Exploit against the kernel of Linux and Android showed a record success of the performance at the level of 99 percent

Depov

Moderator
Staff member
MODERATOR
ULTIMATE
SUPREME
PREMIUM
MEMBER
Joined
Feb 18, 2025
Messages
167
Reaction score
166
Deposit
0$
In the Linux kernel, a vulnerability has been found that turns an ordinary user into a root and can hurt not only servers and workstations, but also Android devices. The problem was named Bad Epoll and CVE-2026-46242. Researcher Jayön Jiang found an error in the subsystem epoll, assembled a working exploit and sent a vulnerability to the Google kernelCTF program as zero-day.

Epoll helps programs monitor multiple files, sockets and network connections at once. This mechanism is used by servers, network services, browsers and other basic components of Linux systems. It is impossible to disable epoll without breaking important functions, so there is no simple workaround for administrators. The only reliable protection option is to install the correction of the kernel or backup from the distribution.

Bad Epoll belongs to the class of use-after-free and occurs due to the race in the ep_remove code. In a simplified form, two parts of the kernel simultaneously clean the same internal object. One part frees up memory, and the other still continues to work with the liberated area. Such a short collision allows the attacker to damage the nucleus’s memory, get a reading of arbitrary memory areas and then intercept control over the ROP chain to open the root sheath.

The reliability of the attack adds to a particular danger. The race window takes about six instructions, so a random hit is almost impossible, but the Chon exploit expands the desired moment and repeats attempts without falling the core. For test goals, kernelCTF researcher received about 99% of successful launches for LTS kernel and 98% for Google CSS. The Android exploit is still in operation, but the researcher himself indicates that the devices on the kernels 6.6 and the newest can be suitable for further attack, while the Pixel 8 and other devices on the 6.1 core are not affected.

The history of Bad Epul is highlighted by another detail. The same area of the code has already come to the attention of the Anthropic Mythos model, which found a nearby race with the number CVE-2026-43074. According to Chung, the model missed Bad Epoll, probably because of too narrow time window and weak traces of error during execution. After fixing the first vulnerability, the Bad Epoll error usually did not work in KASAN, the main memory error detector in the Linux kernel, so the rent term did not give a bright signal about the problem.

The vulgar code hit the kernel on April 8, 2023, along with the comet 58c9b016e128, and the correct correction appeared on April 24, 2026 in the commit a6dc643c6931. Distributions and devices with Linux 6.4 kernels and newer are under threat if the vendor has not yet moved the correction to its branch. Administrators should check the updates of a particular distribution, because the status of packages varies even within the same ecosystem. For example, the Debian tracker marks one branch as corrected or unaffected, and for others specifies the remaining risk.
 
Top Bottom