A newly disclosed Linux kernel flaw dubbed “Unhealthy Epoll” (CVE-2026-46242) permits an unprivileged native consumer to escalate to root on Linux servers, desktops, and Android gadgets by exploiting a race situation and a use-after-free (UAF) within the kernel’s epoll subsystem.
Unhealthy Epoll is a UAF vulnerability in ep_remove(), which clears file->f_ep beneath file->f_lock however continues utilizing the file object contained in the crucial part throughout hlist_del_rcu() and spin_unlock().
A concurrent __fput() name can observe a transient NULL worth, skip eventpoll_release_file(), and proceed straight to f_op->launch, liberating a watched struct eventpoll that’s nonetheless in use, corrupting kernel reminiscence. As a result of struct file is SLAB_TYPESAFE_BY_RCU, the freed slot may also be recycled by alloc_empty_file(), letting an attacker set off a kmem_cache_free() in opposition to the incorrect slab cache.
The bug was found and exploited by researcher Jaeyoung Chung, who submitted it as a zero-day to Google’s kernelCTF program, which pays out $71,337 or extra for working Linux kernel exploits.
In contrast to most Linux privilege-escalation bugs, Unhealthy Epoll can root Android as a result of epoll is a core kernel part that can not be disabled or unloaded, in contrast to optionally available modules exploited by bugs similar to Copy Fail.

Unhealthy Epoll Vulnerability Permits Root Entry
Additionally it is reachable from inside Chrome’s renderer sandbox, elevating the potential of chaining a renderer exploit with Unhealthy Epoll for full kernel code execution. Regardless of a race window solely about six directions large, Chung’s exploit widens the window and retries with out crashing the kernel, reaching roughly 99% reliability on examined targets.

A single 2023 kernel commit launched two separate race situations into the identical 2,500-line epoll code path. The primary, CVE-2026-43074, was found by Anthropic’s AI mannequin Mythos, demonstrating frontier AI’s rising functionality to seek out kernel race bugs.
Unhealthy Epoll was the second, harder-to-spot flaw that Mythos missed, probably due to its slim timing window and the truth that it not often triggers KASAN, the kernel’s major memory-error detector, leaving little runtime proof behind. The maintainers’ first patch try didn’t totally resolve the difficulty, and an accurate repair landed almost two months after preliminary disclosure.
The exploit makes use of 4 epoll objects grouped into two pairs; closing one pair triggers the race whereas the opposite turns into the sufferer object, turning an 8-byte UAF write right into a UAF on a file object by way of a cross-cache assault.
From there, the attacker positive factors arbitrary kernel reminiscence learn entry by /proc/self/fdinfo and hijacks management movement with a return-oriented programming (ROP) chain to acquire a root shell.
As a result of epoll can’t be disabled with out breaking core OS and browser performance, there isn’t a workaround; directors should apply the upstream patch or await a distribution backport.
Strengthen Your SOC by Accelerating Risk Detection & Speedy Investigations. -> Integrate ANY.RUN With Your SOC Now.








