The vulnerability is a use-after-free race condition in the ep_remove() function inside the Linux kernel’s epoll subsystem. Epoll is the event notification mechanism at the core of how Linux handles concurrent I/O, used by high-performance server software, network services, web browsers, and Android’s event loop. It cannot be disabled on any general-purpose Linux system.
The bug originates in a single April 2023 commit that reworked how epoll manages reference counts to reduce contention on a shared mutex. That commit introduced two distinct race conditions. In ep_remove(), the kernel clears a pointer field on a file object under a lock, but a concurrent __fput() call can observe a transient NULL value and skip the eventpoll_release_file() cleanup step, proceeding directly to f_op->release and freeing a struct eventpoll that is still in active use. Because struct file is SLAB_TYPESAFE_BY_RCU, the freed memory slot can be recycled by alloc_empty_file(), letting an attacker trigger a kmem_cache_free() against the wrong slab cache.
Chung’s exploit chains four linked epoll file descriptors, two pairs, where closing one pair triggers the race while the other serves as the victim object. The attack loops without crashing the kernel until the race is won, turning an eight-byte corrupted write into control over a file object. It then reads arbitrary kernel memory through /proc/self/fdinfo and builds a return-oriented programming chain to spawn a root shell. The timing window is six kernel instructions wide, but the four-descriptor chaining technique drives success to approximately 99 percent without ASLR bypass or kernel version detection. Exploitation requires no special capabilities, no user namespaces, and no configuration changes beyond the ability to run code as a logged-in local user.
The upstream fix is commit a6dc643c6931, which was merged to mainline on April 24, 2026, and sat for approximately 70 days before Chung published his writeup. Linux kernel versions 6.4 through 6.11 are confirmed affected. Kernel 6.1, used by some Android devices including the Pixel 8, introduced the epoll reference counting changes differently and is not affected.
- Apply kernel security updates from your Linux distribution as soon as they are available. Look for builds containing upstream commit a6dc643c6931 or a CVE-2026-46242 fix in the distribution changelog. Reboot after updating, or use live patching where available.
- Prioritize multi-tenant and shared-kernel environments first: cloud VMs, Kubernetes clusters, container hosts, and CI/CD runners where an unprivileged process can reach the host kernel.
- For Android device fleets, apply Google and OEM security updates as they become available. Pixel 10 and devices running kernel 6.6 or later are in scope. Pixel 8 devices on kernel 6.1 are not affected.
- Enable and monitor auditd or SIEM rules for unexpected privilege escalation indicators: processes rapidly changing effective UIDs, unexpected root process spawning from low-privileged parents, or unusual /proc access patterns.
SOCRadar published its findings on July 2, 2026, after identifying a Windows server used as a staging and coordination hub within the FortiBleed infrastructure. The server was not used for credential collection but contained target inventories, harvested data, automation scripts, and operational artifacts. Inside the server, investigators found browser session data showing an operator actively logged into the victim negotiation dashboards of both INC Ransom and Lynx, the interfaces ransomware operators use to communicate with and extort compromised organizations.
The connection was corroborated by a second independent data source: SOCRadar compared FortiBleed target and victim data from the internal infrastructure against an INC-linked open directory found separately, and identified matching organizations in both datasets. That overlap confirms the same organizations tracked in the FortiBleed credential harvesting operation later appeared as ransomware victims, without requiring the negotiation panel finding to stand alone.
SOCRadar’s extended investigation also identified over 200 additional operational servers beyond those originally associated with the campaign, bringing the total to approximately 500 servers. The team tracked scanning activity against roughly 11,250 FortiGate portals in over 150 countries, with confirmed administrator-level access on 409 targets, successful completion of the full attack chain on 354, and at least 12 confirmed ransomware deployments resulting in hundreds of encrypted endpoints. The operation has a documented internal structure of approximately 20 individuals with defined operational roles. A persistent backdoor account with the username adminin was found on several compromised systems.
Separately, eSentire reported this week observing exploitation of a Fortinet FortiClient EMS vulnerability, CVE-2026-35616 CVSS 9.1, to deploy an information stealer called EKZ Stealer against an energy sector organization, indicating that Fortinet-targeted credential harvesting extends beyond FortiBleed itself into the broader Fortinet infrastructure attack ecosystem.
- Treat any organization whose FortiGate devices were within FortiBleed scope as a potential ransomware pre-deployment target, not only a credential exposure. Complete the remediation actions from Issues 68 through 71: patch FortiGate firmware, invalidate all active sessions, rotate all credentials including VPN user credentials, and audit for unauthorized accounts including the adminin backdoor account username.
- Hunt for the adminin persistence backdoor account in Active Directory and on any systems that may have been accessed via FortiBleed-harvested credentials, as this is a specific indicator SOCRadar documented across compromised systems.
- If your organization runs Fortinet FortiClient EMS, review and apply patches for CVE-2026-35616, as eSentire confirmed active exploitation of this separate Fortinet flaw in the energy sector this week.
Citrix published a security bulletin over the holiday weekend addressing six vulnerabilities in NetScaler ADC and NetScaler Gateway. The two most significant findings are a denial-of-service vulnerability exploitable via specially crafted HTTP/2 requests, described as an HTTP/2 Bomb attack that can crash the appliance, and a high-severity unauthenticated memory disclosure vulnerability that allows attackers to retrieve in-memory content from active sessions on the appliance.
The memory disclosure flaw is described in researcher coverage as CitrixBleed-style, referencing CVE-2023-4966, the critical Citrix session token leak from 2023 that was exploited by multiple ransomware and espionage groups in a wave of attacks across thousands of organizations. The 2023 flaw allowed unauthenticated retrieval of complete session tokens that could be replayed to hijack authenticated sessions without requiring credentials. The current vulnerability has not been characterized as producing complete session token replay, but the class of flaw, in-memory content disclosure from active sessions on an authentication appliance, carries the same category of risk.
SecurityWeek noted as of July 2 that hackers were already targeting NetScaler appliances using public PoC code to retrieve arbitrary memory content in the HTTP response, indicating that active scanning began almost immediately following the Citrix bulletin. All six vulnerabilities were addressed in patched builds available from Citrix Support Portal.
- Apply Citrix patches to all NetScaler ADC and Gateway appliances immediately. Specific affected builds and patched build numbers are available in the Citrix security bulletin on the Citrix Support Portal.
- Treat active scanning as confirmed and review NetScaler authentication and access logs for unusual request patterns, particularly requests to session or token endpoints from unexpected source IP addresses, which may indicate that the vulnerability was probed before the patch was applied.
- Restrict NetScaler management interface access to internal networks and trusted management IP ranges regardless of patch status, as this reduces exposure for any future NetScaler vulnerabilities that may be disclosed.