Critical Linux Kernel Vulnerability CVE-2023-0179 Grants Root Access

Jennifer Sherman
July 4, 2026

Key Takeaways

  • A critical vulnerability, dubbed “Bad Epoll” (CVE-2026-46242), has been discovered in the Linux kernel’s epoll subsystem.
  • This flaw enables an unprivileged local user to escalate privileges to root access on Linux servers, desktops, and Android devices.
  • The vulnerability is a use-after-free issue, making it particularly dangerous as it can lead to kernel memory corruption.
  • The exploit is highly reliable, even within sandboxed environments like Chrome’s renderer, and there is no known workaround besides applying the official patch.

A severe vulnerability within the Linux kernel, identified as “Bad Epoll” (CVE-2026-46242), has come to light, posing a significant risk to a wide array of systems. This flaw allows a local attacker without elevated privileges to gain full root access on Linux-based systems, including servers, desktop environments, and Android devices. The vulnerability stems from a race condition combined with a use-after-free (UAF) error in the kernel’s epoll subsystem.

The core of the “Bad Epoll” vulnerability is a UAF condition in the ep_remove() function. This function clears file->f_ep while holding file->f_lock, but the critical section continues to use the file object in the operations that follow, such as hlist_del_rcu() and spin_unlock(). Clearing the pointer before the object’s last use is what opens the race window.

During this window, a concurrent call to __fput() can observe a transient NULL value for file->f_ep. __fput() therefore skips eventpoll_release_file() and proceeds directly to f_op->release, freeing a struct eventpoll object that is still in use and corrupting kernel memory. Compounding the issue, because struct file is marked SLAB_TYPESAFE_BY_RCU, the freed slot can quickly be reallocated by alloc_empty_file(), which lets an attacker trigger a kmem_cache_free() against the wrong slab cache, a crucial step in the exploit chain.
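As an added illustration (not code from the article or from the kernel), the following C model enumerates every interleaving of the two paths described above, ep_remove() clearing f_ep before its last use of the object and __fput() reading f_ep, and reports whether any schedule frees the eventpoll while it is still in use. The step order follows the article’s description; the hardened variant (reading f_ep only under f_lock) is a hypothetical fix included for comparison, not the upstream patch, which the article does not show.

```c
#include <stdbool.h>

/* Model state for one file and its epoll registration (not kernel code). */
struct st {
    bool f_ep_set;  /* file->f_ep is non-NULL */
    bool locked;    /* file->f_lock held by ep_remove() */
    bool ep_freed;  /* struct eventpoll already freed */
    bool saw_null;  /* value __fput() observed when it read f_ep */
    int r, f;       /* next step of ep_remove() and of __fput() */
};
/* ep_remove() in the order the article describes: 0 take f_lock, 1 clear
 * f_ep, 2 hlist_del_rcu() (still touches the eventpoll), 3 spin_unlock().
 * Returns true when step 2 touches an eventpoll that was already freed. */
static bool step_remove(struct st *s) {
    bool uaf = false;
    switch (s->r++) {
    case 0: s->locked = true;    break;
    case 1: s->f_ep_set = false; break;
    case 2: uaf = s->ep_freed;   break;
    case 3: s->locked = false;   break;
    }
    return uaf;
}
/* __fput(): step 0 reads f_ep; at step 1 a NULL read skips
 * eventpoll_release_file() and f_op->release frees the eventpoll.
 * hardened=true is a hypothetical fix (not the upstream patch): read f_ep
 * only under f_lock, so the read blocks (returns false) while it is held. */
static bool step_fput(struct st *s, bool hardened) {
    if (s->f == 0) {
        if (hardened && s->locked) return false;
        s->saw_null = !s->f_ep_set;
    } else if (s->saw_null) {
        s->ep_freed = true;
    }
    s->f++;
    return true;
}
/* Depth-first search over every interleaving of the two paths. */
static bool uaf_reachable(struct st s, bool hardened) {
    struct st a = s, b = s;
    if (s.r < 4 && (step_remove(&a) || uaf_reachable(a, hardened))) return true;
    if (s.f < 2 && step_fput(&b, hardened) && uaf_reachable(b, hardened)) return true;
    return false;
}
/* true if some schedule frees the eventpoll while ep_remove() still uses it. */
bool bad_epoll_model(bool hardened) {
    struct st init = { .f_ep_set = true };
    return uaf_reachable(init, hardened);
}
```

With the original ordering the search finds a schedule in which __fput() reads NULL between the clear and hlist_del_rcu(), so the free lands while the object is still in use; with the read moved under f_lock no such schedule exists.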

The discovery and successful exploitation of this vulnerability were credited to researcher Jaeyoung Chung. Chung submitted the zero-day exploit to Google’s kernelCTF program, which rewards researchers for identifying and exploiting Linux kernel flaws, offering payouts of $71,337 or more for working exploits.

Unlike many Linux privilege escalation bugs that target optional or less critical kernel modules, “Bad Epoll” directly impacts the epoll subsystem. Epoll is a fundamental component of the Linux kernel and cannot be disabled or unloaded without crippling core operating system and browser functionality. This inherent nature of epoll makes “Bad Epoll” particularly dangerous, as it can even be exploited to gain root access on Android devices, a capability not typically seen with vulnerabilities like “Copy Fail.”

Exploitation Details and Reliability

A notable aspect of “Bad Epoll” is its potential reach. The vulnerability is exploitable even from within sandboxed environments, such as Chrome’s renderer process. This opens the door for attackers to chain a renderer exploit with “Bad Epoll” to achieve full kernel code execution. Despite the race window being incredibly narrow—estimated at only about six instructions wide—Chung’s exploit demonstrates remarkable sophistication. It successfully widens this timing window and retries the exploit without causing kernel crashes, achieving an impressive reliability rate of approximately 99% on tested systems.

The genesis of this vulnerability can be traced back to a single kernel commit in 2023, which inadvertently introduced two distinct race conditions into the same 2,500-line epoll code path. The first of these, CVE-2026-43074, was notably discovered by Anthropic’s AI model, Mythos, highlighting the increasing capability of advanced AI to identify complex kernel race bugs.

“Bad Epoll” was the second, more elusive flaw that Mythos failed to detect. This oversight is likely due to the extremely narrow timing window required for its trigger and the fact that it rarely activates KASAN, the kernel’s primary memory-error detection tool. Consequently, “Bad Epoll” leaves minimal runtime evidence, making it difficult to spot. The initial patch attempt by maintainers did not fully resolve the issue, and a complete, correct fix was only implemented nearly two months after the vulnerability’s initial disclosure.

The exploit itself leverages four epoll objects, configured into two pairs. By closing one pair, the race condition is triggered, while the other pair becomes the victim object. This intricate manipulation transforms an 8-byte UAF write into a UAF on a file object through a cross-cache attack. From this point, the attacker gains arbitrary kernel memory read access, typically through /proc/self/fdinfo, and then hijacks control flow using a return-oriented programming (ROP) chain to ultimately obtain a root shell.

What You Should Do

  • Apply Patches Immediately: Since epoll is a critical system component with no viable workaround, the most crucial mitigation is to apply the upstream patch as soon as possible.
  • Monitor for Distribution Backports: If you are using a specific Linux distribution, keep a close watch for official backports of the patch from your vendor and apply them without delay.
  • Regularly Update Systems: Ensure all Linux servers, desktops, and Android devices are kept up-to-date with the latest security patches to protect against this and other known vulnerabilities.
  • Implement Least Privilege: While not a direct fix for this kernel vulnerability, maintaining a strong least privilege model for local users can limit the impact of successful privilege escalation exploits.
