New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android
A critical Linux kernel vulnerability named "Bad Epoll" (CVE-2026-46242) allows unprivileged users to gain root access via a use-after-free race condition in the epoll subsystem. The exploit achieves a 99% success rate by widening a microscopic six-instruction timing window, affecting Linux desktops, servers, and Android devices running kernel 6.4 or newer. Unlike previous AI-discovered bugs, this flaw was identified by human researcher Jaeyoung Chung, highlighting the current limitations of AI
Analysis
TL;DR
- A critical Linux kernel vulnerability named "Bad Epoll" (CVE-2026-46242) allows unprivileged users to gain root access via a use-after-free race condition in the epoll subsystem.
- The exploit achieves a 99% success rate by widening a microscopic six-instruction timing window, affecting Linux desktops, servers, and Android devices running kernel 6.4 or newer.
- Unlike previous AI-discovered bugs, this flaw was identified by human researcher Jaeyoung Chung, highlighting the current limitations of AI models like Anthropic's Mythos in detecting complex race conditions.
- The vulnerability exists within Chrome’s renderer sandbox and impacts Android, posing significant risks to mobile security and containerized environments.
- A fix has been released via upstream commit a6dc643c6931, but no immediate workaround exists as the epoll subsystem cannot be disabled.
Why It Matters
This discovery underscores the persistent difficulty of identifying race-condition vulnerabilities, even for advanced AI systems, proving that human intuition remains crucial for complex kernel security auditing. For security practitioners and system administrators, the impact is severe as it bypasses major isolation mechanisms like Chrome’s sandbox and affects widely deployed Android devices, necessitating immediate patching of Linux kernels 6.4 and above.
Technical Details
- Vulnerability Type: Use-after-free race condition in the Linux kernel's
epollimplementation, specifically triggered by concurrent cleanup operations on internal objects. - Exploit Mechanism: The attacker exploits a narrow six-instruction timing window; the PoC widens this window and retries without crashing, achieving root privileges approximately 99% of the time.
- Affected Systems: Linux kernels version 6.4 and newer, including Android devices (though older 6.1-based kernels like those on Pixel 8 are unaffected).
- Security Context: The bug can be triggered from within Chrome’s renderer sandbox, a boundary typically resistant to kernel exploits, and impacts both desktop/server Linux and mobile Android ecosystems.
- Remediation: Application of upstream commit a6dc643c6931 or distribution-specific backports; no functional workaround exists due to the essential nature of the epoll subsystem.
Industry Insight
- AI-Human Collaboration: The fact that an AI model found a related bug but missed this sibling flaw suggests that AI tools should be viewed as complementary to human auditors rather than replacements, particularly for temporal and race-based vulnerabilities.
- Mobile Security Posture: The ability to escape Chrome’s sandbox and escalate privileges on Android highlights the need for rigorous kernel-level validation in mobile operating systems, especially given the prevalence of epoll in network-heavy applications.
- Patch Velocity: With a fix taking two months to stabilize after the initial patch failed, organizations must prioritize rapid deployment of kernel updates to mitigate exposure to high-severity privilege escalation flaws.
Disclaimer: The above content is generated by AI and is for reference only.