Full Report
A newly disclosed Linux kernel flaw called Bad Epoll (CVE-2026-46242) lets an ordinary user with no special access take full control of a machine as root. It affects Linux desktops, servers, and Android, and a fix is out. Bad Epoll sits in the same small stretch of kernel code where Anthropic's most powerful AI model, Mythos, recently found a different bug. The AI caught one flaw and missed
Analysis Summary
# Vulnerability: "Bad Epoll" Local Privilege Escalation
## CVE Details
- **CVE ID:** CVE-2026-46242
- **CVSS Score:** Not explicitly listed (Estimated High/Critical based on Root impact)
- **CWE:** CWE-416 (Use-After-Free)
## Affected Systems
- **Products:** Linux Kernel (Desktop, Server, and Android)
- **Versions:** Linux Kernel versions 6.4 and newer.
- **Configurations:** Systems running kernels derived from a specific 2023 `epoll` code change. Note: Older 6.1-based kernels (e.g., Pixel 8) are **not** affected.
## Vulnerability Description
Bad Epoll is a **use-after-free (UAF)** race condition within the Linux kernel’s `epoll` subsystem—a feature used to monitor multiple file descriptors. The flaw occurs when two kernel execution paths attempt to clean up the same internal object simultaneously. While one path frees the memory, the other continues to write to it. This allows an unprivileged user to corrupt kernel memory and escalate privileges to **root**.
The race window is extremely narrow (approximately six machine instructions), making it difficult to trigger accidentally. However, specialized exploitation techniques can "widen" this window to achieve high reliability.
## Exploitation
- **Status:** PoC available (Submitted to Google's kernelCTF; Android PoC in progress)
- **Complexity:** High (Requires precise timing to win a race condition)
- **Attack Vector:** Local (Can reportedly be triggered from within the **Chrome renderer sandbox**)
## Impact
- **Confidentiality:** High (Full system compromise / Root access)
- **Integrity:** High (Full system compromise / Root access)
- **Availability:** High (Kernel memory corruption can lead to system crashes)
## Remediation
### Patches
- **Upstream Linux Kernel:** Apply commit `a6dc643c69311677c574a0f17a3f4d66a5f3744b`.
- **Distributions:** Update to the latest stable/long-term kernels provided by your OS vendor (e.g., Ubuntu, Debian, Red Hat).
### Workarounds
- **None:** `epoll` is a core kernel functionality required by most modern services and web browsers and cannot be disabled.
## Detection
- **Indicators of Compromise:** Unusual local privilege escalation attempts; unexpected root shells spawned by unprivileged service accounts or sandboxed processes (like Chrome).
- **Detection Methods and Tools:**
- Monitor for kernel oops or crashes that may indicate failed exploitation attempts.
- Use auditd to track unauthorized `setuid` calls or unexpected changes to system binaries.
- Note: This bug typically does **not** trip KASAN (Kernel Address Sanitizer) after the sibling bug (CVE-2026-43074) is patched.
## References
- **KernelCTF Submission:** [https://github[.]com/J-jaeyoung/bad-epoll]
- **Upstream Commit:** [https://git[.]kernel[.]org/stable/c/a6dc643c69311677c574a0f17a3f4d66a5f3744b]
- **Anthropic Research:** [https://red[.]anthropic[.]com/2026/mythos-preview/]
- **News Source:** [https://thehackernews[.]com/2026/07/new-bad-epoll-linux-kernel-flaw-lets.html]