CVE-2026-46242 lets an ordinary user with no special access take full control of a machine as root — and it can reach Android devices as well. A working exploit and an upstream fix now exist, but the path from discovery to patch underlines how small timing windows and weak runtime signals can let serious kernel races slip past even advanced tools.
How Bad Epoll (CVE-2026-46242) works
Bad Epoll is a use-after-free race in the Linux kernel's epoll code. Epoll is the kernel mechanism programs use to watch many files or network connections at once; it is widely used by servers, network services, and web browsers and cannot be turned off. Two kernel paths can attempt to clean up the same internal object concurrently: one path frees the object's memory while the other continues writing into it. That brief overlap lets an attacker corrupt kernel memory and escalate from a normal account to root.
The timing window is extremely narrow — on the order of six machine instructions — so a naive attempt almost never wins the race. Researcher Jaeyoung Chung built an exploit that widens that window and retries without crashing, achieving root about 99% of the time on tested systems. By Chung’s account, the exploit can be triggered from inside Chrome’s renderer sandbox and can also reach Android, increasing the practical danger compared with many other Linux privilege bugs.
Jaeyoung Chung, the kernelCTF proof-of-concept, and the patch
Chung submitted the flaw as a zero-day to Google’s kernelCTF program; his full technical writeup and a proof-of-concept are public. As of this writing, there is no sign Bad Epoll has been used in real-world attacks: it is not on CISA’s Known Exploited Vulnerabilities list, and the only working code is the kernelCTF proof-of-concept. An Android-specific exploit is still in progress.
The upstream fix is available as commit a6dc643c6931; distributions are expected to ship backports. Kernels built on 6.4 or newer are affected unless they have already received the fix. Older 6.1-based kernels are not affected, because the problematic change arrived in 6.4; the source specifically notes that some Android phones, including the Pixel 8, run 6.1-based kernels and are therefore not vulnerable to this bug. There is no workaround: epoll cannot be disabled.
Why an AI that found a sibling bug missed this one
Bad Epoll sits in the same small stretch of code where Anthropic’s AI model Mythos recently found a different bug, tracked as CVE-2026-43074; that first bug was fixed earlier in 2026. Anthropic has said Mythos found Linux kernel privilege-escalation bugs in its research, though it has not publicly tied that work to Bad Epoll.
Chung offers two likely reasons Mythos missed this sibling flaw: the timing window is tiny, making the exact sequence of events hard to picture from code alone, and there is little evidence at runtime. Once the first bug is patched, Bad Epoll’s memory error typically does not trip KASAN, the kernel’s main runtime bug detector, so the race can leave few observable traces.
Bad Epoll in the context of recent kernel vulnerabilities
Bad Epoll joins a lineage of local Linux kernel bugs that have been used to root Android: earlier names in this family include Bad Binder, Bad IO_uring, and Bad Spin. It also arrives amid a busy period for Linux privilege flaws. Copy Fail (CVE-2026-31431) landed in April and is already on CISA’s Known Exploited Vulnerabilities list. Subsequent entries mentioned by the source include the Dirty Frag chain, Fragnesia, DirtyClone, and pedit COW — many of which are deterministic page-cache-write bugs similar to Dirty Pipe (2022). By contrast, Bad Epoll is a race-condition exploit in the older, harder-to-win category, compared explicitly to Dirty Cow (2016).
Separately, a public proof-of-concept has appeared for CVE-2026-31694, a FUSE filesystem flaw found by the AI-driven firm Bynario; a local user with FUSE access can corrupt kernel memory and, depending on configuration, could gain root, leak data, or crash systems — a risk that surfaces especially for servers and containers where FUSE and user namespaces are common. Anthropic’s Mythos also found a 17-year-old FreeBSD NFS server remote code execution bug tracked as CVE-2026-4747.
What this means for security teams, Android users, and browser vendors
- Security teams and Linux maintainers: apply upstream commit a6dc643c6931 or install distribution backports when they arrive. Because epoll cannot be disabled, patching is the required mitigation; monitor distribution advisories for backports to affected 6.4+ kernels.
- Android users and device vendors: some Android devices run affected kernels; others on 6.1-based kernels, such as certain Pixel 8 phones, are not affected by this bug. Vendors should prioritize delivering kernel updates, and users should install official OS/security updates when available.
- Browser vendors (notably those shipping Chrome’s renderer): the exploit can be triggered from inside Chrome’s renderer sandbox, so sandbox hardening and rapid patching of both kernel and browser components both matter for reducing exposure.
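As an added example (not from the article or the kernel project), a small POSIX shell helper that classifies a kernel release string against the affected range the article gives, 6.4 and newer, and checks a kernel git checkout for the fix commit a6dc643c6931; the function names and the checkout path are my own assumptions. A version in range is a prompt to confirm the backport with your distribution's advisory, not proof of vulnerability, since distributions patch without changing the version string.

```shell
#!/bin/sh
# Added example: triage helper for the Bad Epoll affected range (6.4+).
# Not part of the article or of any kernel project tooling.

# kernel_in_affected_range RELEASE
#   returns 0 if RELEASE is 6.4 or newer, 1 if older, 2 if unparsable.
#   Accepts uname -r style strings such as "6.8.0-45-generic".
kernel_in_affected_range() {
    ver="$1"
    # keep only the leading numeric release, e.g. "6.8.0-45-generic" -> "6.8.0"
    base=$(printf '%s' "$ver" | sed 's/[^0-9.].*//')
    major=${base%%.*}
    case "$base" in
        *.*) rest=${base#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) minor=0 ;; esac
    [ "$major" -gt 6 ] && return 0
    [ "$major" -eq 6 ] && [ "$minor" -ge 4 ] && return 0
    return 1
}

# fix_commit_present KERNEL_GIT_DIR
#   returns 0 if the upstream fix commit is an ancestor of HEAD in that tree.
#   Only meaningful for a kernel built from an upstream/stable git checkout;
#   vendor and distribution kernels carry backports under different hashes.
fix_commit_present() {
    git -C "$1" merge-base --is-ancestor a6dc643c6931 HEAD 2>/dev/null
}

# report_running_kernel: classify the kernel this script runs on.
report_running_kernel() {
    running=$(uname -r)
    if kernel_in_affected_range "$running"; then
        echo "$running: in the 6.4+ range; confirm the a6dc643c6931 backport via your distribution advisory"
    else
        echo "$running: below 6.4, outside the range the article describes"
    fi
}

# Run the report only when invoked directly with --self, so the functions
# can also be sourced from other scripts.
[ "${1:-}" = "--self" ] && report_running_kernel
```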
Bad Epoll is a reminder that race conditions remain both subtle and consequential: they can be hard to find automatically, hard to observe at runtime, and — when successfully exploited — powerful enough to hand an ordinary user full root privileges. The technical fix is published; the practical question now is how quickly distributors, vendors, and users move to deploy it before an exploit leaves the labs and appears in the wild.
https://thehackernews.com/2026/07/new-bad-epoll-linux-kernel-flaw-lets.html