A critical privilege escalation vulnerability tracked as CVE-2026-46242, dubbed "Bad Epoll," allows unprivileged local users to gain root access on Linux systems. The flaw affects Linux desktops, servers, and Android devices across multiple distributions and kernel versions.
The vulnerability exists in the Linux kernel's epoll subsystem, a core mechanism handling asynchronous I/O event notification. An attacker with local access to a vulnerable system can exploit the flaw to execute arbitrary code with root privileges, bypassing all standard access controls. The attack requires no special permissions or user interaction.
Bad Epoll poses significant risk to enterprise environments running vulnerable Linux servers and to Android users on affected devices. Attackers exploiting this flaw gain unrestricted system control, enabling persistent malware installation, data theft, lateral movement across networks, and complete system compromise. The vulnerability affects a wider range of kernel versions and distributions than initially determined.
The flaw was discovered through machine learning analysis by Anthropic's Mythos AI model, which identified it within the same kernel code section where the AI previously detected a separate vulnerability. This finding underscores both the effectiveness of AI-assisted vulnerability discovery and the density of exploitable bugs in complex kernel subsystems like epoll.
Linux distributions and maintainers have released patched kernel versions addressing CVE-2026-46242. System administrators should prioritize applying these updates immediately. Android device manufacturers must release security patches through their regular update channels, though deployment timelines vary by vendor and device model.
Users unable to update immediately should restrict local system access to trusted accounts and monitor for suspicious privilege escalation attempts. Organizations should identify systems running vulnerable kernel versions and schedule patching within their standard maintenance windows, treating this as a high-priority update given the severity and ease of exploitation.
The discovery highlights the continued importance of rigorous kernel security review, particularly around fundamental I