
A working exploit for a Linux kernel vulnerability that hands any logged-in user a root shell is now sitting in the open, and the flaw it targets is unusual for a reason that should worry defenders: an AI model scanning the exact same code missed it entirely.
The bug, tracked as CVE-2026-46242 and nicknamed "Bad Epoll," is a race-condition use-after-free (a flaw where a program keeps using memory after it's been freed, letting attackers hijack that memory for their own purposes) buried in the Linux kernel's epoll subsystem — the mechanism that lets programs efficiently watch thousands of file descriptors at once. Because epoll underpins everything from Nginx to Node.js to Android itself, there's no module to disable and no config flag to flip. Patching is the only fix.
How it was found — and what got past the machine
Security researcher Jaeyoung Chung uncovered Bad Epoll while digging through a 2023 kernel commit that, it turns out, had quietly introduced two separate race conditions into roughly 2,500 lines of epoll code. Anthropic's Mythos AI model had already caught one of them, reported as CVE-2026-43074, and that fix landed in the kernel in April. Bad Epoll was the sibling bug sitting right next to it, and Mythos didn't flag it.
The likely reason comes down to a tiny window and a lack of evidence: once the first bug was patched, Bad Epoll's memory-corruption trigger stopped setting off KASAN, the kernel's built-in memory-error detector. A model — or a human reviewer, for that matter — largely reasoning from dynamic testing signals had nothing obvious pointing at the problem.
Turning a six-instruction gap into a root
What makes the newly public proof-of-concept notable isn't just that it works — it's how reliably. The race window itself spans roughly six CPU instructions, yet Chung's exploit reportedly hits it about 99% of the time by deliberately widening the timing gap and retrying in a loop that never crashes the target machine. From there, it leverages a cross-cache technique to seize control of a freed file object, leaks kernel memory addresses, and builds a return-oriented-programming chain to escalate to root.
The exploit is also reachable from inside Chrome's renderer sandbox, a detail that stands out because most kernel bugs never get near that isolation layer. In practice, that means a browser-based compromise could potentially chain straight into full kernel code execution — turning a single memory bug into a fully realized boots-to-root attack chain.
What to do now
Bad Epoll affects Linux distributions running kernel 6.4 and newer, plus confirmed vulnerable Android hardware. There's no workaround short of applying the upstream patch and rebooting into it — a step that's easy to skip if teams assume an updated package means an updated running kernel.
Security teams should verify patch status directly, restrict who has local shell access on shared servers and CI systems, and watch for post-exploitation signs like unexpected setuid binaries or new privileged accounts, since this class of bug leaves almost nothing behind at runtime.