Vulnerability Details
A serious zero-day vulnerability in the Linux kernel’s epoll subsystem, tracked as CVE-2026-46242, allows any unprivileged local user to gain full root access. The flaw, named “Bad Epoll” by researchers, is a use-after-free bug triggered by a race condition in the kernel’s event notification mechanism. The issue stems from a 2023 kernel code change that introduced two separate race conditions into the same code path. While an AI-powered tool from Anthropic named Mythos discovered the first flaw (CVE-2026-43074), Bad Epoll proved more elusive due to its narrow timing window and minimal runtime artifacts that evade the kernel’s KASAN memory error detector.
Attack Mechanism and Impact
Researcher Jaeyoung Chung submitted the working exploit to Google’s kernelCTF program, which rewards up to $71,337 for functional Linux kernel exploits. The attack uses four epoll structures in pairs to widen the exploit window, achieving roughly 99% reliability on tested systems. Unlike many privilege escalation bugs, Bad Epoll also affects Android devices because epoll is a core kernel component that cannot be disabled or unloaded. The vulnerability is reachable from within Chrome’s renderer sandbox, meaning an attacker could chain a browser exploit with Bad Epoll for full kernel code execution. No workaround exists, and administrators must apply the upstream patch or await distribution specific backports.
Source: Cyber Security News
