A newly disclosed Linux kernel vulnerability called Bad Epoll lets an ordinary user with no special privileges take full control of a machine as root, and it affects Linux desktops, servers, and Android. Tracked as CVE-2026-46242, the flaw is a use-after-free in epoll, a core Linux feature for watching many files or connections at once that programs and browsers rely on and cannot simply turn off. Two parts of the kernel try to free the same object at once, letting an attacker corrupt kernel memory and climb to root. It is a race-condition bug, harder to exploit than recent deterministic Linux flaws, but a working exploit exists and a fix is available.
Researchers at LucidBit Labs detailed an eight-year-old use-after-free flaw in the kernel of Samsung's KNOX security framework that affected a huge range of Galaxy devices, from the Galaxy S9 to the S25, across A-series and both Exynos and Qualcomm models. The bug (CVE-2026-20971) sits in a race between two KNOX components that verify process integrity, and a malicious app could exploit it to corrupt kernel memory and potentially take full control of the device. Samsung quietly fixed it in its January 2026 security update. Exploitation requires local access and some user interaction, but a lost, borrowed, or stolen phone makes that realistic.
Team Xint Code has disclosed CVE-2026-23479, a use-after-free remote code execution flaw in Redis that sat unnoticed in every stable branch from 7.2.0 until the May 5 fixes, a window of over two years. The bug lives in unblockClientOnKey(), which keeps using a client pointer after processCommandAndResetClient() can free it. Exploitation needs an authenticated session, but Wiz's analysis finds Redis in most cloud environments, with the majority of instances running passwordless, where the default user already holds every privilege the exploit chain requires. The published exploit leaks a heap pointer via Lua, reclaims a freed client with a fake structure, and overwrites a GOT entry to repoint strcasecmp() at system(). NVD rates it 8.8.
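The passwordless default-user setup this item singles out, as an added example that is not from the article or from Redis: a check that decides whether a redis.conf leaves the default user unauthenticated with full privileges, the precondition the exploit chain needs. It assumes only the stock requirepass directive and ACL "user" lines; both sample configs are constructed.

```python
"""Added example, not code from the article or the Redis project: classify how a
redis.conf gates the default user. Assumes the stock directives requirepass and
'user <name> <acl rules...>'; both sample configs below are constructed."""

WEAK_CONF = """\
# constructed: the passwordless setup the article describes as common in the cloud
bind 0.0.0.0
port 6379
"""

HARDENED_CONF = """\
# constructed: default user switched off, clients use a scoped ACL user instead
bind 127.0.0.1
user default off
user app on >placeholder-password ~app:* +@read +@write
"""

def parse_conf(text):
    """Split redis.conf into plain directives and 'user <name> <rules...>' ACL lines."""
    directives, users = {}, {}
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "user" and len(parts) >= 2:
            users[parts[1]] = [r.lower() for r in parts[2:]]
        else:
            directives[parts[0].lower()] = parts[1:]
    return directives, users

def default_user_state(conf_text):
    """'open' = enabled, no credential, every command (what Redis ships with);
    'password' = requirepass set or a >/# token on the ACL line; 'disabled' =
    'user default off'; 'review' = ACL line with neither nopass nor a password."""
    directives, users = parse_conf(conf_text)
    rules = users.get("default")
    if rules is None:            # no ACL line for default: legacy requirepass decides
        return "password" if "requirepass" in directives else "open"
    if "off" in rules:
        return "disabled"
    if "nopass" in rules:        # nopass: AUTH with anything (or nothing) succeeds
        return "open"
    if any(r.startswith((">", "#")) for r in rules):
        return "password"
    return "review"              # confirm by hand before trusting this instance

def exploit_precondition_present(conf_text):
    """True when an unauthenticated client gets the default user's full privileges."""
    return default_user_state(conf_text) == "open"
```

Run it against each instance's config alongside applying the May 5 fix; an "open" result means the authentication requirement the advisory leans on does not exist on that host.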
Exim, the open-source mail transfer agent that ships as default on Debian and powers a large slice of internet mail, has a critical use-after-free in how it parses message bodies sent with the BDAT chunking extension over TLS. The flaw, CVE-2026-45185 (CVSS 9.8) and nicknamed Dead.Letter by discoverer XBOW, triggers when a TLS connection closes via close_notify mid-BDAT and Exim then processes one more cleartext byte. That byte gets written into already-freed memory, corrupting the heap, and XBOW turned it into an unauthenticated RCE primitive. Only Exim builds compiled with USE_GNUTLS=yes are affected; OpenSSL builds are not.