Bad Epoll: New Linux Kernel Flaw Grants Root Access, Affects Desktops, Servers, and Android
A critical new vulnerability, dubbed **Bad Epoll** (**CVE-2026-46242**), has been discovered in the Linux kernel, allowing an unprivileged local user to gain full root control over affected systems. This 'use-after-free' bug impacts Linux desktops, servers, and Android devices, highlighting the persistent challenge of race conditions, even for advanced AI bug-finding tools.

A newly disclosed Linux kernel flaw, **Bad Epoll** (**CVE-2026-46242**), enables an ordinary user without special access to seize full control of a machine as root. This vulnerability affects Linux desktops, servers, and Android, and a patch has already been released.
Intriguingly, **Bad Epoll** resides in the same section of kernel code where **Anthropic**'s powerful AI model, **Mythos**, recently identified a different bug.
While the AI caught one flaw, it missed this one. Security researcher **Jaeyoung Chung** discovered **Bad Epoll** and developed a working exploit.
## How the Bug Works
**Epoll** is a fundamental Linux feature that allows a program to monitor numerous files or network connections concurrently. Servers, network services, and web browsers heavily rely on it, making it impractical to simply disable.
**Bad Epoll** is classified as a "use-after-free" bug. It occurs when two parts of the kernel attempt to clean up the same internal object simultaneously. One path frees the memory while the other is still writing into it. This brief conflict allows an attacker to corrupt kernel memory, thereby escalating privileges from a standard user account to root.
The critical aspect is timing. The window for this collision between the two execution paths is remarkably narrow, approximately six machine instructions wide, meaning a random attempt would almost certainly fail. Chung's exploit ingeniously widens this window and facilitates retries without crashing, achieving root access in about 99% of attempts on tested systems.
Two factors amplify its danger: according to Chung, it can be triggered from within **Chrome**'s renderer sandbox, which typically thwarts most other kernel bugs, and it can affect Android, a platform largely resilient to many Linux privilege escalation vulnerabilities.
Chung submitted the flaw as a zero-day to **Google**'s **kernelCTF** program, and comprehensive technical details are available in his [public writeup](https://github.com/J-jaeyoung/bad-epoll). As of this writing, there is no indication of its use in real-world attacks; it is not listed on **CISA**'s Known Exploited Vulnerabilities list, and the only active code is the **kernelCTF** proof of concept. An Android version of the exploit is currently under development.
Both vulnerabilities stem from a single change to the **epoll** code introduced in 2023. Chung notes that **Mythos** identified the first of these two, now tracked as **CVE-2026-43074**, which received a fix earlier in 2026.
**Anthropic** has previously stated that **Mythos** [found Linux kernel privilege-escalation bugs](https://red.anthropic.com/2026/mythos-preview/), though it has not publicly linked that work directly to **Bad Epoll**. The initial discovery was a significant achievement, given the notorious difficulty of detecting race-condition bugs.

So, why did the same AI miss this sibling flaw? Chung offers two plausible, though not definitive, reasons:
* First, the timing window is exceedingly small, making the precise sequence of events challenging to visualize even with direct code inspection.
* Second, there is minimal runtime evidence. Once the first bug is patched, **Bad Epoll**'s memory error typically does not trigger **KASAN**, the kernel's primary bug detector, meaning no alerts signal a problem.

Since **Epoll** cannot be disabled, there is no practical workaround. Users should apply [upstream commit a6dc643c6931](https://git.kernel.org/stable/c/a6dc643c69311677c574a0f17a3f4d66a5f3744b) or install their distribution's backported fix as soon as it becomes available. Kernels built on version 6.4 or newer are affected unless they already incorporate the patch.
Older 6.1-based kernels, including those in some Android devices like the **Pixel 8**, are not susceptible, as the bug was introduced in version 6.4.
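
A first-pass triage of kernel release strings against the version range given above, as an added example that is not from the article or from Chung's writeup. The function name, status labels, and sample inventory are constructed for illustration; a release string alone cannot show whether a distribution backported the fix, so 6.4 and newer is reported only as needing that check.

```sh
#!/bin/sh
# Added example (not from the article): classify kernel release strings
# against the range the article gives for Bad Epoll (CVE-2026-46242).
#   before 6.4   -> not-affected  (bug introduced in 6.4; 6.1 is not susceptible)
#   6.4 or newer -> check-fix     (affected unless the fix is included)
# A release string cannot prove a backport, so check-fix means "confirm the
# distribution ships upstream commit a6dc643c6931", not "vulnerable".

bad_epoll_triage() {
    bet_release=$1
    bet_major=${bet_release%%.*}       # text before the first dot
    bet_rest=${bet_release#*.}         # text after the first dot
    if [ "$bet_rest" = "$bet_release" ]; then   # no dot at all
        echo unknown; return 0
    fi
    bet_minor=${bet_rest%%[!0-9]*}     # leading digits of the remainder
    case $bet_major in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ -z "$bet_minor" ]; then
        echo unknown; return 0
    fi
    if [ "$bet_major" -gt 6 ] ||
       { [ "$bet_major" -eq 6 ] && [ "$bet_minor" -ge 4 ]; }; then
        echo check-fix
    else
        echo not-affected
    fi
}

# Constructed sample inventory (hostnames and release strings are made up).
while read -r host release; do
    printf '%-10s %-28s %s\n' "$host" "$release" "$(bad_epoll_triage "$release")"
done <<'EOF'
web-01 6.8.0-45-generic
db-02 5.15.0-101-generic
phone-a 6.1.75-android14-11-gabc123
build-03 6.10.3
edge-04 custom-build
EOF
```

On a live host, `bad_epoll_triage "$(uname -r)"` gives the same classification for the running kernel.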
## A Challenging Year for the Linux Kernel
**Bad Epoll** joins a familiar lineage of kernel bugs exploited to gain root access on Android, following predecessors like **Bad Binder**, **Bad IO_uring**, and **Bad Spin**.
Its disclosure also comes amidst a period of numerous Linux privilege escalation vulnerabilities. Many recent flaws operate differently, among them **Copy Fail** (**CVE-2026-31431**), which emerged in April and is now on **CISA**'s [Known Exploited Vulnerabilities list](https://thehackernews.com/2026/05/cisa-adds-actively-exploited-linux-root.html), and others like the **Dirty Frag** chain, **Fragnesia**, **DirtyClone**, and **pedit COW**.
These are deterministic page-cache-write bugs, akin to **Dirty Pipe** (2022), lacking a race condition, which makes them highly reliable for exploitation. **Bad Epoll**, however, represents the older, more complex type: a race condition that must be won, similar to **Dirty Cow** (2016).
A public proof-of-concept has also surfaced for **CVE-2026-31694**, a separate flaw in the kernel's **FUSE** filesystem code, identified by the AI-driven research firm **Bynario**. This vulnerability allows a local user with **FUSE** access to present a malicious filesystem to the kernel, leading to memory corruption.
Depending on the system configuration, this could result in root access, data leakage, or a system crash. Given that **FUSE** access is common in containers and user namespaces, this vulnerability poses a greater risk to servers and containerized environments than to mobile phones.
**Bynario** isn't alone in leveraging AI for vulnerability research. **Mythos** also discovered and exploited a 17-year-old remote code execution bug in **FreeBSD**'s **NFS** server (**CVE-2026-4747**), and **Anthropic** researchers have [used its models to uncover other kernel flaws](https://thehackernews.com/2026/04/anthropics-claude-mythos-finds.html).
**Bad Epoll** serves as a valuable counterpoint, illustrating the inherent difficulties of race conditions at every stage: they are hard to find, even for advanced AI; hard to fix, as the initial patch proved insufficient and a correct one took approximately two months; and hard to exploit, requiring precision within a mere six-instruction window. For now, the bugs an AI overlooks often remain for human researchers to uncover.