Bad Epoll is a Linux kernel bug that lets an ordinary app or user grab full root access on affected devices, no permission prompts needed. It’s tracked as CVE-2026-46242, it hits Android phones running kernel 6.6 and newer, and a working exploit is already public. If you’re on a Pixel 8 or older, you can relax a little. Everyone else should go check for updates before finishing this article.
I’ve spent the last day going through the disclosure writeups, the patch history, and the Android security bulletins to figure out what actually matters if you’re not a kernel engineer. Here’s the plain-English version.
What Is the Bad Epoll Vulnerability?
Bad Epoll is a use-after-free bug in the Linux kernel’s epoll subsystem — the part of the kernel that lets programs watch several file descriptors at once. It lives inside a function called ep_remove(), and it lets a regular, unprivileged local user escalate to root.
Security researcher Jaeyoung Chung found the flaw, and it earned the CVE-2026-46242 identifier once it went public. What makes it nasty isn’t just the privilege escalation. It’s where the bug sits.
Why Can’t Android Just Turn Epoll Off?
Short answer: it can’t. Epoll is a core part of the kernel that can’t be disabled or unloaded the way an optional module can. Most root exploits on Android target something you could theoretically strip out or sandbox harder. Bad Epoll doesn’t give you that option. Out of roughly 130 vulnerabilities ever exploited on Google’s kernelCTF program, only about ten are realistic candidates for rooting an Android device — and this is now one of them.
There’s also a browser angle worth knowing about. The bug is reachable from inside Chrome’s renderer sandbox, which means in theory someone could chain a browser exploit with Bad Epoll to go from “you opened a bad webpage” to full kernel-level control. That chain hasn’t been demonstrated publicly as a complete attack yet, but the building blocks exist.
How Bad Is the Exploit, Really?
This is the part that surprised me most. The actual timing window an attacker has to hit is tiny — only about six CPU instructions wide. On paper that should make it hard to pull off reliably. In practice, Chung’s exploit widens that window and retries on failure, and it reportedly lands root roughly 99% of the time on tested targets. A narrow race window used to mean “low real-world risk.” That math doesn’t hold anymore.
Which Android Devices Are Affected?
This is the question that actually matters if you’re reading this on your phone. Here’s the breakdown:
| Kernel version | Android example | Affected? |
|---|---|---|
| Linux 6.1-based | Pixel 8 and earlier Pixel models | No — predates the bug |
| Linux 6.4 and later | Most recent flagship Android kernels | Yes |
| Linux 6.6-series and newer | Current Pixel hardware, including Pixel 10 | Yes, confirmed |
Devices running 6.6-series kernels and newer are confirmed vulnerable, including current Pixel hardware, while older 6.1-based kernels, such as those on the Pixel 8, predate the 2023 commit that introduced the bug and aren’t affected. As of the most recent public reporting, a proof-of-concept that triggers the underlying memory corruption on the Pixel 10 exists, though a full working root exploit for that device was still in development at the time of writing. That could change any day, so treat “not fully exploited yet” as a head start, not a pass.
If you’re on a Samsung, OnePlus, or other Android device, the deciding factor is your kernel version, not the brand. Check your device’s build number in Settings, or wait for your manufacturer’s security bulletin — most flagships released in the last two years are running 6.4 or newer.
Where Did This Bug Come From?
The origin story is almost funnier than the bug itself. A single kernel commit from April 2023 quietly introduced two separate race conditions into roughly 2,500 lines of epoll code. One of those two bugs, tracked separately as CVE-2026-43074, was found and fixed earlier this year.
Here’s the part with an AI twist. CVE-2026-43074, the first of the two bugs, was actually discovered by Anthropic’s AI model Mythos, which is a genuinely notable data point for how far automated code auditing has come. But Bad Epoll was the second, harder-to-spot flaw that Mythos missed — likely because of its narrow timing window and because it rarely triggers KASAN, the kernel’s main memory-error detector, leaving little runtime evidence behind. AI found one bug in that code. A human found the one AI walked past. That’s a more honest picture of where AI-assisted security research actually stands than most headlines gave it credit for.
How Long Did It Take to Fix?
Slower than you’d hope from a project with this much security scrutiny. Kernel maintainers pushed a patch that addressed only the related CVE-2026-43074 bug, and it merged on April 2 without closing the second race. Chung re-reported the remaining flaw on April 22, and the correct fix landed two days later as upstream commit a6dc643c6931. Add it up and a correct fix took 66 days from Chung’s initial report to land in mainline — a long stretch for a bug this serious, and long enough that a public proof-of-concept existed for most of it.
What Should You Actually Do About It?
For everyday Android users, this comes down to one boring, effective action: install your security updates. There’s no setting to toggle and no app to uninstall, because epoll isn’t optional.
- Go to Settings → System → System Update (path varies slightly by manufacturer) and install anything pending.
- Check your security patch level against the latest Android Security Bulletin for your device.
- If you manage a fleet of Android devices for a business, push the update through your MDM rather than waiting on individual users to do it.
- If you run Linux servers or workstations, patch to a kernel that includes commit a6dc643c6931, or wait for your distro’s backport and apply it the day it lands.
There’s no workaround that disables the vulnerable code path. Patching is genuinely the only fix.
The Bottom Line
Bad Epoll is a good reminder that “AI-audited” doesn’t mean “AI-cleared.” Anthropic’s Mythos caught one serious kernel bug in this code. A human researcher caught the one it left behind, and it turned out to be the more dangerous of the two. For Android users specifically, the fix is unglamorous — update your phone — but the stakes are real, since this is one of the small handful of bugs that can actually root a modern Android device from the inside.
FAQ SECTION
Q1: What is the Bad Epoll vulnerability? A1: Bad Epoll is a Linux kernel use-after-free bug, tracked as CVE-2026-46242, that lets an unprivileged local user gain root access. It sits inside the kernel’s epoll subsystem and affects Linux servers, desktops, and Android devices running kernel 6.4 or later.
Q2: Is my Pixel phone affected by Bad Epoll? A2: It depends on your kernel version. Pixel 8 and earlier devices run 6.1-based kernels and predate the bug, so they’re not affected. Current Pixel hardware, including the Pixel 10, runs 6.6-series kernels and is confirmed vulnerable.
Q3: Can Bad Epoll be exploited remotely? A3: No, it requires local code execution first, meaning an attacker needs a malicious app or process already running on the device. It’s not a remote, zero-click attack on its own, though it could theoretically be chained with a browser exploit.
Q4: How do I know if my Android device has the patch? A4: Check your device’s security patch level in Settings and compare it against your manufacturer’s most recent security bulletin. Since epoll can’t be disabled, the update is the only fix.
Q5: Why did Anthropic’s AI model miss this bug? A5: Mythos found a related bug, CVE-2026-43074, in the same code but missed Bad Epoll, likely because its exploit window is extremely narrow and it rarely triggers the kernel’s standard memory-error detector, leaving little evidence for automated tools to catch.
Q6: Is there a workaround if I can’t update right away? A6: Not really. Epoll is a core kernel component used across Android and Linux, so it can’t be disabled without breaking basic OS functionality. The only real fix is applying the patch.