Bad Epoll CVE-2026-46242: Linux root escalation hits servers, desktops, and Android with a 99 percent reliable public exploit and no workaround  ·  FortiBleed confirmed as a ransomware pipeline: one operator logged into both INC Ransom and Lynx panels using FortiBleed infrastructure  ·  Citrix patches six NetScaler flaws including HTTP/2 Bomb denial of service and high-severity memory disclosure  ·  CYBERSIP.NET  ·  ISSUE 79
CYBERSIPTM
Daily Cyber Brief  ·  Intelligence Without the Noise
Issue No. 79July 6, 2026cybersip.net
Issue No. 79  ·  July 6, 2026  ·  3 items from the past 48 hours  ·  Under 5 min read
Weekend picture
A PhD student at Seoul National University published a working exploit over the holiday weekend for Bad Epoll, a Linux kernel use-after-free race condition in the epoll subsystem that gives any unprivileged local user root on servers, desktops, and Android devices running kernel 6.4 or later. The exploit succeeds roughly 99 percent of the time, is fully public, and there is no configuration-based workaround because epoll cannot be disabled. A patch has been in the mainline kernel since April, but it sat unannounced for 70 days before this disclosure, and many distributions have not yet shipped backports. SOCRadar closed the loop on FortiBleed over the weekend, confirming for the first time that the credential-harvesting operation directly feeds ransomware attacks: an operator tied to FortiBleed infrastructure was found simultaneously logged into the negotiation panels of both INC Ransom and Lynx, with at least 12 confirmed ransomware deployments already traced to FortiBleed access and hundreds of endpoints encrypted. Citrix published patches for six NetScaler ADC and Gateway vulnerabilities including an HTTP/2 Bomb denial-of-service flaw and a high-severity CitrixBleed-style memory disclosure that lets unauthenticated attackers retrieve fragments of memory from active sessions.
Weekend snapshot
3 items this issue
Bad Epoll CVE-2026-46242 / public 99% exploit / servers, desktops, Android FortiBleed / confirmed ransomware pipeline / INC Ransom / Lynx / 12 deployments Citrix NetScaler / 6 flaws patched / HTTP/2 Bomb / memory disclosure 3 items this issue
July 3–4Bad Epoll99% Exploit PublicHits Android
Bad Epoll CVE-2026-46242: any unprivileged local user can reach root on Linux servers, desktops, and Android devices running kernel 6.4 or later. Public exploit, 99 percent reliable, no workaround, patch sat unannounced for 70 days. Not yet confirmed exploited in the wild.
The bug is a use-after-free race condition in ep_remove(). The exploit chains four linked epoll file descriptors to win a six-instruction timing window and turn an eight-byte corrupted write into a root shell. Of the roughly 130 vulnerabilities exploited through Google’s kernelCTF, only about ten can root Android. Bad Epoll is one of them. Patch immediately. No configuration-based mitigation exists.
July 2–3FortiBleedINC Ransom / Lynx
FortiBleed confirmed as a direct ransomware pipeline. An operator tied to FortiBleed infrastructure was found logged into INC Ransom and Lynx negotiation panels simultaneously. At least 12 ransomware deployments confirmed. Hundreds of endpoints encrypted.
SOCRadar found the link after identifying a Windows staging server in the FortiBleed infrastructure. The server contained browser sessions with access to both groups’ victim negotiation dashboards. This is not an IAB selling access at arm’s length. One criminal enterprise is running both the credential harvesting and the ransomware extortion under different brand names.
July 3–5Citrix NetScalerPatched
Citrix patches six NetScaler ADC and Gateway vulnerabilities including an HTTP/2 Bomb denial-of-service flaw and a high-severity memory disclosure that lets unauthenticated attackers retrieve fragments of active session memory. Update immediately.
The memory disclosure flaw is described as CitrixBleed-style, referencing the CVE-2023-4966 campaign that gave attackers active session tokens. NetScaler is a frequent high-value target. Patching is the only remediation. Restrict management interface access to internal networks regardless of patch status.
Detailed intelligence
Full analysis
01 Bad Epoll Public Exploit Android
Bad Epoll CVE-2026-46242: a near-100-percent-reliable public exploit for a Linux kernel root escalation that hits servers, desktops, and Android. No workaround. Patch has been in mainline since April. Most distributions had not shipped it before the disclosure.
CVE-2026-46242 · Linux Kernel · July 3
PhD student Jaeyoung Chung at Seoul National University’s CompSec Lab submitted the finding to Google’s kernelCTF program, published a full technical writeup, and released the exploit code on July 3. The bug is a use-after-free race condition in the Linux kernel’s epoll subsystem, introduced by a single 2023 commit. No special capabilities or elevated permissions are required. The exploit succeeds roughly 99 percent of the time by chaining four linked epoll file descriptors across a six-instruction timing window.
Executive Impact
Apply kernel updates immediately to all Linux servers, desktops, and managed Android devices running kernel 6.4 or later. Distributions including Debian, Ubuntu, Red Hat, SUSE, and others are pulling in the upstream fix. The risk is highest in multi-tenant and shared-infrastructure environments: cloud VMs, Kubernetes clusters, CI/CD build runners, container hosts, and shared hosting where an unprivileged process or compromised workload can reach the host kernel. On those platforms, a single exploited container or compromised account converts directly to full host compromise with no further exploitation required. Older Android devices running kernel 6.1, including the Pixel 8, are not affected. Pixel 10 and devices running kernel 6.6 or later should apply Google security updates as soon as available.
Don’t Miss
The disclosure has an uncomfortable subplot that is worth naming precisely. A single April 2023 commit to the epoll code introduced two separate race conditions in the same 2,500-line stretch of code. The first, tracked as CVE-2026-43074, was found by Anthropic’s Claude Mythos model through its AI-assisted kernel security research program and fixed in April 2026. The second, Bad Epoll, was in the same code and missed. Mythos found the harder-to-see first bug, then a human researcher found the sibling it missed. Chung offers two likely reasons. The timing window is six instructions wide, making it hard to picture the exact collision sequence. And once the first bug is patched, Bad Epoll leaves almost no runtime trace because it rarely triggers KASAN, the kernel’s main memory-error detector. The practical upshot for anyone reasoning about AI-assisted security review: finding one vulnerability in a code region is not confirmation that the region is clean. The absence of further findings is not evidence of absence.
CyberSip Take
Bad Epoll joins Bad Binder, Bad IO_uring, and Bad Spin in a named series of Android-rooting kernel race conditions found through the kernelCTF program. The pattern is consistent: a fundamental kernel subsystem that cannot be disabled, a race window that is narrow enough to escape routine review, and a reliable exploit once someone commits to finding it. The epoll subsystem has now produced two separate exploitable race conditions from the same 2023 commit. Patch kernels now, prioritize multi-tenant and container environments, and treat kernel updates on Android device fleets with the same urgency you would apply to a remote code execution vulnerability.
How the bug works

The vulnerability is a use-after-free race condition in the ep_remove() function inside the Linux kernel’s epoll subsystem. Epoll is the event notification mechanism at the core of how Linux handles concurrent I/O, used by high-performance server software, network services, web browsers, and Android’s event loop. It cannot be disabled on any general-purpose Linux system.

The bug originates in a single April 2023 commit that reworked how epoll manages reference counts to reduce contention on a shared mutex. That commit introduced two distinct race conditions. In ep_remove(), the kernel clears a pointer field on a file object under a lock, but a concurrent __fput() call can observe a transient NULL value and skip the eventpoll_release_file() cleanup step, proceeding directly to f_op->release and freeing a struct eventpoll that is still in active use. Because struct file is SLAB_TYPESAFE_BY_RCU, the freed memory slot can be recycled by alloc_empty_file(), letting an attacker trigger a kmem_cache_free() against the wrong slab cache.

Chung’s exploit chains four linked epoll file descriptors, two pairs, where closing one pair triggers the race while the other serves as the victim object. The attack loops without crashing the kernel until the race is won, turning an eight-byte corrupted write into control over a file object. It then reads arbitrary kernel memory through /proc/self/fdinfo and builds a return-oriented programming chain to spawn a root shell. The timing window is six kernel instructions wide, but the four-descriptor chaining technique drives success to approximately 99 percent without ASLR bypass or kernel version detection. Exploitation requires no special capabilities, no user namespaces, and no configuration changes beyond the ability to run code as a logged-in local user.

The upstream fix is commit a6dc643c6931, which was merged to mainline on April 24, 2026, and sat for approximately 70 days before Chung published his writeup. Linux kernel versions 6.4 through 6.11 are confirmed affected. Kernel 6.1, used by some Android devices including the Pixel 8, introduced the epoll reference counting changes differently and is not affected.

Recommended actions
Derived from The Hacker News, CyberSec Guru, Breached.Company, and Jaeyoung Chung’s kernelCTF disclosure on CVE-2026-46242, July 3–4, 2026.
02 FortiBleed Confirmed Ransomware Pipeline
FortiBleed confirmed as a direct ransomware pipeline, not just credential trafficking. An operator with FortiBleed infrastructure access was simultaneously logged into INC Ransom and Lynx negotiation panels. At least 12 ransomware deployments confirmed from FortiBleed access.
FortiBleed · SOCRadar · July 2
SOCRadar published findings on July 2 linking FortiBleed directly to active ransomware operations after identifying a Windows staging server in the FortiBleed infrastructure that contained browser sessions logged into the negotiation dashboards of both INC Ransom and Lynx. Victim data from FortiBleed overlaps with organizations listed on the INC Ransom leak site, independently confirming the connection. At least 12 ransomware deployments have been traced directly to FortiBleed access, with hundreds of endpoints encrypted.
Executive Impact
The confirmation that FortiBleed feeds INC and Lynx ransomware deployments directly changes the risk framing for any organization that treated this as a credential exposure rather than a ransomware precursor. Any organization whose FortiGate devices were within the FortiBleed targeting scope should treat the question of whether their credentials were harvested as equivalent to asking whether they are a ransomware pre-deployment target. Remediation actions remain the same as issued across Issues 68 through 71: patch FortiGate, invalidate active sessions, rotate all credentials, audit for unauthorized accounts. The new context makes those actions more urgent, not different. SOCRadar also found evidence of a previously undisclosed Nextcloud zero-day used by the actors to expand access after initial compromise, though no CVE has been assigned and not all cases involved Nextcloud.
Don’t Miss
The specific finding that closes the attribution loop is important: SOCRadar found not only that a FortiBleed operator had access to both ransomware negotiation panels, but that INC Ransom victim lists and FortiBleed target data overlap as independent datasets. Those two findings together rule out coincidence. The operation is not a broker selling to multiple ransomware groups. It is a vertically integrated criminal enterprise running credential harvesting, access brokering, and ransomware extortion under different operational brands. INC Ransom has been active since mid-2023. Lynx emerged roughly a year later and is widely assessed as an evolved variant of INC under the same or closely affiliated operators. The SOCRadar internal tracking document suggests approximately 20 individuals with defined roles: some focused on high-impact intrusions and others on technical support. The persistence backdoor account username adminin was found on several compromised systems, providing a specific indicator to hunt for in forensic reviews.
CyberSip Take
This brief has tracked FortiBleed across Issues 68 through 75. The through-line from Issue 68 to today is now complete: default credentials on internet-facing firewalls, harvested at scale through a custom sniffer, cracked with GPU clusters, and deployed directly into ransomware attacks on the same organizations. The credential theft and the ransomware attacks are run by the same people. Remediation actions remain unchanged. The stakes are now clearly stated.
What SOCRadar found

SOCRadar published its findings on July 2, 2026, after identifying a Windows server used as a staging and coordination hub within the FortiBleed infrastructure. The server was not used for credential collection but contained target inventories, harvested data, automation scripts, and operational artifacts. Inside the server, investigators found browser session data showing an operator actively logged into the victim negotiation dashboards of both INC Ransom and Lynx, the interfaces ransomware operators use to communicate with and extort compromised organizations.

The connection was corroborated by a second independent data source: SOCRadar compared FortiBleed target and victim data from the internal infrastructure against an INC-linked open directory found separately, and identified matching organizations in both datasets. That overlap confirms the same organizations tracked in the FortiBleed credential harvesting operation later appeared as ransomware victims, without requiring the negotiation panel finding to stand alone.

SOCRadar’s extended investigation also identified over 200 additional operational servers beyond those originally associated with the campaign, bringing the total to approximately 500 servers. The team tracked scanning activity against roughly 11,250 FortiGate portals in over 150 countries, with confirmed administrator-level access on 409 targets, successful completion of the full attack chain on 354, and at least 12 confirmed ransomware deployments resulting in hundreds of encrypted endpoints. The operation has a documented internal structure of approximately 20 individuals with defined operational roles. A persistent backdoor account with the username adminin was found on several compromised systems.

Separately, eSentire reported this week observing exploitation of a Fortinet FortiClient EMS vulnerability, CVE-2026-35616 CVSS 9.1, to deploy an information stealer called EKZ Stealer against an energy sector organization, indicating that Fortinet-targeted credential harvesting extends beyond FortiBleed itself into the broader Fortinet infrastructure attack ecosystem.

Recommended actions
Derived from SecurityWeek, The Hacker News, BleepingComputer, and SOCRadar blog on FortiBleed ransomware attribution, July 2–3, 2026.
03 Citrix NetScaler Patched
Citrix patches six NetScaler ADC and Gateway vulnerabilities over the weekend, including an HTTP/2 Bomb denial-of-service flaw and a high-severity memory disclosure that lets unauthenticated attackers retrieve fragments of active session memory.
Multiple CVEs · NetScaler ADC · Gateway
Citrix published a security bulletin over the weekend patching six vulnerabilities across NetScaler ADC and NetScaler Gateway. The two most significant are an HTTP/2 Bomb denial-of-service flaw that allows an unauthenticated attacker to crash appliances by sending a specially crafted HTTP/2 request, and a high-severity memory disclosure vulnerability that allows unauthenticated attackers to retrieve fragments of in-memory content from active sessions, described by researchers as CitrixBleed-style.
Executive Impact
Apply the Citrix patches immediately on all NetScaler ADC and Gateway appliances. The memory disclosure flaw is the higher priority of the two significant vulnerabilities: in-memory session content on NetScaler includes session tokens, authentication data, and potentially credentials from active user sessions. The CitrixBleed campaign in late 2023, caused by CVE-2023-4966, demonstrated how similar session memory disclosure in NetScaler can be rapidly weaponized for session hijacking at scale. The HTTP/2 Bomb flaw is operationally disruptive but not a path to credential or data theft.
Don’t Miss
SecurityWeek noted active scanning for NetScaler appliances using public PoC code to exploit the memory disclosure vulnerability as of July 2. The transition from Citrix publishing a patch to active scanning with PoC code appears to have happened within days of the bulletin. This is consistent with the exploitation window compression documented in this brief throughout 2026: once a NetScaler memory disclosure vulnerability becomes public, attackers scan quickly. The original CitrixBleed CVE-2023-4966 in 2023 was exploited by multiple ransomware groups including LockBit and Medusa within weeks of disclosure, and was ultimately exploited across thousands of organizations. The current memory disclosure flaw is a different vulnerability with a different scope, but the category of flaw and the attacker interest in NetScaler as a target are consistent.
CyberSip Take
NetScaler sits at the authentication boundary of enterprise networks, handling remote access, SSO flows, and load balancing for business-critical applications. Active scanning for the memory disclosure flaw started within days of the patch. Patch now, and check whether the appliance was scanned or accessed before the patch was applied by reviewing NetScaler authentication logs for unexpected session activity or unusual request patterns targeting the vulnerable endpoint.
What was patched

Citrix published a security bulletin over the holiday weekend addressing six vulnerabilities in NetScaler ADC and NetScaler Gateway. The two most significant findings are a denial-of-service vulnerability exploitable via specially crafted HTTP/2 requests, described as an HTTP/2 Bomb attack that can crash the appliance, and a high-severity unauthenticated memory disclosure vulnerability that allows attackers to retrieve in-memory content from active sessions on the appliance.

The memory disclosure flaw is described in researcher coverage as CitrixBleed-style, referencing CVE-2023-4966, the critical Citrix session token leak from 2023 that was exploited by multiple ransomware and espionage groups in a wave of attacks across thousands of organizations. The 2023 flaw allowed unauthenticated retrieval of complete session tokens that could be replayed to hijack authenticated sessions without requiring credentials. The current vulnerability has not been characterized as producing complete session token replay, but the class of flaw, in-memory content disclosure from active sessions on an authentication appliance, carries the same category of risk.

SecurityWeek noted as of July 2 that hackers were already targeting NetScaler appliances using public PoC code to retrieve arbitrary memory content in the HTTP response, indicating that active scanning began almost immediately following the Citrix bulletin. All six vulnerabilities were addressed in patched builds available from Citrix Support Portal.

Recommended actions
Derived from SecurityWeek reporting on Citrix NetScaler patches, July 2–5, 2026.
Still watching
Aging items · days 2–4
Items here remain operationally relevant but have no significant new developments. They drop off after 7 days.
SharePoint CVE-2026-45659 CVSS 8.8 (Issue 78). CISA KEV, federal deadline was July 4. Actively exploited. Apply Microsoft May 2026 updates. Audit Site Member accounts and SharePoint server-side logs for unexpected process launches. Storm-2603 Warlock ransomware known to target SharePoint. Day 3
Cursor DuneSlide CVE-2026-50548 and CVE-2026-50549 (Issue 77). Both CVSS 9.8. Zero-click sandbox escape via MCP or web search. Update to Cursor 3.0 or later. Cato says similar flaws in other AI coding agents are being responsibly disclosed. Day 4
Cross-source standouts
01
Finding one bug in a code region is not confirmation that the region is clean
The epoll code contains a 2023 commit that introduced two separate race conditions in the same 2,500-line stretch. An AI model found one and missed the other. This is not a criticism of the AI model. It is an observation about the nature of vulnerability research in complex concurrent code. Chung identifies two reasons the second bug is harder to see: the timing window is narrow enough that the collision sequence is difficult to visualize even while reading the code, and once the first bug is patched, the second rarely triggers KASAN, so there is no runtime signal suggesting anything is wrong. Human security reviewers face exactly the same difficulty. Both of these properties, the invisible timing window and the absent runtime evidence, are properties that apply equally to human and automated review. The lesson is that a completed security review of a code region, by any method, cannot be treated as a guarantee. Patching one vulnerability in a subsystem should trigger a fresh audit of the surrounding code for sibling vulnerabilities, not closure.
02
FortiBleed was always a ransomware operation. Now there is proof.
From Issue 68 through Issue 75, this brief covered FortiBleed as a credential-harvesting campaign attributed to a Russian initial access broker. The IAB framing implied a two-party transaction: credentials harvested and sold, buyers using them independently. SOCRadar’s July 2 findings close that gap. The operation is vertically integrated. The same infrastructure that harvested 110 million credentials also ran the ransomware negotiations. INC Ransom and Lynx are not downstream buyers. They are the same people operating different branded extortion frameworks. That reframes the risk for every organization in FortiBleed scope from the beginning. Exposure to FortiBleed was not exposure to a credential broker. It was exposure to a ransomware operation running a long, patient credential pipeline before engaging targets. At least 354 organizations completed the full attack chain. At least 12 received ransomware. The question for organizations that have not yet confirmed their FortiBleed exposure status is no longer hypothetical.
Our methodology
  • Federal cybersecurity advisories
  • Law enforcement threat bulletins
  • National vulnerability databases
  • Major vendor security advisories
  • Cross-referenced for relevance and corroboration
About CyberSip
A cyber brief for leaders and practitioners who need signal, not noise. Intelligence without the noise, published on cybersip.net.

CyberSip aggregates cybersecurity information from publicly available sources for informational purposes only. CyberSip does not provide legal, technical, incident response, or compliance advice, and makes no guarantee regarding completeness, accuracy, or timeliness. Organizations should validate all findings within their own environments and consult qualified professionals as appropriate. Original advisories, remediation guidance, and technical details remain with the referenced source organizations. Items remain active for no more than 7 days from publication unless materially updated.