Security researchers have disclosed a critical vulnerability in the Linux kernel that can be exploited by a local, unprivileged user to seize full root control of affected systems. The flaw, officially designated CVE-2026-46242 and dubbed “Bad Epoll,” resides in the operating system’s core event-polling subsystem and has been verified across Linux desktops, servers, and Android devices. A corrective patch is already available upstream.
The Nature of the Race Condition
The bug is a use-after-free vulnerability within the epoll subsystem, a fundamental component that allows applications to efficiently monitor multiple file descriptors and network connections simultaneously. Because epoll is integral to the performance of web servers, browsers, and network services, it cannot be disabled as a mitigation measure. The issue arises from a race condition in which two kernel execution paths attempt to clean up the same internal data structure concurrently. One path frees the object’s memory while the other continues to write to it, creating a narrow collision window that corrupts kernel memory and enables privilege escalation from a standard user account to root.
The exploitation window is extraordinarily tight—spanning approximately six machine instructions—which makes reliable attacks difficult under normal circumstances. However, researcher Jaeyoung Chung, who discovered and disclosed the flaw, developed an exploit that systematically widens this window and retries without crashing the target. In testing, the proof-of-concept achieved root access with roughly 99% reliability. Two attributes magnify the flaw’s severity: according to Chung, the attack can be staged from within Chrome’s renderer sandbox, and the vulnerability extends to Android, a platform that many Linux kernel bugs do not reach.
A Blind Spot for Automated Discovery
The vulnerability’s origins trace back to a code change introduced in 2023 within a compact 2,500-line segment of epoll logic. That same code region had recently been scrutinized by Mythos, an artificial intelligence model developed by Anthropic, which successfully identified and reported one of the two overlapping race conditions as CVE-2026-43074. That earlier finding was a genuine success, as concurrency bugs are notoriously difficult to detect. Yet the model missed Bad Epoll entirely, leaving the second, more dangerous race condition for a human researcher to uncover and weaponize.
Chung offers two plausible explanations for this gap without settling on either. The timing window is so minute that the precise instruction sequence becomes extremely difficult to infer through static code analysis alone. Additionally, after the first flaw was patched, Bad Epoll no longer triggered the kernel’s memory error detector KASAN under normal conditions, depriving the model of the runtime crash traces on which it often depends. The episode illustrates a dual reality: AI tools are proving capable of surfacing sophisticated kernel bugs, yet subtle race conditions remain a challenging frontier.
Patching and Risk Assessment
All kernel versions from 6.4 onward are affected if they lack the upstream fix. Systems running the older Linux 6.1 branch—including certain Android devices such as the Pixel 8—are not vulnerable, because the faulty code was introduced only after that kernel generation. Chung has indicated that an Android-specific exploit is still under development. The immediate risk to end users is mitigated by several factors: there is no evidence of active exploitation in the wild, the only publicly available working code is the proof-of-concept submitted through Google’s kernelCTF program, and local access to the device is a prerequisite since the flaw cannot be triggered remotely.
Users who maintain their own kernels should apply upstream commit a6dc643c6931 directly. All other users are advised to wait for their Linux distribution’s official backported update and install it immediately upon release. Because epoll is a non-optional kernel facility, no configuration workaround exists; installing the patch is the sole remediation path.
Sources: github.com, red.anthropic.com, git.kernel.org