Skip to main content
LiMP VPN
All news

Bad Epoll: Linux Kernel Flaw Gives Root on Android

Bad Epoll: Linux Kernel Flaw Gives Root on Android

In short: On 6 July 2026, a researcher disclosed Bad Epoll (CVE-2026-46242), a flaw in the Linux kernel that lets an ordinary unprivileged program gain full root control. It affects servers, PCs and Android phones on vulnerable kernel versions. There is no known exploitation in the wild yet, but a proof-of-concept is already public. The main defense is to update your system.

What happened

On 6 July 2026, researcher Jaeyoung Chung disclosed a vulnerability in the epoll subsystem of the Linux kernel, named Bad Epoll and tracked as CVE-2026-46242. It is a race-condition use-after-free bug: two kernel threads free the same internal memory object almost simultaneously, and then one keeps using it. In that brief window, memory can be corrupted to escalate privileges to root — full control of the device.

Kernels based on the 6.4 branch and newer are affected; older LTS kernels such as 6.1 are not. Because Linux runs not only servers and PCs but also Android smartphones, the issue reaches mobile devices too. We explain how network privacy works and why updates matter on our blog.

Is this dangerous for my phone?

One key limitation matters: Bad Epoll is a local vulnerability, not a remote one. To use it, an attacker must already run code on your device — for example, through a malicious or compromised app. The bug alone cannot hack your phone "over the air" via Wi-Fi or the internet.

That is exactly why it is dangerous in combination: a harmless-looking app that normally runs in a restricted sandbox can use Bad Epoll to break out and gain root. And root means access to everything — passwords, messages, banking apps, camera and microphone. Researchers say the proof-of-concept succeeds in roughly 99% of attempts on vulnerable systems, though a working Android exploit is still in development.

Why a human found the bug the AI missed

There is a notable twist. Bad Epoll sits in the same stretch of kernel code where Anthropic's Mythos AI model earlier found a similar flaw (CVE-2026-43074). The AI caught the neighboring bug but missed this one; a human found it later by hand. It neatly illustrates both the promise and the current limits of automated vulnerability research: AI speeds up code audits but does not yet replace experts.

What it means for your data

There are no confirmed real-world attacks yet — only a proof-of-concept is available. But publishing demo code usually accelerates working exploits, so the "update before it is too late" window is limited. The highest risk is for people who install apps from unofficial sources: such an app is exactly the foothold an attack launches from.

The lesson is the same as in other recent incidents: the threat increasingly starts not on the service side but on your device. We covered the same logic in our report on a botnet of hijacked home devices.

How to protect yourself

Update your system and apps. The patch is already upstream in the kernel, and phone makers ship it in security updates. There is no practical workaround without patching — epoll is too deeply built into the system. Install Android and app updates as soon as they arrive.

Install apps only from official stores. Since the attack starts with foreign code on the device, avoiding shady APKs and "cracked" apps closes the most common entry point.

Review app permissions. The less redundant software with broad rights you keep, the lower the chance one of them becomes that foothold.

Cover the network half of privacy. To be honest: a VPN will not fix a kernel vulnerability or replace an update — these are different layers of defense. But a VPN — such as LiMP VPN — encrypts your traffic on untrusted networks and hides your real IP, reducing tracking and the chance that a malicious app or link reaches you at all. See how we do it on the features page.

Sources

This report is based on coverage by Security Affairs, The Hacker News and Anti-Malware.ru from July 2026.

Bad Epoll: Linux Kernel Flaw Gives Root on Android | LiMP VPN