New Linux Vulnerability “Bad Epoll” (CVE-2026-46242) Risks Root Access on Desktops, Servers, and Android Devices
A newly discovered vulnerability in the Linux kernel, designated as Bad Epoll (CVE-2026-46242), presents a serious threat by enabling unauthorized users to obtain root access on systems that operate Linux desktops, servers, and Android devices. Although a patch has been released to address this flaw, its potential impact is extensive.
Understanding the Vulnerability
The Bad Epoll vulnerability is located in a crucial section of the kernel code. This flaw is reminiscent of a previous bug identified by Anthropic’s AI model, Mythos. While Mythos successfully detected one vulnerability, it failed to recognize this particular issue, which was later uncovered by researcher Jaeyoung Chung, who also created an exploit for it.
Epoll is a vital feature in Linux that allows applications to monitor multiple files or network connections at once. It is extensively used by servers, network services, and web browsers, making it a core component of the Linux ecosystem. Disabling epoll is not a viable solution, complicating mitigation strategies.
This vulnerability is classified as a “use-after-free” bug, which occurs when two components of the kernel attempt to free the same internal object simultaneously. One component releases the memory while the other continues to write to it, creating a narrow window of opportunity for an attacker to corrupt kernel memory and escalate privileges from a standard user account to root.
The timing of the exploit is crucial; the collision window is approximately six machine instructions wide. Random attempts to exploit this flaw are unlikely to succeed. However, Chung’s exploit effectively extends this window, allowing successful root access in about 99% of tested scenarios.
Implications of the Flaw
The Bad Epoll vulnerability raises significant concerns for two primary reasons. First, it can be triggered from within Chrome’s renderer sandbox, which typically offers protection against many kernel vulnerabilities. Second, it affects Android, a platform generally insulated from such privilege escalation bugs.
Chung reported the flaw as a zero-day to Google’s kernelCTF program, and detailed technical information is available in his public writeup. Currently, there is no evidence that this vulnerability has been exploited in real-world attacks, nor is it listed on CISA’s Known Exploited Vulnerabilities list. The only existing code for this exploit is a proof of concept submitted to kernelCTF, with an Android version still under development.
Both the Bad Epoll vulnerability and the earlier bug identified by Mythos trace back to a single modification in the epoll code made in 2023. Chung noted that Mythos had previously identified the first bug, now tracked as CVE-2026-43074, which received a fix earlier in 2026.
The Challenge of Detection
Chung speculated on the reasons behind the AI model’s failure to detect this sibling flaw. He pointed to two main factors: the extremely small timing window makes it challenging to visualize the sequence of events, and there is often minimal runtime evidence to indicate a problem. Once the initial bug is patched, the memory error associated with Bad Epoll typically does not trigger KASAN, the kernel’s primary bug detection system, leaving no alerts to signal an issue.
Since epoll cannot be disabled, the only recourse is to apply the upstream commit a6dc643c6931 or to install a backport from the distribution once it becomes available. Kernels based on version 6.4 or newer are vulnerable unless they have already been patched. Older kernels, particularly those based on version 6.1, including some Android devices like the Pixel 8, are not affected since the bug was introduced in version 6.4.
A Troubling Trend for Linux Security
The emergence of Bad Epoll adds to a concerning list of kernel vulnerabilities that have been exploited to gain root access on Android devices, including previously identified issues such as Bad Binder, Bad IO_uring, and Bad Spin. This vulnerability arises during a period marked by an increase in Linux privilege escalation flaws, although many of these recent vulnerabilities operate under different mechanisms.
For example, the Copy Fail vulnerability (CVE-2026-31431), identified in April, is now included in CISA’s Known Exploited Vulnerabilities list. Other vulnerabilities, such as the Dirty Frag chain, Fragnesia, DirtyClone, and pedit COW, have also emerged in recent months.
Unlike these deterministic page-cache-write bugs, which do not involve a race condition, Bad Epoll represents an older, more complex type of vulnerability that requires winning a race condition, similar to the infamous Dirty Cow exploit from 2016.
Additionally, a public proof-of-concept has emerged for CVE-2026-31694, another vulnerability in the kernel’s FUSE filesystem code, discovered by the AI-driven research firm Bynario. This flaw allows a local user with FUSE access to introduce a malicious filesystem to the kernel, potentially leading to root access, data leaks, or system crashes.
For ongoing coverage and breaking updates, visit our Latest News section.
Published on 2026-07-06 09:08:00 • By the Editorial Desk

