Bad Epoll Flaw Grants Root Access on Linux and Android
CVE-2026-46242, dubbed Bad Epoll, lets unprivileged local users gain root via a race-condition bug in the Linux kernel's epoll subsystem; a patch is already out.
A newly disclosed Linux kernel vulnerability called Bad Epoll (CVE-2026-46242) lets an unprivileged local attacker gain full root access on Linux systems and Android devices. The bug is a classic use-after-free race condition in the kernel's epoll subsystem — heavily used by servers and browsers to manage network connections — where two kernel threads free the same object simultaneously, corrupting memory and enabling privilege escalation.
Researcher Jaeyoung Chung built a reliable proof-of-concept exploit that hits a race window only a few CPU instructions wide yet succeeds roughly 99% of the time on tested systems. Notably, the exploit can be triggered from within Chrome's renderer sandbox, raising the stakes for browser-based attacks, and a dedicated Android exploit is reportedly still in development. No in-the-wild exploitation has been observed so far.
A striking detail is that Bad Epoll traces back to the same 2023 commit that introduced another flaw, CVE-2026-43074, which Anthropic's Mythos AI model had previously discovered in the same code region. Mythos caught the first bug but missed this second, much narrower race condition — and once the first flaw was patched, Bad Epoll stopped triggering obvious KASAN warnings, making it harder still to detect.
Bad Epoll joins other recently disclosed Linux privilege-escalation flaws like Copy Fail, Dirty Frag, Fragnesia, and DirtyClone, but stands apart as an older-style, hard-to-find race condition rather than a deterministic bug. The case underscores both the promise and current limits of AI-assisted vulnerability research: frontier models can spot complex kernel bugs, yet subtle timing-dependent races still require human expertise to uncover.