AI Security AI安全 7d ago Updated 6d ago 更新于 6天前 49

New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android 新的“Bad Epoll”Linux内核漏洞允许非特权用户获取Root权限,影响Android

A critical Linux kernel vulnerability named "Bad Epoll" (CVE-2026-46242) allows unprivileged users to gain root access via a use-after-free race condition in the epoll subsystem. The exploit achieves a 99% success rate by widening a microscopic six-instruction timing window, affecting Linux desktops, servers, and Android devices running kernel 6.4 or newer. Unlike previous AI-discovered bugs, this flaw was identified by human researcher Jaeyoung Chung, highlighting the current limitations of AI 新披露的Linux内核漏洞“Bad Epoll”(CVE-2026-46242)允许未授权用户通过竞态条件获取Root权限,影响Linux桌面、服务器及Android系统。 该漏洞位于Anthropic AI模型Mythos曾修复的另一处代码区域,但AI未能发现此特定竞态条件,凸显了复杂时序bug的检测难度。 利用窗口极窄(仅约6条机器指令),研究者Jaeyoung Chung通过扩大窗口和重试机制实现了99%的成功率,且可从Chrome沙箱内触发。 补丁已发布(上游commit a6dc643c6931),受影响内核版本为6.4及以上,旧版如6.1(部分Pixel 8)不受影响,无临时规避方

75
Hot 热度
65
Quality 质量
70
Impact 影响力

Analysis 深度分析

TL;DR

  • A critical Linux kernel vulnerability named "Bad Epoll" (CVE-2026-46242) allows unprivileged users to gain root access via a use-after-free race condition in the epoll subsystem.
  • The exploit achieves a 99% success rate by widening a microscopic six-instruction timing window, affecting Linux desktops, servers, and Android devices running kernel 6.4 or newer.
  • Unlike previous AI-discovered bugs, this flaw was identified by human researcher Jaeyoung Chung, highlighting the current limitations of AI models like Anthropic's Mythos in detecting complex race conditions.
  • The vulnerability exists within Chrome’s renderer sandbox and impacts Android, posing significant risks to mobile security and containerized environments.
  • A fix has been released via upstream commit a6dc643c6931, but no immediate workaround exists as the epoll subsystem cannot be disabled.

Why It Matters

This discovery underscores the persistent difficulty of identifying race-condition vulnerabilities, even for advanced AI systems, proving that human intuition remains crucial for complex kernel security auditing. For security practitioners and system administrators, the impact is severe as it bypasses major isolation mechanisms like Chrome’s sandbox and affects widely deployed Android devices, necessitating immediate patching of Linux kernels 6.4 and above.

Technical Details

  • Vulnerability Type: Use-after-free race condition in the Linux kernel's epoll implementation, specifically triggered by concurrent cleanup operations on internal objects.
  • Exploit Mechanism: The attacker exploits a narrow six-instruction timing window; the PoC widens this window and retries without crashing, achieving root privileges approximately 99% of the time.
  • Affected Systems: Linux kernels version 6.4 and newer, including Android devices (though older 6.1-based kernels like those on Pixel 8 are unaffected).
  • Security Context: The bug can be triggered from within Chrome’s renderer sandbox, a boundary typically resistant to kernel exploits, and impacts both desktop/server Linux and mobile Android ecosystems.
  • Remediation: Application of upstream commit a6dc643c6931 or distribution-specific backports; no functional workaround exists due to the essential nature of the epoll subsystem.

Industry Insight

  • AI-Human Collaboration: The fact that an AI model found a related bug but missed this sibling flaw suggests that AI tools should be viewed as complementary to human auditors rather than replacements, particularly for temporal and race-based vulnerabilities.
  • Mobile Security Posture: The ability to escape Chrome’s sandbox and escalate privileges on Android highlights the need for rigorous kernel-level validation in mobile operating systems, especially given the prevalence of epoll in network-heavy applications.
  • Patch Velocity: With a fix taking two months to stabilize after the initial patch failed, organizations must prioritize rapid deployment of kernel updates to mitigate exposure to high-severity privilege escalation flaws.

TL;DR

  • 新披露的Linux内核漏洞“Bad Epoll”(CVE-2026-46242)允许未授权用户通过竞态条件获取Root权限,影响Linux桌面、服务器及Android系统。
  • 该漏洞位于Anthropic AI模型Mythos曾修复的另一处代码区域,但AI未能发现此特定竞态条件,凸显了复杂时序bug的检测难度。
  • 利用窗口极窄(仅约6条机器指令),研究者Jaeyoung Chung通过扩大窗口和重试机制实现了99%的成功率,且可从Chrome沙箱内触发。
  • 补丁已发布(上游commit a6dc643c6931),受影响内核版本为6.4及以上,旧版如6.1(部分Pixel 8)不受影响,无临时规避方案。

为什么值得看

本文揭示了当前AI辅助安全研究的局限性,即在处理高度依赖精确时序的竞态条件漏洞时,人类研究员仍优于最先进的AI模型。同时,它强调了Linux内核中epoll模块作为攻击面的高风险性,特别是其可绕过Chrome沙箱并波及Android生态的能力,对操作系统安全和AI在网络安全中的应用边界具有重要参考价值。

技术解析

  • 漏洞原理:Bad Epoll是一个典型的“释放后使用”(Use-After-Free)竞态条件漏洞。内核中两个并发部分试图清理同一内部对象,当一个释放内存而另一个仍在写入时,导致内核内存损坏,从而实现提权。
  • 利用难点与突破:竞态窗口极小(约6条指令),随机尝试几乎无效。研究者通过构造特定的执行路径扩大窗口并实施重试策略,在不崩溃系统的前提下稳定获取Root权限。
  • 影响范围与特殊性:不同于大多数Linux提权漏洞,Bad Epoll可从Chrome渲染器沙箱内部触发,且能影响Android系统,这使其比传统的本地提权漏洞更具威胁性。
  • 修复与版本:根本原因追溯至2023年对epoll代码的一次更改。修复需应用上游commit a6dc643c6931。内核版本6.4及以上受影响,6.1及以下(包括部分Pixel 8设备)不受影响。

行业启示

  • AI在安全领域的边界:尽管AI在发现确定性逻辑错误方面表现优异,但在处理需要极高时序敏感性的复杂竞态条件时仍存在盲区,人机协作仍是安全研究的最优解。
  • 内核攻击面的持续演变:随着Chrome沙箱等防护措施的加强,攻击者转向内核深层机制(如epoll)。开发者需关注那些难以关闭且广泛使用的核心子系统,它们可能成为新的突破口。
  • 补丁管理的紧迫性:由于epoll无法禁用,且该漏洞可利用性较高,系统管理员应尽快验证并应用内核更新,特别是针对运行在6.4以上版本的Linux服务器和Android设备。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全 Open Source 开源 Research 科学研究