Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: linux-kernel (2 articles)Clear

Bad Epoll Linux kernel flaw lets any local user gain root, including on Android

A newly disclosed Linux kernel vulnerability called Bad Epoll lets an ordinary user with no special privileges take full control of a machine as root, and it affects Linux desktops, servers, and Android. Tracked as CVE-2026-46242, the flaw is a use-after-free in epoll, a core Linux feature for watching many files or connections at once that programs and browsers rely on and cannot simply turn off. Two parts of the kernel try to free the same object at once, letting an attacker corrupt kernel memory and climb to root. It is a race-condition bug, harder to exploit than recent deterministic Linux flaws, but a working exploit exists and a fix is available.

Check
Identify Linux servers, workstations, and Android devices in your environment and check their kernel versions against the Bad Epoll fix, prioritizing multi-user systems and anything where untrusted users can run code.
Affected
Linux desktops, servers, and Android devices on kernels without the Bad Epoll fix (CVE-2026-46242); any local user, or code already running with low privileges, can exploit the flaw to gain root.
Fix
Apply the kernel updates that fix Bad Epoll as they reach your distributions and Android devices; there is no workaround, since epoll cannot be disabled, so patching is the only real mitigation.

Brand-new Linux 'Dirty Frag' bug lets any local user become root on every major distribution - PoC exploit is public, no patches yet

Researcher Hyunwoo Kim disclosed Dirty Frag yesterday after an unrelated third party broke the embargo five days early. The flaw chains two Linux kernel page-cache write bugs (xfrm-ESP and RxRPC) to give any local user root access on every major distribution - Ubuntu, RHEL, CentOS Stream, AlmaLinux, openSUSE Tumbleweed, Fedora. Like Dirty Pipe and last week's Copy Fail, it's a deterministic logic bug with no race condition required and no kernel panic on failure. PoC is public on GitHub. The ESP variant patch was merged into the netdev tree on May 7 but distribution kernels remain unpatched. No CVE assigned yet because the embargo broke early.

Check
Inventory Linux servers, container hosts, CI runners, and Kubernetes nodes that allow shell access or run untrusted code. Check whether esp4, esp6, and rxrpc kernel modules are loaded with 'lsmod | grep -E "esp4|esp6|rxrpc"'.
Affected
Every Linux distribution with kernel 4.10+ (ESP variant) and 5.x+ (RxRPC variant). All major distros confirmed: Ubuntu, RHEL, CentOS Stream, AlmaLinux, openSUSE Tumbleweed, Fedora. Acute risk: shared-kernel multi-tenant environments (Kubernetes nodes, container hosts), CI/CD runners executing untrusted PR code. Firecracker microVMs and gVisor are not affected.
Fix
Blacklist vulnerable modules: 'sh -c "printf \'install esp4 /bin/false\\ninstall esp6 /bin/false\\ninstall rxrpc /bin/false\\n\' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"'. This breaks IPsec VPNs and AFS filesystems but stops the exploit. Apply distribution kernel patches as soon as they ship - AlmaLinux has early test patches. Treat container boundaries as broken until patched.