A recently found Linux kernel vulnerability called ‘Bad Epoll’ (CVE-2026-46242) allows an ordinary person without any special privilege to take complete command of a device as a root. This has impacted Linux systems, Android, and servers, and a patch is out to address the flaw.
Bad Epoll was discovered in the same kernel code where Anthropic’s famous AI model, Mythos, discovered another vulnerability.
The AI flagged one flaw but missed Bad Epoll. Expert Jaeyoung Chung discovered this one.
About Bad Epoll
Epoll is a Linux feature that allows a program to watch various network connections and files at once. You cannot switch it off as web browsers, network services, and servers, all rely on it.
The flaw is a ‘use-after-free’ bug, where two parts of the kernel clean up the same internal object at once. One cleans the memory while the other one writes it. This small friction allows hackers to attack kernel memory, then rise upward to root.
Detecting the bug
Timing is the catch. A random attempt nearly never lands in the window where the two pathways intersect since it is just roughly six machine instructions wide. On testing platforms, Chung's attack expands that window and tries again without crashing, achieving root roughly 99% of the time.
It is more serious since, according to his account, it can be triggered from within Chrome's renderer sandbox, which prevents nearly all other kernel problems, and it can reach Android, which is not possible with other Linux privilege bugs.
Chung sent the flaw as a zer0-day to Google’s kernelCTF program, and full details can be found on his Github. There are no indications that hackers have used it in real-time. At present, an android variant of compromise exists and the only working code is the kernelCTF PoC.
History of the bug
These two flaws go back to a single 2023 modification to the epoll code. According to Chung, Mythos discovered the first two, now labelled as CVE-2026-43074, with an early patch in 2026.
Additionally, Anthropic said that Mythos discovered linux kernel privilege-escalation bugs, but it did not relate the findings with Bad Epoll. Finding the first one was difficult as race-condition flaws are difficult to detect. But why did the AI miss the second flaw?
Chung offers two likely reasons:
Small timing window
Lack of evidence during runtime