CriticalBad Epoll 0-Day Grants Root Access on Linux and Android Devices

0
5

Key Takeaways:

  • CVE‑2026-46242 (“Bad Epoll”) is a use‑after‑free race condition in the Linux kernel’s epoll subsystem that lets an unprivileged local user gain root privileges.
  • The flaw resides in ep_remove(), where clearing file->f_ep under file->f_lock is followed by unsafe use of the same file object during hlist_del_rcu() and spin_unlock().
  • A concurrent __fput() can observe a transient NULL pointer, skip eventpoll_release_file(), and directly invoke f_op->release, freeing a still‑in‑use struct eventpoll.
  • Because struct file is SLAB_TYPESAFE_BY_RCU, the freed slot may be reclaimed by alloc_empty_file(), enabling a cross‑cache kmem_cache_free() attack that corrupts kernel memory.
  • Discovered by researcher Jaeyoung Chung and submitted as a zero‑day to Google’s kernelCTF program (reward ≥ $71,337), the exploit works on Linux servers, desktops, and Android devices, and can be reached from Chrome’s renderer sandbox.
  • Despite a race window of only about six instructions, Chung’s exploit widens the window and retries, achieving ~99 % reliability on tested targets.
  • The vulnerability follows a earlier AI‑found race (CVE‑2026-43074) and was missed by the same AI model due to its narrow timing and low KASAN visibility.
  • A correct upstream patch was released nearly two months after disclosure; no workaround exists because epoll cannot be disabled without breaking core OS and browser functionality.

Overview of Bad Epoll
Bad Epoll (CVE‑2026-46242) is a newly disclosed privilege‑escalation flaw in the Linux kernel’s epoll interface, a core component used for efficient I/O event multiplexing. The vulnerability is classified as a use‑after‑free (UAF) triggered by a race condition within the ep_remove() function. An attacker with only local, unprivileged access can manipulate file descriptors tied to epoll instances to cause the kernel to free a struct eventpoll object while it is still referenced, leading to arbitrary kernel memory corruption and ultimately root access. The bug affects all major Linux distributions, Android kernels, and even environments where Chrome’s renderer sandbox is present, making it a high‑impact threat across servers, desktops, and mobile devices.

Technical Details of the UAF and Race Condition
The root cause lies in ep_remove(), which performs the following steps under the protection of file->f_lock: it clears file->f_ep (the back‑pointer from a struct file to its associated struct eventpoll), then proceeds to call hlist_del_rcu() to remove the file from the epoll’s ready‑list, and finally releases the lock with spin_unlock(). If another thread concurrently invokes __fput() on the same struct file, it may observe the temporarily cleared file->f_ep as NULL, incorrectly concluding that the file is no longer associated with an epoll instance. Consequently, __fput() skips the proper cleanup routine eventpoll_release_file() and jumps straight to the file’s f_op->release operation, which frees the struct eventpoll while it is still linked in epoll’s internal data structures. Because struct file is marked SLAB_TYPESAFE_BY_RCU, the freed memory can be reclaimed by alloc_empty_file(), allowing the attacker to trigger a kmem_cache_free() against an incorrect slab cache and corrupt kernel state.

Exploitation Mechanics and Reliability
Chung’s exploit transforms this narrow race into a reliable primitive by widening the effective window through repeated attempts and careful synchronization. The race itself spans only about six CPU instructions, but the exploit employs a tight loop that repeatedly opens and closes epoll file descriptors while holding locks in a way that increases the probability of observing the inconsistent state. On test systems, the attack succeeds roughly 99 % of the time without crashing the kernel, a remarkable reliability rate for a UAF‑based privilege escalation. Once the race wins, the attacker gains control over a freed struct eventpoll object, which can be manipulated to forge arbitrary kernel memory reads and writes.

Connection to Prior CVE and AI Discovery
Bad Epoll is not the first race condition uncovered in the epoll subsystem; a previous flaw, CVE‑2026-43074, was identified by Anthropic’s AI model Mythos, showcasing the growing capability of machine‑learning‑driven static analysis to detect kernel concurrency bugs. Mythos, however, missed Bad Epoll because the vulnerability’s timing window is exceptionally narrow and it rarely triggers KASAN, the kernel’s primary memory‑error detector, leaving little runtime evidence for the AI to latch onto. The initial patch attempt by maintainers only partially addressed the issue, and a definitive fix was not merged until nearly two months after public disclosure, underscoring the difficulty of diagnosing and repairing such subtle races.

Attack Surface: Android and Chrome Sandbox
Unlike many privilege‑escalation bugs that rely on loadable kernel modules, Bad Epoll targets the epoll subsystem, which is a non‑optional, core part of the Linux kernel. Consequently, the vulnerability cannot be mitigated by simply disabling a module; it affects any system running a vulnerable kernel, including Android devices where epoll is integral to the Binder IPC framework and numerous native services. Furthermore, because epoll file descriptors are accessible from within Chrome’s renderer sandbox, an attacker who first achieves a renderer exploit can chain it with Bad Poll to escape the sandbox and obtain full kernel code execution, dramatically increasing the exploit’s relevance in browser‑based attack chains.

Exploit Construction: Four epoll Objects and Cross‑Cache Attack
The exploit strategy uses four epoll file descriptors arranged into two pairs. Closing one pair triggers the race condition, while the other pair serves as a “victim” object whose associated struct eventpoll remains active. This arrangement converts the initial 8‑byte UAF write into a UAF on a file object via a cross‑cache attack: the freed eventpoll memory is reallocated by alloc_empty_file() as a fresh struct file, allowing the attacker to manipulate kernel slab caches and eventually gain arbitrary read/write primitives. Leveraging /proc/self/fdinfo, the attacker can leak kernel pointers, and with a carefully crafted return‑oriented programming (ROP) chain built from gadgets in the kernel binary, they hijack control flow to spawn a root shell.

Mitigation and Patch Status
Because epoll cannot be disabled without breaking essential OS functionality and browser features, there is no practical workaround; administrators must apply the upstream patch that correctly synchronizes the clearing of file->f_ep with the subsequent use of the file object, ensuring that any concurrent __fput() observes a valid back‑pointer or properly defers cleanup. The fix was merged into the mainline Linux kernel nearly two months after the initial disclosure, and major distributions have begun backporting it to their stable branches. Systems running kernels prior to the patched version should be updated immediately, and environments that cannot be patched promptly should consider additional mitigations such as restricting local user access, employing SELinux/AppArmor profiles to limit epoll usage, and monitoring for abnormal epoll‑related syscall patterns.

Conclusion and Recommendations
Bad Epoll exemplifies how a subtle race condition in a widely used kernel interface can lead to severe privilege escalation across diverse platforms, from Linux servers to Android smartphones and even sandboxed browser contexts. Its discovery highlights both the promise and limits of AI‑assisted bug finding, as well as the necessity of rigorous manual auditing for concurrency‑sensitive code. Organizations should prioritize kernel updates, enforce the principle of least privilege for local accounts, and consider deploying runtime integrity monitors that can detect anomalous slab‑cache behavior or unexpected /proc/self/fdinfo accesses. By staying current with patches and maintaining vigilant local‑access controls, the risk posed by Bad Epoll—and similar future epoll‑related vulnerabilities—can be substantially mitigated.

SignUpSignUp form

LEAVE A REPLY

Please enter your comment!
Please enter your name here