~/home/news/bad-epoll-cve-2026-46242-2026-07-07

Bad Epoll (CVE-2026-46242): Critical Linux/Android Root Escalation

A newly disclosed kernel flaw (CVE-2026-46242) in the epoll subsystem lets any unprivileged user gain root on Linux servers, desktops, and Android devices. The bug, uncovered by Anthropic’s AI model Mythos, can be chained from Chrome’s renderer sandbox for full kernel code execution.

Overview/Introduction

On July 4, 2026 the security community was rocked by the disclosure of a critical privilege-escalation bug in the Linux kernel known as “Bad Epoll.” Assigned CVE-2026-46242, the vulnerability lives in the kernel’s epoll subsystem - a core component used for high-performance I/O event notification on virtually every Linux distribution and Android device. Exploiting a race condition combined with a use-after-free (UAF), an attacker with ordinary user privileges can corrupt kernel memory and execute arbitrary code with root privileges.

What makes Bad Epoll especially dangerous is its reach: the flaw can be triggered from inside Google Chrome’s renderer sandbox, meaning a remote-code-execution exploit in the browser can be chained to a full kernel compromise. The discovery was credited to Anthropic’s AI model Mythos, underscoring how advanced machine-learning tools are now capable of finding subtle kernel bugs that have eluded human researchers for years.

Technical Details (CVE, attack vector, exploitation method)

CVE-2026-46242 is a classic race-condition/UAF bug in the function ep_remove(). The kernel clears file->f_ep under file->f_lock but continues to use the same struct file while performing hlist_del_rcu() and spin_unlock(). A concurrent call to __fput() can see a transient NULL pointer, skip the normal eventpoll_release_file() cleanup, and jump straight to f_op->release. This releases the watched struct eventpoll while it is still referenced, creating a classic use-after-free.

Because struct file objects are allocated from a SLAB_TYPESAFE_BY_RCU cache, the freed slot can be recycled by alloc_empty_file(). An attacker can then force a kmem_cache_free() against the wrong slab cache, corrupting adjacent kernel structures and eventually hijacking control flow.

The exploit chain developed by researcher Jaeyoung Chung (who originally submitted the zero-day to Google’s kernelCTF program) works as follows:

  • Trigger the race window - a handful of CPU instructions - by rapidly opening and closing epoll file descriptors from multiple threads.
  • Use a retry loop that repeatedly attempts the critical sequence without crashing the kernel, achieving ~99% reliability on tested kernels.
  • Leverage the corrupted memory to overwrite a function pointer in struct file_operations, redirecting execution to a user-controlled payload.
  • Escalate to root by executing a commit_creds(prepare_kernel_cred(0)) sequence.

When the vulnerability is combined with a Chrome renderer sandbox escape (e.g., a typical use-after-free or type-confusion in Blink), an attacker can launch the Bad Epoll exploit from within the sandbox, bypass the user-space isolation, and gain kernel-level code execution on any system running a vulnerable Chrome version.

Impact Analysis (who is affected, how severe)

The bug is present in the mainline Linux kernel series from 5.15 onward, meaning it affects a broad swath of operating systems:

  • Enterprise Linux servers (RHEL, CentOS, Ubuntu Server, Debian, SUSE, etc.)
  • Desktop distributions (Ubuntu, Fedora, Arch, Mint, Pop!_OS, etc.)
  • Android smartphones and tablets running kernel versions 5.15-6.6, which includes the majority of devices shipped in the last three years.
  • Any environment that runs a vulnerable version of Google Chrome (or Chromium-based browsers) where the renderer sandbox can reach the kernel.

Because epoll is a core kernel facility that cannot be disabled, mitigation options are limited to patching. The vulnerability grants root on servers, allowing attackers to install backdoors, exfiltrate data, and pivot laterally. On Android, an attacker can obtain full device control, bypassing Play Protect and any device-management solutions.

Timeline of Events

  • Early 2023 - A kernel commit introduces two new race windows in the epoll code path.
  • May 2024 - Anthropic’s AI model Mythos discovers CVE-2026-43074, the first of the two race conditions.
  • June 2025 - Mythos flags the second, narrower race condition but fails to generate a reliable exploit due to the minimal timing window.
  • March 2026 - Researcher Jaeyoung Chung independently discovers the exploitable UAF (later assigned CVE-2026-46242) and submits a zero-day to Google’s kernelCTF bounty program.
  • July 4, 2026 - Public disclosure via CyberSecurityNews and coordinated release of patches by major Linux distributors.
  • July 6, 2026 - Additional analysis reveals Chrome renderer sandbox reachability, prompting browsers to push emergency updates.

Mitigation/Recommendations

Immediate actions for administrators and end-users:

  1. Patch the kernel. All major distributions have released updates (e.g., Linux 5.15.157, 6.1.80, 6.6.31). Apply the latest security patches within 24 hours.
  2. Update Chrome/Chromium. Versions 119.0.6045.123 and later include a mitigation that disables the vulnerable epoll path from the renderer sandbox.
  3. Restrict unprivileged user access to epoll. Where feasible, use sysctl kernel.unprivileged_bpf_disabled=1 and consider sandboxing untrusted workloads with containers that employ seccomp profiles blocking epoll_create and related syscalls.
  4. Enable kernel hardening features. Activate CONFIG_DEBUG_KMEMLEAK and CONFIG_KASAN on development systems to increase visibility of UAF conditions.
  5. Monitor for exploitation attempts. Look for unusual spikes in epoll_ctl failures, high rates of SIGSEGV in privileged processes, and sudden creation of /dev/mem or /proc/kallsyms reads.

For Android device manufacturers, ship the patched kernel as part of OTA updates and enforce Play Protect policies that block apps attempting to use native epoll syscalls in a suspicious manner.

Real-World Impact (how this affects organizations/individuals)

Enterprises running unpatched Linux servers risk a remote attacker turning a low-privilege foothold-such as a compromised web application or a malicious insider-into full root control. This could lead to ransomware deployment, credential theft, and long-term persistence via kernel-level rootkits.

On the consumer side, Android users with outdated devices could see their phones turned into surveillance platforms. Malicious apps could silently leverage a Chrome exploit to break out of the sandbox, trigger Bad Epoll, and gain system-wide control, potentially stealing SMS, contacts, and banking credentials.

Given the prevalence of Chrome as the default browser on both Linux desktops and Android, the attack surface is larger than most traditional kernel bugs. Organizations that enforce strict browser whitelisting and sandbox hardening will see a lower risk, but the sheer ubiquity of the vulnerable component makes rapid patch deployment essential.

Expert Opinion

Bad Epoll is a watershed moment for several reasons. First, it demonstrates that AI-driven research can uncover deep, timing-sensitive kernel bugs that were previously thought to be the exclusive domain of seasoned kernel developers. While Mythos initially missed the narrow race window, its identification of the broader code-path issue paved the way for human researchers to focus their analysis and eventually produce a reliable exploit.

Second, the convergence of a kernel privilege-escalation bug with a browser sandbox escape illustrates the growing need for holistic, cross-layer security assessments. Traditional patch-management processes will no longer be sufficient; organizations must adopt continuous monitoring that correlates user-space exploit activity with kernel-level anomalies.

Finally, the fact that Bad Epoll affects Android highlights the blurring line between server-grade and mobile security. Mobile device management (MDM) solutions must evolve to include kernel-level threat intelligence, not just application-level controls.

In short, the Bad Epoll incident should serve as a wake-up call: the security community must embrace AI-assisted vulnerability discovery, accelerate coordinated patch cycles, and adopt defense-in-depth strategies that span from the browser sandbox to the kernel core.