New “Bad Epoll” Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android

A newly disclosed Linux kernel flaw called Bad Epoll (CVE-2026-46242) lets an ordinary user with no special access take full control of a machine as root. It affects Linux desktops, servers, and Android, and a fix is out.

Bad Epoll sits in the same small stretch of kernel code where Anthropic’s most powerful AI model, Mythos, recently found a different bug.

The AI caught one flaw and missed this one. A researcher, Jaeyoung Chung, found it and built a working attack.

How the Bug Works

Epoll is a standard Linux feature that lets a program watch many files or network connections at once. Servers, network services, and web browsers all lean on it. You cannot simply switch it off.
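To make that concrete, here is an added example (not code from the article) that uses the epoll interface from user space through Python's `select.epoll`: two pipes are registered with one epoll instance, data is written to one of them, and epoll reports which descriptor became readable. It assumes a Linux host, since `select.epoll` exists only there; the pipes are constructed in the example itself, so nothing is read from a real socket.

```python
import os
import select

# Added example, not code from the article. Linux only: select.epoll wraps
# epoll_create1/epoll_ctl/epoll_wait. The two pipes below are constructed
# sample input standing in for the sockets a server would watch.

def wait_for_readable(ep, timeout=0.1):
    """Return the set of fds epoll reports as readable within `timeout` seconds."""
    return {fd for fd, events in ep.poll(timeout) if events & select.EPOLLIN}

def demo():
    """Register two pipe read-ends, write to one, and return what epoll flagged.

    Returns (idle, second_ready, first_ready): the fds reported before any
    write (expected: none), and whether each pipe was reported after writing
    to the second pipe only.
    """
    r1, w1 = os.pipe()
    r2, w2 = os.pipe()
    ep = select.epoll()
    try:
        ep.register(r1, select.EPOLLIN)   # epoll_ctl(EPOLL_CTL_ADD)
        ep.register(r2, select.EPOLLIN)
        idle = wait_for_readable(ep)      # nothing written yet: empty after timeout
        os.write(w2, b"ping")
        ready = wait_for_readable(ep)     # only r2 should be reported
        # Unregistering is the ordinary EPOLL_CTL_DEL path. The kernel-side
        # cleanup of these registrations is where the article's bug lives;
        # user code cannot opt out of that machinery, only patch the kernel.
        ep.unregister(r1)
        ep.unregister(r2)
        return idle, (r2 in ready), (r1 in ready)
    finally:
        ep.close()
        for fd in (r1, w1, r2, w2):
            os.close(fd)

if __name__ == "__main__":
    idle, second_ready, first_ready = demo()
    print(f"before write: {sorted(idle)}; second pipe ready: {second_ready}; first pipe ready: {first_ready}")
```

The same three calls (create, add or delete an interest, wait) are what every epoll-based server issues in a loop, which is why the article says the feature cannot simply be switched off.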

Bad Epoll is a “use-after-free” bug. Two parts of the kernel try to clean up the same internal object at the same time. One frees the memory while the other is still writing into it. That brief collision lets an attacker corrupt kernel memory, then climb from a normal account up to root.

The catch is timing. The window where the two paths collide is only about six machine instructions wide, so a random attempt almost never lands in it. Chung’s exploit widens that window and retries without crashing, reaching root about 99% of the time on tested systems.

Two things make it more dangerous: by his account, it can be triggered from inside Chrome’s renderer sandbox, which blocks almost every other kernel bug, and it can reach Android, which most Linux privilege bugs cannot.

Chung submitted the flaw as a zero-day to Google’s kernelCTF program, and full technical details are in his public writeup. There is no sign it has been used in real attacks: as of this writing, it is not on CISA’s Known Exploited Vulnerabilities list, and the only working code is that kernelCTF proof of concept. An Android version of the exploit is still in progress.

Both bugs trace back to a single 2023 change to the epoll code. Chung says Mythos found the first of the two, now tracked as CVE-2026-43074, with a fix landing earlier in 2026.

Anthropic has separately said Mythos found Linux kernel privilege-escalation bugs, though it has not publicly linked that work to Bad Epoll. Finding the first one was a real result, because race-condition bugs are notoriously hard to spot.

So why did the same AI miss the sibling flaw? Chung offers two likely reasons and is careful to say no one can be sure.

  • First, the timing window is tiny, so the exact sequence of events is hard to picture even while staring at the code.
  • Second, there is little evidence at runtime.

Once the first bug is patched, Bad Epoll’s memory error usually does not trip KASAN, the kernel’s main bug detector, so nothing flags that something is wrong.

Epoll cannot be turned off, so there is no workaround. Apply upstream commit a6dc643c6931, or install your distribution’s backport when it lands. Kernels built on 6.4 or newer are affected unless they already have the fix.

Older 6.1-based kernels, including some Android phones such as the Pixel 8, are not, because the bug arrived in 6.4.
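As an added example (not from the article or its author), the following triage helper turns the version rule above into a check over `uname -r` style release strings: anything 6.4 or newer is flagged for follow-up, anything older is out of range. A release string cannot show whether upstream commit a6dc643c6931 or a distribution backport has been applied, so the helper deliberately reports "check for fix" rather than "vulnerable"; the sample release strings are constructed for the example.

```python
import re

# Added example, not from the article. Flags kernels whose release string falls
# in the affected range (6.4 or newer). A version number cannot reveal whether
# upstream commit a6dc643c6931 or a distro backport is present, so a positive
# result means "confirm the fix is applied", not "confirmed vulnerable".

FIRST_AFFECTED = (6, 4)   # the epoll change the article traces both bugs to

def parse_kernel_release(release):
    """Extract (major, minor, patch) from a `uname -r` style string.

    Handles distro suffixes such as "6.1.75-android14-11" or "6.12.1-arch1-1";
    a missing patch level is treated as 0.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def in_affected_range(release):
    """True if the kernel is 6.4 or newer, i.e. it carries the epoll change."""
    major, minor, _ = parse_kernel_release(release)
    return (major, minor) >= FIRST_AFFECTED

def triage(releases):
    """Map each release string to a verdict suitable for a fleet report."""
    return {
        rel: ("check for fix" if in_affected_range(rel) else "not affected")
        for rel in releases
    }

if __name__ == "__main__":
    # Constructed sample inventory: a generic LTS kernel, an Android 6.1 kernel,
    # the first affected base, and a recent rolling-release kernel.
    samples = ["5.15.0-91-generic", "6.1.75-android14-11", "6.4.0", "6.12.1-arch1-1"]
    for rel, verdict in triage(samples).items():
        print(f"{rel:24} {verdict}")
```

Run it over the output of `uname -r` collected from each host; every "check for fix" entry then needs a package-level or changelog check for the backport, which this script does not attempt.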

A Bad Year for the Linux Kernel

Bad Epoll joins a well-known family of kernel bugs used to root Android, following earlier entries called Bad Binder, Bad IO_uring, and Bad Spin.

It also lands in a busy stretch for Linux privilege flaws, though most of the recent ones work differently. Copy Fail (CVE-2026-31431) landed in April and is now on CISA’s Known Exploited Vulnerabilities list. The Dirty Frag chain, along with Fragnesia, DirtyClone, and pedit COW, came after it.

Both are deterministic page-cache-write bugs, like Dirty Pipe (2022), with no race to win, which makes them far more reliable to run. Bad Epoll is the older, harder kind: a race you have to win, like Dirty Cow (2016).

A public proof-of-concept has also appeared for CVE-2026-31694, a separate flaw in the kernel’s FUSE filesystem code, found by the AI-driven research firm Bynario. A local user with FUSE access can feed the kernel a malicious filesystem and corrupt memory.

Depending on the setup, that can mean root access, data leaks, or a crash. Because that access is common in containers and user namespaces, it lands more as a server and container risk than a phone one.

Bynario is not the only one. Mythos also found and exploited a 17-year-old remote code execution bug in FreeBSD’s NFS server (CVE-2026-4747), and Anthropic researchers have used its models to surface other kernel flaws.

Bad Epoll is a useful counterpoint. It shows that race conditions are hard at every stage: hard to find, even for a leading AI; hard to fix, since the first patch fell short and a correct one took about two months; and hard to exploit, through a window only six instructions wide. For now, the bug an AI walks past is still the one a person has to catch.

The post "New 'Bad Epoll' Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android" appeared first on The Hacker News.

Source: The Hacker News