New Linux Kernel Flaw ‘Bad Epoll’ Lets Unprivileged Users Get Root on Android

▼ Summary
– The Bad Epoll flaw (CVE-2026-46242) is a use-after-free bug in Linux’s epoll feature that allows an unprivileged user to gain root access, affecting desktops, servers, and Android.
– The bug has a tiny race window of about six machine instructions, but researcher Jaeyoung Chung created an exploit that achieves root 99% of the time on tested systems.
– Bad Epoll is notably dangerous because it can be triggered from within Chrome’s renderer sandbox and can also affect Android devices.
– The flaw originates from a 2023 code change and is a sibling bug to one previously found by Anthropic’s Mythos AI, which missed this second vulnerability.
– There is no workaround for the bug, and users must apply the upstream kernel commit a6dc643c6931 or their distribution’s backport to fix it.
A newly discovered vulnerability in the Linux kernel, dubbed Bad Epoll (CVE-2026-46242), allows any unprivileged user to escalate privileges to root, putting Linux desktops, servers, and Android devices at risk. A patch has already been released to address the issue.
The flaw resides in the same narrow stretch of kernel code where Anthropic’s advanced AI model, Mythos, recently identified a separate bug. While the AI successfully found one vulnerability, it missed this one. Researcher Jaeyoung Chung discovered Bad Epoll and developed a functional exploit.
Understanding the Flaw
Epoll is a fundamental Linux feature that enables programs to monitor numerous files or network connections simultaneously. It is essential for servers, network services, and web browsers, and it cannot be disabled. Bad Epoll is a use-after-free bug. Two kernel components attempt to clean up the same internal object concurrently. One frees the memory while the other is still writing to it. This brief collision allows an attacker to corrupt kernel memory and escalate from a normal user account to root.
The exploit relies on precise timing. The collision window is only about six machine instructions wide, making random attempts almost always fail. Chung’s exploit widens this window and retries without crashing, achieving root access approximately 99% of the time on tested systems.
Two factors make Bad Epoll particularly dangerous. First, it can be triggered from within Chrome’s renderer sandbox, a layer that blocks most other kernel bugs. Second, it affects Android, a target most Linux privilege escalation bugs cannot reach.
Chung submitted the flaw as a zero-day to Google’s kernelCTF program, with full technical details available in his public writeup. There is no evidence of active exploitation in the wild. It is not listed on CISA’s Known Exploited Vulnerabilities catalog, and the only working code is the kernelCTF proof of concept. An Android-specific exploit is still under development.
Both bugs trace back to a single 2023 change to the epoll code. Chung notes that Mythos found the first vulnerability, now tracked as CVE-2026-43074, with a fix released earlier in 2026. Anthropic has confirmed that Mythos discovered Linux kernel privilege-escalation bugs, though it has not explicitly linked that work to Bad Epoll. Finding the first bug was a significant achievement, as race-condition vulnerabilities are notoriously difficult to detect.
So why did the same AI miss the related flaw? Chung offers two plausible explanations, while acknowledging uncertainty. First, the timing window is extremely small, making the exact sequence of events hard to visualize even when analyzing the code. Second, there is little runtime evidence. Once the first bug is patched, Bad Epoll’s memory error typically does not trigger KASAN, the kernel’s primary bug detector, so nothing signals a problem.
Because Epoll cannot be disabled, there is no workaround. Users should apply upstream commit a6dc643c6931 or install their distribution’s backport when available. Kernels built on version 6.4 or newer are affected unless they already include the fix. Older 6.1-based kernels, including those on some Android devices like the Pixel 8, are not vulnerable because the bug was introduced in version 6.4.
A Challenging Year for the Linux Kernel
Bad Epoll joins a notorious family of kernel bugs used to root Android, following earlier flaws like Bad Binder, Bad IO_uring, and Bad Spin. It also arrives during a busy period for Linux privilege escalation vulnerabilities, though most recent ones operate differently. Copy Fail (CVE-2026-31431) landed in April and is now on CISA’s Known Exploited Vulnerabilities list. The Dirty Frag chain, Fragnesia, DirtyClone, and pedit COW followed. These are deterministic page-cache-write bugs, similar to Dirty Pipe (2022), with no race to win, making them far more reliable. Bad Epoll represents the older, more difficult type: a race that must be won, like Dirty Cow (2016).
A public proof of concept has also emerged for CVE-2026-31694, a separate flaw in the kernel’s FUSE filesystem code, discovered by the AI-driven research firm Bynario. A local user with FUSE access can feed the kernel a malicious filesystem and corrupt memory. Depending on the configuration, this could lead to root access, data leaks, or a crash. Since FUSE access is common in containers and user namespaces, this poses a greater risk to servers and containers than to phones.
Bynario is not alone in this field. Mythos also found and exploited a 17-year-old remote code execution bug in FreeBSD’s NFS server (CVE-2026-4747), and Anthropic researchers have used its models to uncover other kernel flaws.
Bad Epoll serves as a valuable counterpoint. It demonstrates that race conditions are difficult at every stage: hard to find, even for a leading AI; hard to fix, since the initial patch was incomplete and a correct one took about two months; and hard to exploit, through a window only six instructions wide. For now, the bug an AI overlooks is still the one a human must catch.
(Source: Internet)



