Researchers disclosed two separate Linux kernel privilege-escalation flaws that can give local attackers root access across a wide range of systems, including servers, desktops, and Android devices. The first, CVE-2026-46242, dubbed Bad Epoll, is a use-after-free race in the kernel's epoll subsystem. It was reportedly exploited through Google's kernelCTF program and shown to be broadly reachable because epoll is a core component that cannot be disabled. The flaw was introduced by a 2023 kernel change; reporting said an initial patch attempt was insufficient and a correct fix was merged weeks later, leaving defenders dependent on upstream fixes and vendor backports.
A second flaw, CVE-2026-43456, affects the kernel's net/bonding subsystem and stems from a type-confusion condition dating back to 2007. Researchers said the bug can be exploited with high reliability for local root by abusing incompatible header_ops handling in bonded network devices, enabling controlled memory corruption and eventual code execution. The issue reportedly affects Linux versions 2.6.24 through 6.12.77 and requires CAP_NET_ADMIN privileges; mitigations include applying the March 2026 patch, or temporarily disabling unprivileged user namespaces or the bonding module where feasible.

Timeline of six events, from the most recent confirmed update back to the earliest known activity:
The Linux kernel flaw CVE-2026-43456 was patched in March 2026. The issue affected versions 2.6.24 through 6.12.77 and could be mitigated by updating the kernel or temporarily disabling unprivileged user namespaces or the bonding module.
A type-confusion flaw later tracked as CVE-2026-43456 was introduced in 2007 in the Linux kernel's net/bonding subsystem, creating a long-lived local privilege-escalation condition.
A newly disclosed Linux kernel vulnerability dubbed Bad Epoll, tracked as CVE-2026-46242, was reported as enabling unprivileged local users to gain root on Linux servers, desktops, and Android devices via the epoll subsystem.
After an initial patch attempt failed, the correct upstream fix for CVE-2026-46242 was merged nearly two months after disclosure. Defenders were advised to apply the upstream fix or wait for vendor backports because no practical workaround exists.
Researcher Jaeyoung Chung discovered and exploited CVE-2026-46242 through Google's kernelCTF program, demonstrating root privilege escalation from an unprivileged local context on Linux and Android.
A 2023 Linux kernel commit introduced the use-after-free race condition later dubbed Bad Epoll and tracked as CVE-2026-46242. The same commit also created another race condition, CVE-2026-43074.
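As an added defender-side example (not from the story or the original reporting), a POSIX shell check that applies the facts stated above for CVE-2026-43456: the stated affected range 2.6.24 through 6.12.77, the CAP_NET_ADMIN requirement, which an unprivileged user would normally satisfy inside a user namespace, and the two stated workarounds. The two sysctl knobs and the /sys path are standard Linux interfaces; the verdict labels are this example's own.

```sh
#!/bin/sh
# Added example, not from the story: exposure check for CVE-2026-43456
# (net/bonding type confusion). Facts used are the ones stated above:
# affected kernels 2.6.24 through 6.12.77, CAP_NET_ADMIN required (which an
# unprivileged user normally gets inside a user namespace), workarounds of
# patching, disabling unprivileged user namespaces, or unloading bonding.

# "a.b.c-anything" -> a*1000000 + b*1000 + c, so versions compare as integers.
kver_to_int() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    oldifs=$IFS; IFS=.; set -- $v; IFS=$oldifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Exit 0 when the version falls inside the range the story gives.
kernel_in_affected_range() {
    n=$(kver_to_int "$1")
    [ "$n" -ge "$(kver_to_int 2.6.24)" ] && [ "$n" -le "$(kver_to_int 6.12.77)" ]
}

# Args: kernel version, unprivileged userns usable (1/0), bonding present (1/0).
# Prints a verdict; a caller that already holds CAP_NET_ADMIN is out of scope.
assess_bonding_exposure() {
    if ! kernel_in_affected_range "$1"; then echo "OUTSIDE-STATED-RANGE"; return 0; fi
    if [ "$3" -eq 0 ]; then echo "MITIGATED (bonding module not loaded)"; return 0; fi
    if [ "$2" -eq 0 ]; then echo "MITIGATED (unprivileged user namespaces disabled)"; return 0; fi
    echo "EXPOSED"
}

# Probe the running host. Both knobs are real Linux sysctls: the upstream
# user.max_user_namespaces (0 disables user namespaces for everyone) and the
# Debian/Ubuntu kernel.unprivileged_userns_clone (0 blocks unprivileged use).
check_running_host() {
    userns=1   # assume available unless a knob says otherwise
    if [ -r /proc/sys/user/max_user_namespaces ] &&
       [ "$(cat /proc/sys/user/max_user_namespaces)" -eq 0 ]; then userns=0; fi
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ] &&
       [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" -eq 0 ]; then userns=0; fi
    bonding=0
    # bonding_masters exists only while the bonding driver is loaded or built in
    [ -e /sys/class/net/bonding_masters ] && bonding=1
    kv=$(uname -r)
    printf '%s: %s\n' "$kv" "$(assess_bonding_exposure "$kv" "$userns" "$bonding")"
}

if [ "${1:-}" = "--live" ]; then check_running_host; fi
```

Run with `--live` on a host to print its verdict; without arguments the functions are only defined, so the file can be sourced from other tooling.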