Bad Epoll: the Linux kernel root flaw that an AI model missed
A race-condition use-after-free in the Linux kernel's epoll subsystem was patched quietly on April 24, 2026. It sat unannounced in the kernel mainline for 70 days before researcher Jaeyoung Chung published a detailed write-up in early July 2026, revealing that the bug allows any unprivileged user to escalate to root with a reported 99% success rate. The vulnerability, CVE-2026-46242, affects Linux kernel 6.4 and later, including desktops, servers, and Android devices running affected kernel versions.
The name Bad Epoll comes from the subsystem at the center of the flaw: epoll, the Linux I/O event notification interface used heavily in high-performance server software. The bug is a classic race condition: two kernel code paths try to clean up the same internal object simultaneously, with one freeing memory while the other is still writing into it. The result is a use-after-free that an attacker can exploit to corrupt kernel memory and gain root access.
The 70-day silence window
Bad Epoll was introduced by a 2023 kernel commit and fixed in April 2026. The fix was not announced, not documented as a security patch, and was not accompanied by a CVE assignment at merge time. It sat in the mainline tree as a routine code change for 70 days. During those 70 days the patch was not backported to most Linux distributions. When Chung published the write-up and proof of concept, distribution maintainers were still catching up. As of July 5, Ubuntu 24.04 LTS has shipped a backport. Debian bookworm and RHEL 9 have not yet.
This silent-patch dynamic is well-documented as a recurring problem in kernel security. Changes that fix security flaws without CVE assignment or security disclosure slow the distribution patch cycle significantly. The 70-day gap between mainline fix and public write-up represents a substantial window of exposure for any system running a kernel version between the 2023 introduction and the April 2026 fix, on a distribution that had not independently backported the change.
The AI auditing angle
Bad Epoll sits in the same kernel code region where Anthropic's Mythos AI model recently found a separate vulnerability. Mythos identified one bug in the epoll subsystem; Chung found a different one in the same code path. This is a concrete, documented case of AI-assisted vulnerability research covering some but not all bugs in a given code region.
The implication is symmetrical. AI models can surface bugs at scale in well-scoped code regions, lowering the cost of systematic auditing. But coverage is not comprehensive, even in regions the model has already examined. For defenders, this means AI-assisted code auditing is a meaningful capability uplift but not a substitute for human researcher review. For attackers, it means there are residual bugs in AI-audited regions that may look clean but are not.
Patch status and what to check
- Check your kernel version. Bad Epoll affects Linux 6.4 and later kernels that have not applied the April 24, 2026 fix or a distribution backport.
- Ubuntu 24.04 LTS: the patch is available via the standard security update channel. Apply it now.
- Debian bookworm and RHEL 9: backports are pending as of July 5. Monitor your vendor's security advisory feed.
- Android: devices running kernels derived from 6.4+ are in scope. Vendor patches will follow the Android Security Bulletin cycle.
- Local privilege escalation requires initial access first. Prioritize patching on systems where untrusted code may execute: shared compute, container hosts, and developer workstations.
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you are working through kernel patch prioritization or need help assessing exposure across a large Linux fleet.