Bad Epoll Linux Flaw Reaches Android Without A Public Patch Timetable

Newsroom brief

A newly disclosed Linux kernel flaw tracked as CVE-2026-46242 can let an unprivileged local user gain root access on Linux systems and may be reachable from Android or Chrome sandbox contexts, but public material did not give a distribution-by-distribution patch timetable.

Verified against source material. Edited by SendTech Times Cybersecurity Desk.
Image source: The Hacker News

CVE-2026-46242 Gives Local Users A Root Path

A newly disclosed Linux kernel vulnerability called Bad Epoll gives an ordinary local user a path to root privileges on affected Linux systems, according to public technical details in the disclosure.

The disclosure tracks the flaw as CVE-2026-46242 and says it affects Linux desktops, servers and Android.

It also says a fix is available, but the public write-up does not provide a distribution-by-distribution patch timetable.

The bug sits in epoll, a standard Linux mechanism used by programs that need to watch many files or network connections at the same time.

Servers, network services and browsers rely on epoll, which means administrators cannot treat the feature as an optional component that can simply be disabled.

Researcher Reports A 99% Exploit Rate On Tested Systems

The public account names security researcher Jaeyoung Chung as the person who found Bad Epoll and built a working exploit.

Chung described the bug as a use-after-free condition in which two cleanup paths handle the same internal kernel object at the same time.

The disclosure says one path can free memory while another path is still writing to it.

That collision can corrupt kernel memory and allow an attacker who already has ordinary user access to climb to root.

Chung reported that the timing window is narrow, at about six machine instructions, but said the exploit widens the race condition and retries safely.

The public account says the exploit reached root about 99% of the time on tested systems.

Chrome Sandbox And Android Claims Raise Exposure

The Chrome and Android claims make the disclosure broader than a conventional local Linux privilege-escalation report.

The public account says Chung reported that the flaw can be triggered from inside Chrome's renderer sandbox, a boundary intended to block many other kernel attacks.

The same account says the vulnerability can reach Android, which is notable because many Linux privilege bugs do not translate directly to Android devices.

The public details do not name affected Android device makers, handset models or carrier patch schedules.

The disclosure also says Bad Epoll appears in the same small area of kernel code where Anthropic's Mythos model recently found a different bug.

That detail does not make the vulnerability an AI-generated discovery.

The public account says Chung found this flaw and that Mythos missed it.

Kernel Fix Exists, But Rollout Details Are Unnamed

The disclosure says Chung submitted the flaw as a zero-day to Google's kernelCTF programme and that Linux maintainers merged a fix.

It also says Google accepted the report as valid and tracked the issue through Android's vulnerability rewards process.

Enterprise Linux teams face patch exposure rather than a new network-facing attack path.

Bad Epoll requires a way to run code locally or inside a relevant sandboxed context, but root access would allow a successful attacker to bypass normal user-level limits.

The public material did not disclose affected distribution versions, named Android vendors, device-level patch dates, observed exploitation, or a complete rollout timetable for Linux and Android fixes.
