'Bad Epoll' Linux Vulnerability Gives Attackers Root Access — Android Phones Are Affected Too

Jaeyoung Chung, a security researcher at Seoul National University, found something worrying in the Linux kernel earlier this year. The vulnerability, now tracked as CVE-2026-46242 and nicknamed “Bad Epoll,” lives in the epoll subsystem, a core piece of the Linux kernel that handles how applications respond to I/O events. It earned a CVSS score of 7.8, putting it in the high-severity bucket, and its reach extends well beyond desktop Linux.

The bug is a race condition in the epoll subsystem that leads to a use-after-free (UAF) flaw. In plain terms: an attacker who already has limited access to a machine can exploit it to escalate their privileges all the way to root, giving them full control over the system. The Hacker News first reported on the discovery.

Systems running Linux kernel 6.4 or later are vulnerable. That includes the vast majority of modern Linux distributions — Red Hat, SUSE, Debian, Canonical’s Ubuntu, and Amazon Linux have all issued security advisories detailing which versions need patching. Machines still on the 6.1 kernel line are safe, since the bug was introduced in 6.4.

What makes Bad Epoll especially notable is its impact on Android. Chung demonstrated that Pixel 10 devices, which use a Linux 6.6-based kernel, can trigger the exploit through a proof-of-concept. Pixel 8 phones and other devices on the Linux 6.1 kernel are not affected.

According to Chung, Bad Epoll is one of a small handful of Android-relevant kernel vulnerabilities that actually work in practice. Of the roughly 130 exploitable bugs tracked in kernelCTF, only about 10 can be turned into a full root exploit on Android. Most others rely on kernel modules that Android simply doesn’t load by default, making them dead ends for attackers. Bad Epoll is an exception, and a dangerous one.

There is no practical workaround. Epoll is a fundamental part of the Linux kernel, baked into how applications handle I/O events. You cannot simply disable it to protect an unpatched system. The only reliable defense is to update the kernel to a version that includes the fix, which was merged into the mainline Linux kernel in late April.

Chung’s advice is straightforward: keep up with your distribution’s kernel security updates. For desktop and server users, that means applying the latest kernel patches as soon as they’re available. For Android users, it means waiting for the monthly security update from Google and installing it promptly when it arrives.