Bad Epoll Shows Why Human Audits Still Beat AI in Kernel Security

Human researcher Jaeyoung Chung uncovered the Bad Epoll kernel race‑condition (CVE‑2026‑46242) that AI model Mythos missed, demonstrating that even the most advanced AI code‑auditing tools can overlook critical vulnerabilities while human intuition and deep analysis still dominate security research.

Black & White Path
Black & White Path
Black & White Path
Bad Epoll Shows Why Human Audits Still Beat AI in Kernel Security
Security researcher Jaeyoung Chung discovered a race‑condition use‑after‑free vulnerability in the Linux kernel epoll subsystem, designated CVE‑2026‑46242 and nicknamed “Bad Epoll”. The flaw resides next to a separate epoll bug (CVE‑2026‑43074) that was earlier identified by Anthropic’s AI model Mythos.

Mythos found the first, missed the second

In April 2023 a commit (58c9b016e128) added roughly 2,500 lines to the epoll subsystem, unintentionally introducing two independent race conditions that could each lead to privilege escalation. Mythos quickly reported the first condition as CVE‑2026‑43074, demonstrating the capability of cutting‑edge AI in kernel bug discovery. The second condition, Bad Epoll, was reported by Jaeyoung Chung to Google kernelCTF and earned a bounty exceeding $71,337.

Why Mythos missed Bad Epoll

Race window only six instructions wide : Even with full source access, the precise interleaving of threads is extremely hard to anticipate.

Almost no KASAN triggers : After the CVE‑2026‑43074 fix, the kernel’s memory‑error detector rarely reports the use‑after‑free in Bad Epoll, giving the AI no confidence signal.

Bad Epoll: technical description

Bad Epoll is a use‑after‑free race condition in the epoll subsystem. An attacker who can trigger the race can elevate a non‑privileged process to root, affecting Linux desktops, servers, and Android devices.

Two linked epoll objects, closing both triggers the race condition
Two linked epoll objects, closing both triggers the race condition

The exploit achieves 99 % reliable privilege escalation by expanding the race window and running a never‑crashing retry loop.

Scope of impact

epoll is the core mechanism for high‑concurrency network and file I/O in Linux and is used by Nginx, Redis, Docker, Kubernetes and virtually all high‑performance network services. Compromise of epoll enables container escape or host‑level root takeover, potentially compromising an entire cluster.

On Android, Bad Epoll is one of roughly ten kernel bugs with root‑Android potential. Malicious software can obtain root without user interaction, steal data, or install persistent malware.

Attack principle

Race condition trigger

Two epoll close paths run concurrently; one frees the epoll object while the other still writes to it, creating a use‑after‑free.

The exploit creates four epoll objects arranged in two pairs: one pair triggers the race, the other pair serves as victims. The 8‑byte UAF write is transformed into a file‑object UAF, and a cross‑cache attack gains full control of the file contents.

Exploit chain

With control of the file object, the exploit reads arbitrary kernel memory via /proc/self/fdinfo, hijacks control flow, and executes a ROP chain to obtain a root shell.

Affected versions and fixes

Introduced: commit 58c9b016e128 (2023‑04‑08)

Fixed: commit a6dc643c6931 (2026‑04‑24)

Kernels based on v6.4 or newer that have not back‑ported the fix are vulnerable; kernels based on v6.1 are unaffected.

lts‑6.12.67 (LTS): 99 % reliable exploit

cos‑121‑18867.294.100 (COS): 98 % reliable exploit

Android status: a full root exploit is in progress for Pixel 10 (kernel v6.6+); Pixel 8 and other v6.1 devices are not affected.

Timeline

2023‑04‑08 – Vulnerability introduced into epoll (commit 58c9b016e128).

2026‑02‑17 – Reported to [email protected].

2026‑02‑17 – Maintainer proposed a prototype patch (not a proper fix); discussion stalled.

2026‑04‑02 – Mythos‑found CVE‑2026‑43074 fix merged upstream.

2026‑04‑22 – Bad Epoll re‑reported.

2026‑04‑24 – Bad Epoll fix merged upstream (commit a6dc643c6931).

Vulnerability naming

Bad Epoll follows the “Bad” series of Android root kernel bugs (Bad Binder, Bad IO_URING, Bad Spin), representing the epoll variant.

Conclusion

Bad Epoll is a textbook‑level kernel vulnerability that spans servers and mobile devices, achieves stable high‑privilege takeover, and demonstrates that manual security audits remain indispensable even when advanced AI models can find other bugs in the same code base.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

Linux kernelepollUAFsecurity researchAI auditingCVE-2026-46242
Black & White Path
Written by

Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.