Patch Linux and Android ASAP for "Bad Epoll" flaw

This message is intended for U-M IT staff who are responsible for Linux systems and Android devices, and will be of interest to anyone running personal Linux or Android devices.

Summary

Patch as soon as possible for a flaw in the epoll event-notification mechanism of Linux and Android (CVE 2026-46242) that allows users root access on affected systems.

Problem

A use-after-free race condition in the kernel’s epoll event-notification mechanism allows users on Linux and Android systems to gain root privileges.

Threats

There is no evidence of in-the-wild exploitation, but public technical detail exists and a proof-of-concept is circulating, making this an urgent matter.

Affected Systems

The following Linux and Android versions are known to be affected:

  • Linux kernels based on versions 6.4 or later.
  • Android devices running kernel 6.6 or later.

For more detail on specific kernels of Linux affected, see:

Detection

This flaw is present on all Linux and Android systems. 

Action Items

Patch Linux and Android systems as soon as possible. Patching is the only mitigation for this flaw.

Technical Details

Epoll is a standard Linux feature used on servers, network services, and web browsers, as well as Android devices. Bad Epoll is a "use-after-free" bug: two parts of the kernel try to clean up the same internal object at the same time. That brief collision lets an attacker corrupt kernel memory, then escalate their privileges to root. 

How We Protect U-M

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.

Information for Users

If you are running Linux or using Android on personal devices, the best protection is to keep your software and apps up-to-date by applying available patches asap. 

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.