CVE: CVE-2026-46242 | CVSS: 7.8 (High) | Vendor: Linux Kernel | Product: epoll subsystem
What Is the Vulnerability
CVE-2026-46242, dubbed “Bad Epoll,” is a critical 0-day vulnerability in the Linux kernel’s epoll event notification subsystem. The flaw is a race condition combined with a use-after-free that enables an unprivileged local user to escalate to root privileges. The epoll subsystem is a core I/O multiplexing facility used extensively by high-performance server software including nginx, Apache, Node.js, Python asyncio, databases, and Android’s event loop infrastructure, making the attack surface vast.
The vulnerability allows an attacker with a low-privileged local account to trigger a use-after-free by racing operations on epoll file descriptors, corrupting kernel memory and gaining arbitrary code execution in kernel context. No special capabilities or elevated privileges are required — any local user can exploit the condition.
Versions Affected
Linux kernel versions 5.10 through 6.11 are confirmed affected. This encompasses:
- Enterprise server distributions (RHEL, Ubuntu LTS, Debian, SUSE)
- Desktop distributions (Fedora, Arch, Ubuntu Desktop)
- Android devices running kernels 5.10+ (most devices shipped since 2021)
- Container hosts and Kubernetes nodes
- Cloud VM images from major providers
On Android, successful exploitation means full device compromise: access to the secure element, credential storage, keystore, and bypass of application sandboxing. An attacker with app-level access or ADB shell access can achieve root-level control of the device.
Exploited?
This is a newly disclosed 0-day. No confirmed exploitation in the wild has been reported, but proof-of-concept exploit code is expected within days of public disclosure. Attack reliability is considered high given the deterministic nature of the race window in certain kernel configurations.
Fix
Kernel patches are under development and expected imminently via the Linux kernel mailing list. Major distribution vendors (Red Hat, Canonical, Google) are preparing coordinated patch releases. End-user and enterprise patches will roll out via standard update channels over the coming days.
Recommendations
- Prioritise multi-tenant servers and container hosts: Any environment where untrusted local users coexist with sensitive workloads.
- Monitor for kernel updates: Apply patches as soon as they are available from your distribution vendor.
- Restrict local access: Minimize local shell access on critical systems during the exposure window.
- Android device management: Enterprise MDM solutions should expedite OTA updates once Google releases the Android security patch backport.
- Audit your environment: Identify all systems running Linux kernel 5.10+ and prioritize based on multi-tenancy and exposure.
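For the audit step, the following is an added example (not from the original advisory or any vendor) that flags kernel release strings whose major.minor falls in the 5.10 through 6.11 range stated above and ranks multi-tenant hosts first. The inventory format, host names and the P1/P2/OK/UNKNOWN labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. The 5.10..6.11 range is the one stated in this advisory.
# A range match is not proof of exposure: distro kernels backport fixes
# without changing major.minor, so confirm against the vendor advisory.

# in_affected_range RELEASE: 0 = in range, 1 = outside, 2 = unparseable
in_affected_range() {
    ver=${1%%[!0-9.]*}          # "5.15.0-105-generic" -> "5.15.0"
    case "$ver" in *.*) ;; *) return 2 ;; esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ -n "$major" ] && [ -n "$minor" ] || return 2
    if [ "$major" -eq 5 ] && [ "$minor" -ge 10 ]; then return 0; fi
    if [ "$major" -eq 6 ] && [ "$minor" -le 11 ]; then return 0; fi
    return 1
}

# triage: read "host release tenancy" lines (uname -r output per host) on
# stdin and print "LABEL host release". Hypothetical labels: P1 = in range
# and multi-tenant, P2 = in range, OK = outside range, UNKNOWN = unparseable.
triage() {
    while read -r host release tenancy; do
        case "$host" in ''|'#'*) continue ;; esac
        rc=0
        in_affected_range "$release" || rc=$?
        case "$rc" in
            0) if [ "$tenancy" = multi ]; then p=P1; else p=P2; fi ;;
            1) p=OK ;;
            *) p=UNKNOWN ;;
        esac
        printf '%s %s %s\n' "$p" "$host" "$release"
    done
}

# Constructed sample inventory (not real hosts).
sample_inventory() {
    cat <<'EOF'
web-01 5.15.0-105-generic multi
db-02 6.1.0-18-amd64 single
legacy-03 4.18.0-513.el8.x86_64 multi
k8s-node-04 6.8.0-31-generic multi
edge-05 6.12.3-arch1-1 single
pixel-06 5.10.198-android13-4 single
odd-07 unknown single
EOF
}

sample_inventory | triage
```

Hosts reported as UNKNOWN need a manual check rather than being treated as unaffected.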
Part of the Vulnerability Intelligence series. See the July 4, 2026 VIR.
