New “Bad Epoll” Linux Kernel Flaw Allows Unprivileged Users to Gain Root, Hits Android

A recently disclosed Linux kernel bug called Wrong Epoll (CVE-2026-46242) allows a normal user without special access to fully control the machine as root. It affects Linux desktops, servers, and Android, and a fix is out.
Wrong Epoll resides in the same small area of kernel code that Anthropic’s most powerful AI model, Mythsrecently found a different bug.
The AI caught one error and missed this one. A researcher, Jaeyoung Chung, discovered it and developed an effective attack.
How the Bug Works
Epoll is a standard Linux feature that allows a program to monitor multiple files or network connections at the same time. Servers, network services, and web browsers all depend on it. You can’t just turn it off.
Bad Epoll is a “use after free” bug. Two kernel components try to clean up the same internal object at the same time. One is freeing memory while the other is still writing to it. That short conflict allows an attacker to corrupt the kernel’s memory, then ascend from the normal account to the top.
To hold time. The window where two paths collide is probably only six machine instructions long, so a random attempt will probably never fall into it. Chung’s exploit extends that window and tries again without crashing, reaching root about 99% of the time on systems tested.
Two things make it very dangerous: according to his account, it can be started inside the sandbox that Chrome provides, which blocks almost all other kernel bugs, and it can reach Android, which most Linux bugs can’t.
Chung posted this bug as a zero-day bug in Google’s kernelCTF program, and the full technical details are in his public write-up. There is no sign of it being used in an actual attack: as of this writing, it is not on the CISA Vulnerable Exploit List, and the only working code is the proof-of-concept kernelCTF. The Android version of the exploit is still in progress.
Both bugs trace back to a single 2023 change in the epoll code. Chung says Mythos found the first of the two, now tracked as CVE-2026-43074, where a fix arrived in early 2026.
Anthropic said separately that Mythos had discovered Linux kernel-escalation bugs, although it did not link that work to Bad Epoll. Getting the first one was the real deal, because race condition bugs are notoriously hard to spot.

So why did the same AI miss your sibling’s mistake? Chung offers two possible reasons and cautions that no one can be certain.
- First, the time window is small, so the sequence of events is hard to capture even if you’re staring at the code.
- Second, there is little evidence at work.
Once the initial bug is fixed, the Bad Epoll memory error usually does not trip KASAN, the kernel’s main bug detector, so there is nothing to flag that something is wrong.
Epoll cannot be closed, so there is no fix. Apply a6dc643c6931, or install your distribution’s backport when it arrives. Kernels built in 6.4 or newer are affected unless they already have a fix.
Older kernels based on 6.1, including some Android phones like the Pixel 8, are not, because the bug came in 6.4.
A Bad Year for the Linux Kernel
Bad Epoll joins the well-known family of kernel bugs used to derail Android, following previous entries called Bad Binder, Bad IO_uring, and Bad Spin.
It also sits in the busy area of Linux privilege errors, although most of the latter work differently. Copy Fail (CVE-2026-31431) arrived in April and is now on the CISA Vulnerable Exploit list. Chain Dirty Frag, Fragnesia, DirtyClone, pedit COW came after it.
Both are fixed cache-write bugs, like Dirty Pipe (2022), with no race to win, making them more reliable to run. Bad Epoll is an older, more difficult genre: a race to be won, like Dirty Cow (2016).
A public proof view has also appeared on CVE-2026-31694, a separate flaw in the FUSE kernel file system code, discovered by AI-driven research firm Bynario. A local user with FUSE access can feed the kernel a malicious file system and corrupted memory.
Depending on the setup, that could mean root access, data leaks, or crashes. Because that access is often to containers and user namespaces, it remains more like a server and container risk than a phone.
Bynario is not alone. Mythos also discovered and exploited a 17-year-old remote code execution bug in FreeBSD’s NFS server (CVE-2026-4747), and Anthropic researchers used its models to reveal other kernel flaws.
Bad Epoll is a useful point. It shows that the race conditions are difficult in all categories: hard to find, even with the best AI; which is difficult to fix, since the first piece was short and the right one took about two months; and difficult to use, with a window only six commands wide. For now, the passing AI bug is still one to catch.



