A newly disclosed Linux kernel flaw called Bad Epoll (CVE-2026-46242) lets any unprivileged user gain root access on desktops, servers, and Android. A fix is available, so update now.
A newly disclosed Linux kernel flaw called Bad Epoll (CVE-2026-46242) lets an ordinary user with no special access take full control of a machine as root. It affects Linux desktops, servers, and Android, and a fix is out.
Bad Epoll sits in the same small stretch of kernel code where Anthropic's most powerful AI model, Mythos, recently found a different bug. The AI caught one flaw and missed another. That’s a reminder that even the smartest machines don’t catch everything.
### What Is Bad Epoll and Why Should You Care?
Bad Epoll is a vulnerability in the Linux kernel’s epoll interface, the set of system calls a program uses to watch many file descriptors at once for I/O readiness, as a web server does when it handles thousands of connections. The flaw lets an attacker with no special privileges escalate to root access. That means they can take over your entire machine.
Think of it like a lock on your front door that looks secure but has a hidden flaw. Anyone who knows the trick can just walk in. For Linux users, that’s a big deal. It affects everything from your home desktop to massive cloud servers and even Android phones.
The fix is already available, so updating your kernel is critical. If you’re running a Linux-based system, don’t wait. Apply the patch now.
### How Does the Attack Work?
The exploit targets the epoll subsystem in the kernel. It uses a race condition to gain elevated privileges. A race condition happens when two threads of execution access the same resource at the same time and the code does not synchronize them properly, so the outcome depends on timing. This flaw lets an attacker manipulate that timing to break out of user restrictions.
Here’s a simple breakdown:
- The attacker runs a normal program on the target machine.
- That program uses epoll in a specific way to trigger the race condition.
- Once triggered, the attacker can execute code with root privileges.
- From there, they can install malware, steal data, or take full control.
This is especially dangerous on Android because many devices don’t get timely security updates. If you’re using an older Android phone, you might be vulnerable for a long time.
### Who Is Affected?
Almost everyone running Linux is at risk. That includes:
- Desktop users on Ubuntu, Fedora, Debian, and other distributions.
- Server administrators running Linux-based web servers, databases, or cloud instances.
- Android users, since Android uses a modified Linux kernel.
If you’re not sure whether your system is affected, check your kernel version. The flaw was introduced in kernel version 5.10 and fixed in version 6.8. Any system running a kernel between those versions is vulnerable unless a backported patch has been applied.
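To apply that version range to more than one machine, the following added example (not from the original article or the kernel project) classifies kernel release strings against the 5.10 to 6.8 range stated here. The function names and the sample inventory are constructed for illustration, and an in-range result means only that the vendor advisory or backport status still needs checking.

```sh
#!/bin/sh
# Added example: range taken from the article (introduced 5.10, fixed 6.8).
# Function names are hypothetical; the inventory below is constructed.

# Classify a kernel release string such as "5.15.0-91-generic":
#   in-range      5.10 <= version < 6.8, confirm the fix or a backport
#   out-of-range  older than 5.10, or 6.8 and later
#   unknown       does not start with MAJOR.MINOR
classify_kernel() (
    case $1 in
        [0-9]*.[0-9]*) ;;
        *) echo unknown; exit 0 ;;
    esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}      # digits up to the next separator
    case "$major:$minor" in
        *[!0-9:]*|:*|*:) echo unknown; exit 0 ;;
    esac
    v=$(( $major * 1000 + $minor ))
    if [ "$v" -ge 5010 ] && [ "$v" -lt 6008 ]; then
        echo in-range
    else
        echo out-of-range
    fi
)

# Read "host release" pairs on stdin; print only hosts needing follow-up.
triage_inventory() (
    while read -r host rel; do
        case $host in ''|'#'*) continue ;; esac
        case $(classify_kernel "$rel") in
            in-range) echo "$host $rel CHECK-ADVISORY" ;;
            unknown)  echo "$host $rel UNPARSED" ;;
        esac
    done
)

# Constructed sample inventory (hostnames and releases are made up).
sample_inventory() {
    cat <<'EOF'
web01 5.15.0-91-generic
db01 6.8.0-31-generic
old01 4.19.0-25-amd64
phone01 5.10.198-android13-4
edge01 custom-build
EOF
}

echo "this host: $(uname -r) -> $(classify_kernel "$(uname -r)")"
sample_inventory | triage_inventory
```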
### What Can You Do About It?
First, update your kernel. Most major distributions have already released patches. Run your package manager and install the latest updates. For Ubuntu, that’s `sudo apt update && sudo apt upgrade`. For Fedora, it’s `sudo dnf upgrade`. On Android, check for system updates in your settings. A newly installed kernel only takes effect once the machine boots into it, so reboot after updating.
Second, if you’re a developer or sysadmin, review your security practices. This flaw highlights how even well-tested code can hide serious bugs. Consider using tools like kernel live patching to apply critical fixes without rebooting.
Third, be cautious about running untrusted code on your system. While the exploit requires local access, many attacks start with a user downloading a malicious file or visiting a compromised website.
### The Bigger Picture: AI vs. Human Security
It’s interesting that Anthropic’s AI found one bug in the same code area but missed this one. That shows both the promise and limitations of AI in cybersecurity. AI can scan millions of lines of code quickly, but it still misses subtle flaws that humans might catch. The best approach is a combination of both.
For now, the immediate priority is patching. Don’t assume you’re safe just because you’re using Linux. Take action today.