Dateline: July 6, 2026
Bad Epoll Explained: The Zero-Day That Even an AI Model Missed
A security researcher just showed that any regular user on a Linux machine can seize full root control without needing any special permissions. The flaw is called Bad Epoll. It affects Linux desktops, servers, and Android devices running kernel version 6.4 or newer. There is no workaround. A patch and a reboot are the only way out.
What Happened?
Researcher Jaeyoung Chung from CompSec Lab discovered and exploited a zero-day in the Linux kernel’s epoll subsystem, the part of the kernel that handles input and output event notifications for virtually every high-performance server and application. The flaw is tracked as CVE-2026-46242.
Chung submitted it as a zero-day to Google’s kernelCTF program, which pays $71,337 or more for working Linux kernel exploits. The vulnerability was first reported to [email protected] on February 17, 2026. Maintainers’ first patch attempt was incomplete. The correct fix only landed on April 24, 2026, more than two months after initial disclosure.
One notable detail: Anthropic’s AI model Mythos examined the same area of epoll code and found a nearby race bug (CVE-2026-43074), but missed Bad Epoll entirely. The researcher points to two likely reasons: the race window is only about six instructions wide, and the bug leaves very little evidence in kernel memory-error detection tools, making it hard to spot even for a frontier AI model.
What Is the Impact?
Bad Epoll is a race-condition use-after-free flaw. Two of epoll’s close paths run at the same time and collide. One frees an object while the other is still writing into it. From there, an attacker gains control over a kernel file object, reads arbitrary memory, and executes a ROP chain that spawns a root shell. Three things make this particularly serious:
No kill-switch. Epoll is a core kernel feature that cannot be disabled or unloaded. The only fix is to apply the patch.
It can be triggered from inside Chrome’s renderer sandbox. Most kernel bugs cannot reach through Chrome’s sandbox. Bad Epoll can, which opens the door to chaining a renderer exploit with Bad Epoll to reach kernel code execution.
It can root Android. Out of roughly 130 vulnerabilities ever exploited on Google’s kernelCTF, only about 10 are candidates for rooting Android. Bad Epoll is one of them. A full Android exploit targeting the Pixel 10 is already in progress.
The exploit runs at 99% reliability on tested targets, not because the race window is wide (it is only six instructions), but because the researcher built a technique to widen it using four linked epoll objects that never crashes the kernel mid-attack.
How to Avoid This
- Run uname -r to check your kernel version. Systems on v6.4 or newer without the backported fix are vulnerable. Older v6.1-based kernels, including Pixel 8 devices, are not affected.
- Apply the upstream fix (commit a6dc643c6931) or your distribution’s backport. Ubuntu, Debian, Red Hat, and SUSE are rolling out patches now. Apply as soon as your distribution makes it available, then reboot.
- There is no runtime workaround. Monitoring alone is not enough here. Patch and reboot are the only path to remediation.
- Audit all Linux environments across your fleet, including cloud instances, containerized workloads, and Android-based deployments, for unpatched kernel versions.
Your Security Stack Needs to See This Coming
Most organizations find out about kernel-level privilege escalation flaws only after they have already landed. By the time a CVE has a working public exploit, the window to act quietly has already closed.
Secure.com’s Infrastructure Security Teammate keeps continuous watch so your team is not caught flat-footed by the next Bad Epoll:
- Tracks kernel versions and patch status across your entire infrastructure in real time
- Detects privilege escalation attempts on Linux hosts and surfaces them as actionable alerts
- Maps your attack surface so you know exactly which assets are most exposed when a kernel flaw drops
- Prioritizes remediation by asset risk so your team fixes what matters first
- Keeps your infrastructure posture current without requiring a manual audit after every new CVE