
‘Bad Epoll’ Linux 0‑Day Puts Servers and Android Devices One Bug Away From Root
Researchers disclosed a “Bad Epoll” 0‑day in the Linux kernel, CVE‑2026‑46242, that lets an unprivileged local user reliably escalate to root with a use‑after‑free bug in the epoll subsystem. With the flaw reachable from Chrome’s renderer sandbox, millions of Linux servers and Android devices are only a browser compromise away from full system takeover.
A critical vulnerability in the heart of the Linux kernel is forcing security teams to reassess how much protection sandboxing really provides. Dubbed “Bad Epoll,” the newly disclosed 0‑day, tracked as CVE‑2026‑46242, allows an unprivileged local user to gain root privileges on affected systems by exploiting a race condition in the kernel’s epoll subsystem.
Researchers who analyzed the bug describe it as a use‑after‑free condition triggered by carefully orchestrated interactions with epoll, the I/O notification mechanism used widely by modern Linux applications and services. By manipulating how file descriptors are registered and deregistered under heavy concurrency, an attacker can cause the kernel to operate on freed memory, ultimately hijacking execution and escalating their privileges.
In practical terms, the exploit they developed achieved around 99% reliability in testing — an unusually high success rate for a kernel‑level attack. Because epoll is exposed to user space and heavily used in servers, desktops and mobile devices, the vulnerability has a very broad reach. Linux distributions that ship kernels with the affected code path enabled are at risk, as are Android devices built on top of those kernels.
The most worrying detail for many defenders is that Bad Epoll is reachable from within the Chrome renderer sandbox. That means an attacker who can first exploit a browser bug to execute arbitrary code inside the sandbox can then chain the epoll vulnerability to break out and seize full control of the underlying operating system. For users, the path from visiting a malicious website to having their entire machine compromised shrinks to a single, chained exploit.
On servers, the stakes are higher still. Many high‑performance web stacks, reverse proxies, load balancers and real‑time applications rely on epoll for efficient event handling. Shared hosting environments, container platforms and multi‑tenant systems often assume that compromising a single unprivileged process does not automatically translate into a full system takeover. Bad Epoll undermines that assumption: any foothold on an affected server — via a web application flaw, a misconfigured service, or a stolen low‑privilege account — can become a stepping stone to root.
On Android, the attack surface looks different but is no less serious. Although installing arbitrary native binaries is harder on consumer phones, the same fundamental kernel weakness exists under the hood. A successful application‑level exploit or a compromise of a browser or rendering engine on the device could leverage Bad Epoll to gain system‑level control, bypassing many of the protections Google and device manufacturers have layered above the kernel.
For governments, cloud providers and enterprises that rely on Linux for critical infrastructure, the discovery reinforces a hard lesson: kernel 0‑days collapse defense‑in‑depth. Sandboxes, container boundaries and user‑space privilege separation all assume that the kernel enforces the final line between code and full control. When a bug like Bad Epoll offers almost guaranteed root access from a local context, those assumptions must be revisited until patches are widely deployed.
The memorable truth here is that you can harden every application and still lose the system if one widely used kernel subsystem has a hole. Every browser tab, microservice and container ultimately leans on the same underlying epoll implementation.
Key signals to watch in the coming days include how quickly major Linux distributions and Android vendors ship patched kernels, whether exploit code becomes publicly available beyond research circles, and if threat intelligence teams start to see Bad Epoll chained with browser or application exploits in the wild. Until then, operators of sensitive systems may need to treat any local compromise as equivalent to a potential full system breach.
Sources
- OSINT