A newly discovered vulnerability in the Linux kernel allows any unprivileged user to obtain full root access. The flaw, known as Bad Epoll and tracked as CVE-2026-46242, affects Linux desktops, servers, and Android devices alike. A patch is already available.
The vulnerability lives in the same area of kernel code where Anthropic's Mythos AI recently identified a different bug. The AI found one issue but overlooked this one. Security researcher Jaeyoung Chung discovered it and developed a working exploit.
Understanding the Flaw
Epoll is a core Linux feature that enables programs to monitor multiple files or network connections simultaneously. It provides support for web servers, network services, and browsers. It cannot be disabled.
Bad Epoll is use after free. Two different paths inside the kernel try to release the same internal object at once. One path frees memory while the other writes into it.This collision corrupts kernel memory, allowing an attacker to escalate from an ordinary user account to root.
The challenge lies in timing. The race window is approximately six machine instructions wide. A random attempt will almost never succeed. Chung's exploit widens this window and retries without crashing, achieving a 99% success rate on tested systems.
Two factors increase the severity: the exploit can be triggered from inside Chrome's renderer sandbox, which blocks most kernel vulnerabilities, and it functions on Android, a platform where most Linux privilege flaws are ineffective.
The Discovery Story
Chung reported the flaw as a zero-day to Google's kernelCTF program. His public writeup contains full technical details. There is no evidence of in-the-wild exploitation. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog. Only the kernelCTF proof of concept currently exists. An Android-specific exploit is still under development.
Both Bad Epoll and the earlier AI-discovered flaw trace back to the same 2023 change in the epoll code. The first vulnerability, now designated CVE-2026-43074, was patched earlier this year. Mythos genuinely found a kernel privilege escalation bug, no small achievement, given the difficulty of spotting race conditions.
Why the AI Missed the Second Bug
Chung offers two plausible explanations for why the same AI failed to catch the sibling flaw.
To start with, the race window is very tight. It is not easy to understand the order of execution, even if one looks into the code. Second, the runtime data is hard to find. Once the first bug is fixed, Bad Epoll becomes invisible for KASAN, which is the main system for detecting bugs in the kernel.
Applying the Fix
There is no workaround for Bad Epoll because epoll cannot be disabled. Apply upstream commit a6dc643c6931 or install your distribution's backport when available. Kernels version 6.4 and newer are affected unless patched. Older 6.1-based kernels, including some Android devices like the Pixel 8, are not vulnerable because the bug was introduced in 6.4.
A Busy Year for Linux Kernel Vulnerabilities
Bad Epoll joins a growing list of kernel flaws that have been used to root Android devices, following Bad Binder, Bad IO_uring, and Bad Spin. The year has been particularly active for Linux privilege escalation bugs.
Copy Fail (CVE-2026-31431) appeared in April and was added to CISA's Known Exploited Vulnerabilities list. The Dirty Frag chain, Fragnesia, DirtyClone, and pedit COW followed. These are deterministic page-cache-write bugs with no race to win, making them far more reliable. Bad Epoll represents the older, more challenging variant: a race condition that must be won, reminiscent of Dirty Cow from 2016.
The FUSE Filesystem Flaw
A separate vulnerability, CVE-2026-31694, has also surfaced in the kernel's FUSE filesystem code. A local user with FUSE access can supply a malicious filesystem to corrupt kernel memory. Depending on the configuration, this can result in root access, data leaks, or system crashes. Since FUSE access is common in containers and user namespaces, this flaw poses a greater risk to servers and containerized environments than to mobile devices.
The Bigger Picture
Bad Epoll serves as a valuable counterpoint to recent advances in AI-assisted vulnerability research. It demonstrates that race conditions remain difficult at every stage: hard to discover, even for a leading AI; hard to patch, as the first fix took roughly two months; and hard to exploit, with a window only six instructions wide.
For now, the vulnerability that an AI overlooks remains one that a human researcher must catch.
The Bottom Line
Bad Epoll is a use-after-free vulnerability in the Linux kernel's epoll subsystem. It affects Linux 6.4 and newer, including Android devices. A patch is available. Apply it.
The bug an AI missed is the one a researcher found. The exploit is reliable. The race is winnable. The fix exists. Do not wait.
FAQ Section
What is Bad Epoll?
Bad Epoll (CVE-2026-46242) is a use-after-free vulnerability in the Linux kernel's epoll subsystem that allows an unprivileged local user to escalate privileges to root.
What kernel versions are affected?
The kernel versions 6.4 and later are affected unless they are patched. The previous kernel versions that use the 6.1 kernel like the Pixel 8 Android phone are not affected..
How reliable is the exploit?
The race window is approximately six machine instructions wide. The exploit widens this window and retries without crashing, achieving a 99% success rate on tested systems.
Can the exploit be triggered from a sandbox?
Yes. The exploit works from inside Chrome's renderer sandbox, which blocks most other kernel vulnerabilities.
Does this affect Android?
Yes. Most Linux privilege bugs do not work on Android, but Bad Epoll does. An Android-specific exploit is still under development.
What should I do to protect my systems?
Apply upstream commit a6dc643c6931 or install your distribution's backport. There is no workaround because epoll is essential and cannot be disabled.