A newly discovered Linux kernel vulnerability called "Bad Epoll" (CVE-2026-46242) lets unprivileged local users gain full root access on Linux servers, desktops, and Android devices. The flaw exploits a race condition and use-after-free bug in the kernel's epoll subsystem — a core component that can't be disabled without breaking the OS.
Researcher Jaeyoung Chung found and exploited the bug, submitting it to Google's kernelCTF program, which pays $71,337+ for working kernel exploits. The exploit achieves roughly 99% reliability and can even be chained with a Chrome renderer exploit for full kernel code execution. No workaround exists — patching is the only fix.
Source: Cybersecurity News