- A critical Linux kernel flaw, Bad Epoll (CVE-2026-46242), allows a standard user to gain full root control on desktops, servers, and Android.
- The exploit leverages a narrow “use-after-free” race condition, which Anthropic‘s Mythos AI model missed after finding a sibling bug in the same code.
- Researcher Jaeyoung Chung developed a reliable exploit, submitted it as a zero-day, and detailed the attack in a public writeup.
- The bug stems from a 2023 code change and requires applying a specific upstream patch, as there is no workaround.
A newly disclosed Linux kernel flaw, discovered by researcher Jaeyoung Chung and dubbed Bad Epoll, lets ordinary users take complete root control of affected systems. This critical vulnerability, tracked as CVE-2026-46242, impacts Linux desktops, servers, and Android devices where a fix is now available.
Bad Epoll is a “use-after-free” race condition bug within the essential epoll subsystem. Consequently, an attacker can corrupt kernel memory to escalate privileges from a normal account to root. The exploit’s timing window is notoriously narrow, only about six machine instructions wide.
However, Chung’s proof-of-concept widens this window and achieves root access about 99% of the time. The bug is particularly dangerous as it can reportedly be triggered from within Chrome’s renderer sandbox and can reach Android. Chung submitted the flaw as a zero-day to Google’s kernelCTF program, with technical details in his public writeup.
This bug resides in the same kernel code where Anthropic‘s AI model, Mythos, recently found a different vulnerability, CVE-2026-43074. Anthropic has separately stated Mythos found Linux kernel privilege-escalation bugs, though it has not publicly linked that work to Bad Epoll.
Meanwhile, the flaw joins a family of similar Android-rooting bugs like Bad Binder and Bad IO_uring. It also arrives during a busy period for Linux privilege escalations, including Copy Fail (CVE-2026-31431) which is now on CISA’s Known Exploited Vulnerabilities list. A separate FUSE filesystem bug, CVE-2026-31694, also has a public proof-of-concept.
Bynario found the FUSE flaw, while Mythos also discovered and exploited a 17-year-old remote code execution bug in FreeBSD’s NFS server (CVE-2026-4747). Ultimately, Bad Epoll highlights the persistent difficulty of finding and fixing complex race conditions, even for advanced AI. For now, users must apply the upstream commit a6dc643c6931 or their distribution’s security update.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
