A newly disclosed Linux kernel flaw called Bad Epoll (CVE-2026-46242) lets any ordinary user on a machine escalate to full root, and it affects Linux servers, desktops, and Android devices running kernel 6.4 or newer. It was published on July 3, 2026 after researcher Jaeyoung Chung submitted a working exploit to Google's kernelCTF program. A fix is already in the mainline kernel, but most distributions still need to ship a backport, so the practical job right now is to check your kernel version and apply your distro's security update the moment it lands.
There is one piece of good news up front: as of this writing the bug is not on CISA's Known Exploited Vulnerabilities catalog, and the only working exploit is the proof of concept from the contest. That gives you a window to patch before it shows up in real attack chains.
What is Bad Epoll and why does it give root?
Bad Epoll is a race-condition use-after-free in the kernel's epoll subsystem, the mechanism Linux uses to watch large numbers of files and network sockets at once. Two parts of the kernel try to clean up the same internal object at the same time: one thread frees the memory while another is still writing into it. That overlap lets an attacker corrupt kernel memory in a controlled way and rewrite their own process credentials until the kernel treats them as root.
What makes the flaw notable is how narrow the opening is. The exploitable race window is about six machine instructions wide, a sliver of time so small it is hard to hit even when you can read the vulnerable code. That difficulty is why nobody spotted it for over two years, and also why a reliable exploit is impressive enough to earn a kernelCTF payout. It does not make you safe, though: once someone writes the exploit, the six-instruction window stops being your protection.
Which kernel versions are affected?
The bug was introduced by an epoll code change in 2023 and shipped in Linux 6.4. Anything on 6.4 through the current line without the fix is exposed; older kernels built on the 6.1 series never had the offending code and are not affected. The fix is mainline commit a6dc643c6931, landed in April 2026, and each distribution backports it on its own schedule.
| Kernel line | Affected? | What to do |
|---|---|---|
| 6.1 LTS and older | No | Bug predates these; no action for this CVE |
| 6.4 – current (unpatched) | Yes | Update to your distro's patched build, then reboot |
| Any build with commit a6dc643c6931 | No | Already fixed; confirm and move on |
| Android on 6.4+ kernels | Yes | Wait for the device/vendor security update |
Note that Android is in scope where the device ships a 6.4-or-newer kernel; hardware still on 6.1, such as some existing phones, is not affected. On servers, the risk follows the kernel, not the distro name, so a "stable" LTS distro can still be running an affected 6.x kernel.
How to check and patch your own servers
Start by reading the running kernel version, then compare it against your distribution's advisory. On any Linux box:
```bash
uname -r                                            # e.g. 6.8.0-40-generic; 6.4+ means check for the patch
apt list --upgradable 2>/dev/null | grep -i linux   # Debian/Ubuntu
dnf updateinfo list security | grep -i kernel       # Fedora/RHEL family
```
Then apply the security update and reboot into the new kernel. A patched kernel package does nothing until you actually reboot onto it, which is the step people skip. If you cannot take downtime immediately, a live-patching service (kernel livepatch on Ubuntu, kpatch on RHEL) can close the hole without a reboot on supported kernels, buying time until a maintenance window. Watch your distro's security channel — Ubuntu USNs, the Debian security tracker, or your vendor's advisory feed — for the CVE-2026-46242 entry, since the mainline fix and the packaged backport arrive on different days.
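As an added example (not code from the article), a small POSIX shell script that classifies the running kernel against the 6.4-and-newer range described above and flags the case where a newer kernel package is installed but the machine has not been rebooted onto it. It assumes GNU sort -V and the usual one-directory-per-installed-kernel layout under /lib/modules; the script name badepoll-check.sh is a placeholder.

```shell
#!/bin/sh
# Added example, not from the article: classify a kernel release string against the
# Bad Epoll affected range (6.4 and newer, as the article states) and flag when a
# newer kernel is installed than the one running, i.e. the reboot step was skipped.
# Assumes GNU sort (-V) and one directory per installed kernel under /lib/modules.

# Return 0 when the release's major.minor is 6.4 or newer, 1 when older,
# 2 when the string cannot be parsed.
kernel_in_affected_range() {
    rel=$1
    case "$rel" in *.*) ;; *) return 2 ;; esac
    major=${rel%%.*}                  # "6.8.0-40-generic" -> "6"
    rest=${rel#*.}                    # -> "8.0-40-generic"
    minor=${rest%%[!0-9]*}            # -> "8" (stops at the first non-digit)
    for n in "$major" "$minor"; do
        case "$n" in ""|*[!0-9]*) return 2 ;; esac
    done
    if [ "$major" -gt 6 ]; then return 0; fi
    if [ "$major" -eq 6 ] && [ "$minor" -ge 4 ]; then return 0; fi
    return 1
}

# Return 0 when the running release ($1) is not the newest of the installed
# releases (remaining args): the patched kernel is staged but not active.
reboot_pending() {
    running=$1; shift
    newest=$(printf '%s\n' "$@" | sort -V | tail -n 1)
    if [ -n "$newest" ] && [ "$newest" != "$running" ]; then return 0; fi
    return 1
}

# Live check for the current host; prints one line per finding.
check_host() {
    running=$(uname -r)
    rc=0; kernel_in_affected_range "$running" || rc=$?
    case $rc in
        0) echo "$running is in the 6.4+ range: confirm your distro shipped the CVE-2026-46242 backport" ;;
        1) echo "$running predates 6.4: not affected by CVE-2026-46242" ;;
        *) echo "could not parse kernel release '$running'" ;;
    esac
    if reboot_pending "$running" $(ls /lib/modules 2>/dev/null); then
        echo "a newer kernel is installed but not running: reboot to activate it"
    fi
}

# Run the live check only when invoked with --check, e.g. sh badepoll-check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

The version check only tells you whether the kernel is in the affected range; whether the backport is present still has to be confirmed against the distro advisory, since backported packages keep the same major.minor.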
Why a "local only" bug still matters for a single VPS
It is tempting to shrug at a local privilege-escalation bug: an attacker needs to already be on the machine, so if nobody has a shell, there is nothing to escalate. That reasoning breaks down in practice. Local root is the second stage of most real intrusions. A web app with a remote-code-execution bug, a leaked deploy key, a poisoned dependency, or a compromised container all get an attacker some code execution as an unprivileged user. Bad Epoll is what turns that foothold into full control of the host, including every other app and database on the same box.
That is exactly the shape of risk on a self-managed VPS, where your app, your database, and your control plane usually share one kernel. If you run your own server, this bug belongs in the same hardening checklist as SSH keys and a firewall — the basics we walk through in our guide to self-hosting apps on a VPS. It is also a reminder that perimeter defenses are not enough on their own; layered controls like the zero-trust model assume a breach will happen and limit what a single compromised account can reach.
Is Bad Epoll being exploited in the wild?
Not yet. There is no sign of real-world use, the vulnerability is absent from CISA's KEV list, and the only public exploit is the kernelCTF submission. But "no exploitation yet" is a schedule, not a verdict. Public kernel LPEs are routinely weaponized once researchers or attackers rebuild the technique, and the details are now out in the open. The safe assumption is that a working exploit will circulate, so treat the patch as time-sensitive rather than optional. This pattern — a fast-moving flaw that defenders have to race — is becoming the norm as attackers automate more of the work, a trend we covered in AI agent security and the prompt-injection crisis.
FAQ
Do I need to reboot after patching Bad Epoll?
Yes, unless you use live kernel patching. Installing the updated kernel package stages the fix, but the vulnerable code keeps running until you boot into the new kernel. Livepatch (Ubuntu) or kpatch (RHEL) can apply the fix to a running kernel on supported versions if you cannot reboot right away.
Is my server affected if it runs an LTS distribution?
Possibly. What matters is the kernel version, not the distro's marketing. An LTS release can still ship a 6.4-or-newer kernel, which is the affected range. Run uname -r and check your distro's advisory for CVE-2026-46242.
Are Android phones at risk?
Only those on a 6.4-or-newer kernel. Devices still on 6.1-based kernels, including some current phones, are not affected. Where a device is in range, wait for and install the vendor's security update.
How serious is this compared with a remote exploit?
On its own, a local flaw needs an attacker to already have a foothold, so it rates below a remote code-execution bug. In practice it is the standard next step after an initial breach, which is why local root bugs are prized and why patching promptly still matters.
Sources
- The Hacker News — New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root: primary reporting on CVE-2026-46242, the epoll use-after-free root cause, the ~six-instruction race window, affected 6.4+ kernels, fix commit a6dc643c6931, discovery by Jaeyoung Chung via Google kernelCTF, and no in-the-wild use.
- CISA Known Exploited Vulnerabilities Catalog: reference for confirming whether CVE-2026-46242 has been added as an actively exploited vulnerability.
- bad-epoll proof-of-concept repository: the public kernelCTF exploit code demonstrating the privilege escalation.
Waqas Ahmed Waseer
Waqas Ahmed Waseer is a developer and automation builder with 8+ years shipping production systems used by 100k+ people. He builds custom multi-tenant SaaS, AI automation (n8n, LLM workflows, WhatsApp bots) and hosting infrastructure (WHM/cPanel, CloudLinux) — and is the maker of WaSphere, FlowMaticX, and the WaseerHost hosting brand. 100+ projects delivered for SMBs, agencies and funded startups.