Bad Epoll Shows Why Human Audits Still Beat AI in Kernel Security
Human researcher Jaeyoung Chung uncovered the Bad Epoll kernel race‑condition (CVE‑2026‑46242) that AI model Mythos missed, demonstrating that even the most advanced AI code‑auditing tools can overlook critical vulnerabilities while human intuition and deep analysis still dominate security research.
Security researcher Jaeyoung Chung discovered a race‑condition use‑after‑free vulnerability in the Linux kernel epoll subsystem, designated CVE‑2026‑46242 and nicknamed “Bad Epoll”. The flaw resides next to a separate epoll bug (CVE‑2026‑43074) that was earlier identified by Anthropic’s AI model Mythos.
Mythos found the first, missed the second
In April 2023 a commit (58c9b016e128) added roughly 2,500 lines to the epoll subsystem, unintentionally introducing two independent race conditions that could each lead to privilege escalation. Mythos quickly reported the first condition as CVE‑2026‑43074, demonstrating the capability of cutting‑edge AI in kernel bug discovery. The second condition, Bad Epoll, was reported by Jaeyoung Chung to Google kernelCTF and earned a bounty exceeding $71,337.
Why Mythos missed Bad Epoll
Race window only six instructions wide : Even with full source access, the precise interleaving of threads is extremely hard to anticipate.
Almost no KASAN triggers : After the CVE‑2026‑43074 fix, the kernel’s memory‑error detector rarely reports the use‑after‑free in Bad Epoll, giving the AI no confidence signal.
Bad Epoll: technical description
Bad Epoll is a use‑after‑free race condition in the epoll subsystem. An attacker who can trigger the race can elevate a non‑privileged process to root, affecting Linux desktops, servers, and Android devices.
The exploit achieves 99 % reliable privilege escalation by expanding the race window and running a never‑crashing retry loop.
Scope of impact
epoll is the core mechanism for high‑concurrency network and file I/O in Linux and is used by Nginx, Redis, Docker, Kubernetes and virtually all high‑performance network services. Compromise of epoll enables container escape or host‑level root takeover, potentially compromising an entire cluster.
On Android, Bad Epoll is one of roughly ten kernel bugs with root‑Android potential. Malicious software can obtain root without user interaction, steal data, or install persistent malware.
Attack principle
Race condition trigger
Two epoll close paths run concurrently; one frees the epoll object while the other still writes to it, creating a use‑after‑free.
The exploit creates four epoll objects arranged in two pairs: one pair triggers the race, the other pair serves as victims. The 8‑byte UAF write is transformed into a file‑object UAF, and a cross‑cache attack gains full control of the file contents.
Exploit chain
With control of the file object, the exploit reads arbitrary kernel memory via /proc/self/fdinfo, hijacks control flow, and executes a ROP chain to obtain a root shell.
Affected versions and fixes
Introduced: commit 58c9b016e128 (2023‑04‑08)
Fixed: commit a6dc643c6931 (2026‑04‑24)
Kernels based on v6.4 or newer that have not back‑ported the fix are vulnerable; kernels based on v6.1 are unaffected.
lts‑6.12.67 (LTS): 99 % reliable exploit
cos‑121‑18867.294.100 (COS): 98 % reliable exploit
Android status: a full root exploit is in progress for Pixel 10 (kernel v6.6+); Pixel 8 and other v6.1 devices are not affected.
Timeline
2023‑04‑08 – Vulnerability introduced into epoll (commit 58c9b016e128).
2026‑02‑17 – Reported to [email protected].
2026‑02‑17 – Maintainer proposed a prototype patch (not a proper fix); discussion stalled.
2026‑04‑02 – Mythos‑found CVE‑2026‑43074 fix merged upstream.
2026‑04‑22 – Bad Epoll re‑reported.
2026‑04‑24 – Bad Epoll fix merged upstream (commit a6dc643c6931).
Vulnerability naming
Bad Epoll follows the “Bad” series of Android root kernel bugs (Bad Binder, Bad IO_URING, Bad Spin), representing the epoll variant.
Conclusion
Bad Epoll is a textbook‑level kernel vulnerability that spans servers and mobile devices, achieves stable high‑privilege takeover, and demonstrates that manual security audits remain indispensable even when advanced AI models can find other bugs in the same code base.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Black & White Path
We are the beacon of the cyber world, a stepping stone on the road to security.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.
