Linux Bad Epoll Vulnerability: Critical Root Access Flaw with POC Exploit Released

www.news4hackers.com-linux-bad-epoll-vulnerability-critical-root-access-flaw-with-poc-exploit-released-linux-bad-epoll-vulnerability-critical-root-access-flaw-with-poc-exploit-released

Technical details and proof-of-concept (PoC) code targeting a recent Linux kernel vulnerability that could enable unprivileged processes to achieve root access on desktops, servers, and Android devices have been disclosed.

Technical Details

The flaw, designated as CVE-2026-46242 with a CVSS score of 7.8, is termed Bad Epoll. It involves a race-condition use-after-free vulnerability within the epoll subsystem, a core component of the Linux kernel responsible for managing I/O events.

Vulnerability Overview

Epoll optimizes interactions with multiple file descriptors by maintaining an interest list and a ready list, allowing the kernel to efficiently monitor and return active descriptors. Bad Epoll arises from a close-vs-close race condition in the epoll file-release mechanism, resulting in a use-after-free scenario.

Exploitation Mechanism

This occurs when one process closes a file descriptor while another simultaneously accesses it, leading to unpredictable memory behavior. The vulnerability was identified by Jaeyoung Chung from Seoul National University’s Computer Security Lab, who submitted it as a zero-day to Google’s kernelCTF program.

Discovery and Reporting

Bad Epoll was introduced in 2023 through a commit that also included CVE-2026-43074, another epoll-related race condition. The latter was discovered by Anthropic’s Mythos project, which reportedly overlooked Bad Epoll because its exploitation requires bypassing KASAN (Kernel Address Sanitizer), a memory error detection tool.

Remediation Challenges

Chung noted that remediation of Bad Epoll proved challenging. Initial patches failed to fully address the issue, with a definitive fix implemented two months after the vulnerability was reported. This delay contrasts with the typical urgency applied to kernel security flaws.

PoC Exploit and Impact

A PoC exploit developed by Chung demonstrates how Bad Epoll can be leveraged to leak kernel memory and manipulate indirect calls, ultimately allowing control over the CPU’s instruction pointer. Systems running Linux kernel versions 6.4 or later are affected, including Pixel 10 devices operating on kernel 6.6.

Urgency for Mitigation

The public release of the PoC underscores the urgency for mitigation, as the flaw could enable privilege escalation attacks if exploited in the wild. The vulnerability highlights ongoing risks in kernel-level code, particularly in complex subsystems like epoll.

Conclusion

Researchers emphasize the need for rigorous testing and timely patching to prevent exploitation, especially given the widespread use of affected kernel versions across diverse platforms.



About Author

en_USEnglish