trigger the exploit. Conversely, devices like the Pixel 8, which use the older Linux kernel 6.1, are unaffected. The "Bad Epoll" vulnerability is particularly concerning for Android due to its potential to grant root access without relying on specific kernel modules often absent in default Android configurations.
As epoll is a core kernel mechanism, it cannot be easily disabled, leaving limited options for temporary mitigation. The most effective defense is to update to a kernel version that includes the fix. Users are strongly advised to promptly apply kernel security updates released by their respective distribution providers.