A critical Linux kernel vulnerability, dubbed Bad Epoll and tracked as CVE-2026-46242, has been disclosed. It allows unprivileged users to gain full root control over affected systems. The flaw resides in the epoll subsystem, a core component for handling I/O events, and impacts Linux desktops, servers, and Android devices.
The severity of this flaw is underscored by its potential for privilege escalation. An attacker with local access can exploit this vulnerability to execute arbitrary code with root privileges, effectively taking complete control of the system. Active exploitation is possible, given the flaw's nature, though public reports of widespread attacks have yet to emerge.
Technical details indicate the vulnerability lies in a specific stretch of kernel code related to epoll operations. Notably, this same code area was recently examined by Anthropic's AI model, Mythos, which identified one bug but did not catch this particular flaw. The attack vector is local, requiring the attacker to have a user account on the target machine, but no special permissions are needed.
A patch for Bad Epoll has already been released as part of recent Linux kernel updates. System administrators and Android device manufacturers are advised to apply the fix immediately. No known workarounds exist; full patching is the only reliable mitigation. Users should ensure their kernels are updated to the latest stable version.
The discovery highlights ongoing challenges in kernel security auditing, even with AI-assisted code review. While Anthropic's Mythos found one vulnerability in the same code, the Bad Epoll bug underscores that automated tools are not yet foolproof. The broader threat landscape for Linux remains active, with privilege escalation vulnerabilities frequently targeted by both cybercriminals and state-sponsored actors.