GitHub - J-jaeyoung/bad-epoll · GitHub
/" data-turbo-transient="true" />
Skip to content
Search or jump to...
Search code, repositories, users, issues, pull requests...
-->
Search
Clear
Search syntax tips
Provide feedback
--><br>We read every piece of feedback, and take your input very seriously.
Include my email address so I can be contacted
Cancel
Submit feedback
Saved searches
Use saved searches to filter your results more quickly
-->
Name
Query
To see all available qualifiers, see our documentation.
Cancel
Create saved search
Sign in
/;ref_cta:Sign up;ref_loc:header logged out"}"<br>Sign up
Appearance settings
Resetting focus
You signed in with another tab or window. Reload to refresh your session.<br>You signed out in another tab or window. Reload to refresh your session.<br>You switched accounts on another tab or window. Reload to refresh your session.
Dismiss alert
{{ message }}
J-jaeyoung
bad-epoll
Public
Notifications<br>You must be signed in to change notification settings
Fork<br>34
Star<br>315
main
BranchesTags
Go to file
CodeOpen more actions menu
Folders and files<br>NameNameLast commit message<br>Last commit date<br>Latest commit
History<br>1 Commit<br>1 Commit
assets
assets
README.md
README.md
View all files
Repository files navigation
Bad Epoll: The bug missed by Mythos
An unprivileged process escalating to root on Google kernelCTF.
Bad Epoll (CVE-2026-46242) is a race-condition use-after-free in the Linux kernel's<br>epoll subsystem. This bug lets an unprivileged process become root, not only on Linux desktops and servers but also on Android devices.
Bad Epoll was reported and exploited by Jaeyoung Chung<br>as a 0-day submission to Google kernelCTF, which rewards a Linux kernel exploit with $71,337+.
Note<br>Anthropic's AI, Mythos, found another race bug in the same epoll code but missed Bad Epoll.
Why it is serious
A rare bug that can root Android.<br>Most Linux privilege-escalation bugs cannot root Android at all. Copy Fail and its<br>variants, for example, need modules that Android never loads. Out of the roughly 130 vulnerabilities exploited on Google's kernelCTF, only<br>about ten are candidates for rooting Android. Bad Epoll is one of them.
Bad Epoll can also be triggered from inside Chrome's renderer sandbox, which blocks<br>almost every other kernel bug. A renderer exploit could therefore chain with Bad Epoll to<br>achieve kernel code execution, the same impact Project Zero demonstrated in<br>"From Chrome renderer code exec to kernel with MSG_OOB".
No kill-switch.<br>Copy Fail and its variants can be neutralized by unloading their vulnerable modules,<br>but epoll has no such option. It is a core kernel feature that the operating system,<br>network services, and browsers all rely on. The only way to fix it is to apply the patch.
Tiny race window, but the attack is 99% reliable.<br>The bug's race window is only about six instructions wide, and a normal attempt almost never hits it. The exploit widens that window and runs a retry loop that never crashes the kernel. The result is a 99% reliable exploit, as the attack overview below describes.
The bug Mythos missed
A single commit in 2023 introduced two separate race conditions into the epoll code, only about 2,500 lines in all. Both turned out to be critical bugs that can lead to privilege escalation.
The first was found by Anthropic's Mythos<br>and reported as CVE-2026-43074.<br>That result is impressive on its own, because kernel race bugs are known to be hard to find. It showed a frontier AI model's ability to find race bugs. An independent researcher later submitted a 1-day exploit for it to kernelCTF.
The other race is Bad Epoll, which Mythos missed. Given that Mythos found the first bug<br>in this small epoll code path, it likely examined the same area with meaningful depth.<br>We cannot know exactly why it missed Bad Epoll, but two factors likely made it hard to find.
The race window is tiny. It is only about six instructions<br>wide, so the exact thread interleaving is hard to imagine even when looking at the<br>vulnerable code.
There was little runtime evidence. After CVE-2026-43074 is fixed, Bad Epoll's<br>use-after-free usually does not trigger KASAN, the kernel's main memory-error<br>detector. Without that signal, Mythos may not have had enough confidence to report it<br>as a real bug.
Bad Epoll was hard to fix, too. The maintainers' first patch did not fully fix the issue, and a correct patch landed only two months after the bug was first reported. That is a long time for a kernel that usually handles security issues with urgency.
Overall, Bad Epoll shows how difficult race conditions are at every stage. They are hard<br>to find even for a frontier model, hard to fix correctly, and, as the next section shows,<br>hard to exploit reliably. It also suggests a vulnerability research direction that<br>remains worth exploring in the presence of frontier AI models: uncovering real security<br>impact behind narrow timing conditions and weak evidence.
How the attack works
Here...