• Category: Security
  • Status: confirmed
  • Sources: PoC and write-up, fix commit
  • Summary: A published proof of concept documents CVE-2026-46242, a race-condition use-after-free in the Linux kernel epoll subsystem that yields local privilege escalation to root. The write-up dates the flaw to a v6.4 change (commit 58c9b016e128, April 2023) and the fix to commit a6dc643c6931 merged for v6.6 and later in April 2026, after a report on 2026-02-17. The author states the exploit reaches about 99 percent reliability through timing and retry loops and can be triggered from within Chrome's renderer sandbox, opening a kernel code-execution path.
  • Why it matters: Any kernel from v6.4 without the backport is exposed on desktops, servers, and Android, and the browser-sandbox trigger makes it a plausible second stage after a renderer compromise.
  • Follow-up: Watch for distribution kernels confirming the backport and for a weaponized exploit beyond the published proof of concept.

Send feedback on this story