New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android
New 'Bad Epoll' Linux kernel flaw (CVE-2026-46242) allows unprivileged users to gain root access.
Summary
A critical Linux kernel vulnerability, dubbed 'Bad Epoll' (CVE-2026-46242), has been disclosed, enabling unprivileged users to escalate privileges to root. The flaw, a use-after-free bug, affects Linux desktops, servers, and Android devices. While a fix is available, its exploitability from within Chrome's renderer sandbox and its impact on Android make it particularly concerning.
Full text
Swati Khandelwal | Jul 03, 2026 | Linux / Android

A newly disclosed Linux kernel flaw called Bad Epoll (CVE-2026-46242) lets an ordinary user with no special access take full control of a machine as root. It affects Linux desktops, servers, and Android, and a fix is out.

Bad Epoll sits in the same small stretch of kernel code where Anthropic's most powerful AI model, Mythos, recently found a different bug. The AI caught one flaw and missed this one. A researcher, Jaeyoung Chung, found it and built a working attack.

How the Bug Works

Epoll is a standard Linux feature that lets a program watch many files or network connections at once. Servers, network services, and web browsers all lean on it. You cannot simply switch it off.

Bad Epoll is a "use-after-free" bug. Two parts of the kernel try to clean up the same internal object at the same time. One frees the memory while the other is still writing into it. That brief collision lets an attacker corrupt kernel memory, then climb from a normal account up to root.

The catch is timing. The window where the two paths collide is only about six machine instructions wide, so a random attempt almost never lands in it. Chung's exploit widens that window and retries without crashing, reaching root about 99% of the time on tested systems.

Two things make it more dangerous: by his account, it can be triggered from inside Chrome's renderer sandbox, which blocks almost every other kernel bug, and it can reach Android, which most Linux privilege bugs cannot.

Chung submitted the flaw as a zero-day to Google's kernelCTF program, and full technical details are in his public writeup. There is no sign it has been used in real attacks: as of this writing, it is not on CISA's Known Exploited Vulnerabilities list, and the only working code is that kernelCTF proof of concept. An Android version of the exploit is still in progress.
Both bugs trace back to a single 2023 change to the epoll code. Chung says Mythos found the first of the two, now tracked as CVE-2026-43074, with a fix landing earlier in 2026. Anthropic has separately said Mythos found Linux kernel privilege-escalation bugs, though it has not publicly linked that work to Bad Epoll. Finding the first one was a real result, because race-condition bugs are notoriously hard to spot.

So why did the same AI miss the sibling flaw? Chung offers two likely reasons and is careful to say no one can be sure. First, the timing window is tiny, so the exact sequence of events is hard to picture even while staring at the code. Second, there is little evidence at runtime. Once the first bug is patched, Bad Epoll's memory error usually does not trip KASAN, the kernel's main bug detector, so nothing flags that something is wrong.

Epoll cannot be turned off, so there is no workaround. Apply upstream commit a6dc643c6931, or install your distribution's backport when it lands. Kernels built on 6.4 or newer are affected unless they already have the fix. Older 6.1-based kernels, including some Android phones such as the Pixel 8, are not, because the bug arrived in 6.4.

A Bad Year for the Linux Kernel

Bad Epoll joins a well-known family of kernel bugs used to root Android, following earlier entries called Bad Binder, Bad IO_uring, and Bad Spin. It also lands in a busy stretch for Linux privilege flaws, though most of the recent ones work differently.

Copy Fail (CVE-2026-31431) landed in April and is now on CISA's Known Exploited Vulnerabilities list. The Dirty Frag chain, Fragnesia, DirtyClone, pedit COW came after it. Both are deterministic page-cache-write bugs, like Dirty Pipe (2022), with no race to win, which makes them far more reliable to run. Bad Epoll is the older, harder kind: a race you have to win, like Dirty Cow (2016).
A public proof-of-concept has also appeared for CVE-2026-31694, a separate flaw in the kernel's FUSE filesystem code, found by the AI-driven research firm Bynario. A local user with FUSE access can feed the kernel a malicious filesystem and corrupt memory. Depending on the setup, that can mean root access, data leaks, or a crash. Because that access is common in containers and user namespaces, it lands more as a server and container risk than a phone one.

Bynario is not the only one. Mythos also found and exploited a 17-year-old remote code execution bug in FreeBSD's NFS server (CVE-2026-4747), and Anthropic researchers have used its models to surface other kernel flaws.

Bad Epoll is a useful counterpoint. It shows that race conditions are hard at every stage: hard to find, even for a leading AI; hard to fix, since the first patch fell short and a correct one took about two months; and hard to exploit, through a window only six instructions wide. For now, the bug an AI walks past is still the one a person has to catch.
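The affected range and fix identifier given above (6.4 or newer, upstream commit a6dc643c6931) can be turned into a triage check for a host inventory. This is an added example, not code from the article or from Chung's writeup; the function names, the constructed sample release strings, and the expectation that a vendor changelog names the CVE or the commit are assumptions.

```shell
#!/bin/sh
# Added example: triage kernel release strings for Bad Epoll exposure.
# Assumed (not from the article): function names, sample strings, and that
# a distribution changelog mentions the CVE id or the upstream commit id.
CVE_ID="CVE-2026-46242"
FIX_COMMIT="a6dc643c6931"

# classify_release <uname -r string>
#   not-affected : older than 6.4 (the bug arrived in 6.4)
#   check-fix    : 6.4 or newer, exposed unless the fix is present
#   unknown      : release string could not be parsed
classify_release() {
    rel=$1
    major=${rel%%.*}
    rest=${rel#*.}
    [ "$rest" = "$rel" ] && { echo unknown; return; }   # no dot at all
    minor=${rest%%[!0-9]*}                              # digits before .patch or -suffix
    case $major in ''|*[!0-9]*) echo unknown; return;; esac
    [ -z "$minor" ] && { echo unknown; return; }
    # Numeric compare, so 6.10 is newer than 6.4 (a string compare gets this wrong).
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 4 ]; }; then
        echo check-fix
    else
        echo not-affected
    fi
}

# changelog_has_fix: reads a kernel package changelog on stdin and succeeds
# if it mentions the CVE id or the upstream fix commit.
changelog_has_fix() {
    grep -q -e "$CVE_ID" -e "$FIX_COMMIT"
}

# triage <release> <changelog-file>: version check plus changelog evidence.
triage() {
    state=$(classify_release "$1")
    if [ "$state" = check-fix ] && [ -r "$2" ] && changelog_has_fix < "$2"; then
        state=fix-listed
    fi
    echo "$state"
}

# Constructed sample release strings, followed by the running kernel.
for r in 6.1.75-android14-11 6.8.0-45-generic 6.10.2-arch1-1 "$(uname -r)"; do
    printf '%-28s %s\n' "$r" "$(classify_release "$r")"
done
```

A `fix-listed` result only means the changelog file names the CVE or commit; confirm against the distribution's advisory that the installed build is the one carrying the backport.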
Indicators of Compromise
- cve — CVE-2026-46242
- cve — CVE-2026-43074
- cve — CVE-2026-31431
- cve — CVE-2026-31694