Linux Kernel 'Bad Epoll' Flaw Allows Unprivileged Users Root Access, Affects Android
A critical use-after-free vulnerability in the Linux kernel, dubbed 'Bad Epoll' (CVE-2026-46242), enables unprivileged users to escalate privileges to root, impacting Linux systems, servers, and Android devices.

A critical vulnerability discovered in the Linux kernel, identified as CVE-2026-46242 and nicknamed 'Bad Epoll,' presents a significant privilege escalation risk. This flaw allows an unprivileged user to gain complete control of a system as the root user. The vulnerability affects a wide range of systems, including Linux desktops, servers, and Android devices. Fortunately, a patch has been released to address the issue.
Interestingly, 'Bad Epoll' resides in the same small segment of kernel code where an AI model, Anthropic's Mythos, previously identified a different vulnerability. While the AI model successfully found one flaw, it appears to have missed this sibling bug, which was subsequently discovered by researcher Jaeyoung Chung, who also developed a working exploit.
The 'Bad Epoll' vulnerability is a use-after-free flaw. It occurs when two distinct parts of the kernel attempt to deallocate the same internal memory object concurrently. One part frees the memory while the other is still attempting to write data to it. This brief race condition allows an attacker to corrupt kernel memory, which can then be leveraged to escalate privileges from a standard user account to root.
The exploit's effectiveness hinges on precise timing, as the window for the race condition is extremely narrow, reportedly only about six machine instructions wide. This makes random exploitation highly improbable. Chung's exploit ingeniously widens this timing window and employs a retry mechanism that avoids crashing the system, achieving root access with a high success rate, estimated at 99% on tested systems.
Two key factors make this vulnerability particularly dangerous. Firstly, Chung's exploit can be triggered from within Chrome's renderer sandbox, a security boundary that typically prevents exploitation of most other kernel bugs. Secondly, the vulnerability is exploitable on Android devices, a capability that many Linux privilege escalation bugs lack. Chung submitted the flaw as a zero-day to Google's kernelCTF program, and detailed technical information is available in his public write-up.
As of this writing, there is no evidence to suggest that 'Bad Epoll' has been exploited in the wild. It is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) list, and the only publicly available exploit code is the proof-of-concept developed for the kernelCTF competition. An exploit specifically for Android is reportedly still under development.
The vulnerability traces back to a single code change made to the epoll subsystem in 2023. The first bug found by the AI, CVE-2026-43074, was fixed earlier in 2026. The difficulty in finding 'Bad Epoll' might stem from its tiny timing window and the lack of significant runtime evidence, as it often escapes kernel bug detectors like KASAN. Since epoll is a fundamental component and cannot be disabled, users must apply the upstream commit a6dc643c6931 or install their distribution's patched kernel version. Kernel versions 6.4 and newer are affected unless patched. Some older kernels, including those used in certain Android phones like the Pixel 8, are not vulnerable because the bug was introduced in kernel 6.4.
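For patch triage, the 6.4 cutoff and the fix commit above can be turned into a quick inventory check. The script below is an added example, not code from the article or from the researcher's write-up; the host names, sample release strings and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): triage kernel release strings.
# A version string cannot prove the fix is present, because distributions
# backport patches; 6.4+ hosts are flagged for verification, not declared vulnerable.
FIX_COMMIT="a6dc643c6931"   # upstream commit named in the article

# classify_kernel RELEASE -> prints pre-6.4 | verify-fix | unparsed
classify_kernel() {
    rel=$1
    case "$rel" in *.*) ;; *) echo unparsed; return 0 ;; esac
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%[!0-9]*}          # digits up to the next non-digit
    case "$major" in ''|*[!0-9]*) echo unparsed; return 0 ;; esac
    [ -n "$minor" ] || { echo unparsed; return 0; }
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 4 ]; }; then
        echo verify-fix
    else
        echo pre-6.4
    fi
}

# triage_inventory: reads "host release" pairs on stdin, one per line.
triage_inventory() {
    while read -r host release; do
        case "$host" in ''|'#'*) continue ;; esac
        case "$(classify_kernel "$release")" in
            verify-fix) echo "$host $release verify-fix: confirm the vendor kernel includes $FIX_COMMIT" ;;
            pre-6.4)    echo "$host $release pre-6.4: older than the release that introduced the bug" ;;
            *)          echo "$host $release unparsed: review manually" ;;
        esac
    done
}

# count_to_verify: number of inventory lines (stdin) that need follow-up.
count_to_verify() { triage_inventory | grep -c ' verify-fix: ' || true; }

# Constructed sample inventory (hypothetical host names).
SAMPLE_INVENTORY='web01 6.8.0-31-generic
db01 5.15.0-105-generic
phone-a 6.1.75-android14-11-g0123abc
build01 6.4.0-rc1
odd01 custom-kernel'

printf '%s\n' "$SAMPLE_INVENTORY" | triage_inventory
```

On a single host, `classify_kernel "$(uname -r)"` gives the same verdict. A `verify-fix` result still has to be resolved against the distribution's advisory or changelog for the fix commit.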
'Bad Epoll' joins a lineage of Linux kernel vulnerabilities targeting privilege escalation, including 'Bad Binder,' 'Bad IO_uring,' and 'Bad Spin,' which have historically affected Android. It also arrives during a period of heightened activity for Linux privilege flaws, though many recent ones operate differently. Vulnerabilities like 'Copy Fail' (CVE-2026-31431) and the 'Dirty Frag' chain have been more deterministic. 'Bad Epoll,' however, represents the older, more challenging category of race-condition bugs, akin to 'Dirty Cow' (2016). Another recent flaw, CVE-2026-31694 in the FUSE filesystem, also discovered via AI, poses a risk to servers and containers. The discovery and exploitation of 'Bad Epoll' highlight the persistent challenges in finding, fixing, and exploiting complex race-condition vulnerabilities, even with advanced AI assistance.