threat-wire

New Bad Epoll Flaw Turns Any Linux User Into Root

A newly disclosed Linux kernel bug called Bad Epoll lets a normal user account jump straight to root, and it works on desktops, servers, and some Android phones. A public proof-of-concept reaches root about 99% of the time on tested systems, though there's no sign yet that real attackers have picked it up. A patch exists, but epoll can't simply be switched off.

By SecureBusinessHub Editorial, International cybersecurity desk — · 5 min read

A Linux kernel bug called Bad Epoll lets an ordinary user account, no admin rights, no special access, take full control of a machine as root. It reaches desktops, servers, and Android phones, and the working exploit code is already public.

2023: the code that started it

The story starts three years back, with a change made to epoll, the standard Linux feature that lets a program watch many files or network connections at once. Web servers, proxies, and browsers all lean on it, and you can't turn it off. That 2023 change quietly introduced a timing flaw that nobody caught.

Early 2026: an AI catches half the bug

Anthropic's Mythos model, working through the same stretch of kernel code, found one flaw tied to that change. It got a CVE number, CVE-2026-43074, and a fix went out earlier this year. Race-condition bugs are notoriously hard to spot, so catching it was a real result.

The flaw the AI walked past

Mythos missed a second, related bug in the same code. Researcher Jaeyoung Chung found it by hand and built a working exploit. Bad Epoll (CVE-2026-46242) is a use-after-free: two parts of the kernel try to clean up the same object at once, one frees the memory while the other is still writing to it, and that split-second collision lets an attacker corrupt kernel memory and climb to root.

  • The timing window where the bug can be triggered is only about six machine instructions wide, yet Chung's exploit widens it and retries without crashing, reaching root roughly 99% of the time on tested systems
  • It can reportedly be triggered from inside Chrome's renderer sandbox, a barrier that blocks almost every other kernel bug
  • It reaches Android, which most Linux privilege-escalation bugs cannot
  • Once the first related bug (CVE-2026-43074) is patched, Bad Epoll's memory error typically doesn't trip KASAN, the kernel's main bug detector, so nothing flags it

Are you exposed?

  • Run "uname -r" on any Linux server, workstation, or appliance you manage. Kernels built on 6.4 or newer are affected unless the fix is already applied
  • Older 6.1-based kernels, including some Android phones such as the Pixel 8, are not affected, since the flaw arrived with 6.4
  • Ask your Linux distribution or cloud host whether upstream commit a6dc643c6931 has been backported yet, rather than assuming a recent update covers it
  • For Android fleets, confirm devices are on the current monthly security patch level once Google ships the Android-specific fix, which was still in progress at time of writing

No workaround, only a patch

There's no sign Bad Epoll has been used in a real attack. It isn't on CISA's Known Exploited Vulnerabilities list, and the only public exploit is Chung's research code on GitHub. That said, epoll can't be disabled, so the only real fix is applying the patch or your distribution's backport once it lands.

A bug an AI walks past is still the one a person has to catch.