Bad Epoll: Anthropic's AI missed this root vulnerability

Security researcher Jaeyoung Chung has disclosed a Linux kernel flaw that gives a regular unprivileged user full control over the system. Bad Epoll, officially CVE-2026-46242, affects Linux desktops, servers, and Android. A patch is available. The case is especially notable because of a side story: an AI had already examined the affected code and missed this vulnerability.
What Bad Epoll does
The flaw is in the epoll subsystem, a core function that lets programs monitor many files and network connections at the same time. Servers, network services, and browsers use it constantly, and it cannot be turned off. Bad Epoll is a use-after-free bug: two kernel paths clean up the same internal object at the same time, one frees the memory while the other is still writing to it. That brief collision is enough to manipulate kernel memory and escalate from a normal account to root.
The catch is the timing. The window in which both paths collide is only about six machine instructions wide. Chung's exploit widens that window and keeps trying without crashing until it gains root on tested systems in about 99% of cases. Two details make the flaw more serious than typical kernel bugs: according to Chung, it can be triggered from Chrome's renderer sandbox, and it extends to Android, which most Linux flaws do not.
Why the AI missed the flaw
Both issues trace back to a single code change from 2023, in just 2,500 lines of epoll code. Anthropic's AI model Mythos found the first of the two race conditions and reported it as CVE-2026-43074. That was a real success, since race bugs like these are considered hard to detect. The model missed the second one, Bad Epoll. In the end, human researcher Jaeyoung Chung found it and built a working attack for it.
Chung gives two possible reasons for the blind spot without committing to either. The timing window is so tiny that the exact sequence is hard to imagine even when looking at the code. And after the first flaw had been patched, Bad Epoll usually no longer triggered the memory error detector KASAN, leaving the model without runtime traces. The case shows both sides of the issue: AI can find complex kernel bugs, but it can still fail on subtle race conditions.
Who is affected and what to do
Kernel versions from 6.4 onward are affected if the fix is not yet present. Older systems based on Linux 6.1 are safe, including some Android devices such as the Pixel 8, because the faulty code was added only after that branch. According to Chung, an Android exploit is still in progress. There is some reassurance on the immediate risk: so far, there is no indication of attacks in the wild, and the only working code is the proof of concept from Google's kernelCTF program. Also important: the attacker already needs local access to the device, as the flaw cannot be triggered remotely.
Users who patch manually should apply the upstream commit a6dc643c6931. Everyone else should wait for their distribution's backport and install it promptly. Since epoll cannot be disabled, there is no workaround, only the update resolves the issue.






