Anthropic's Mythos AI Missed 'Bad Epoll' — a 99%-Reliable Linux Root Exploit Hiding in Code It Already Reviewed

Anthropic's Project Glasswing found one race condition in the Linux kernel's epoll subsystem — but missed its sibling, now public as CVE-2026-46242 with a working exploit that succeeds 99% of the time against kernels v6.4 and later.

A Linux kernel race condition disclosed July 3, 2026 lets any unprivileged local user escalate to root with 99% reliability — and epoll, the subsystem where it hides, cannot be disabled without breaking the operating system.

The vulnerability, CVE-2026-46242, lives in ep_remove(), the cleanup function for Linux's core I/O event notification mechanism. When two epoll file descriptors are configured to watch each other and both are closed nearly simultaneously, a use-after-free opens a path to arbitrary kernel writes. Researcher Jaeyoung Chung's exploit chains an eight-byte UAF into a full file-object corruption, then hijacks control flow through a ROP chain — landing root on kernelCTF targets 99 times out of 100.

What makes Bad Epoll different from the flood of 2026 kernel bugs is the AI subplot. The same 2,500-line epoll code path was previously examined by Anthropic's Mythos model under Project Glasswing. Mythos found CVE-2026-43074 — a sibling race condition in the same code — and it was patched in April. But the patch silenced the KASAN runtime detector that might have flagged Bad Epoll, and Mythos never found the second bug. The race window is only six instructions wide, and reasoning about concurrent execution paths remains a hard problem for both human auditors and frontier AI.

Android is in scope. Devices running kernel v6.6 or later — including the Pixel 10 — are vulnerable. Chung's team confirmed proof-of-concept memory corruption on the Pixel 10, with a full root exploit under development. Bad Epoll can also be triggered from inside Chrome's renderer sandbox, a path that blocks nearly all other kernel exploits.

The patch (commit a6dc643c6931) has been in mainline since April 24 but sat unannounced for 70 days before the public writeup dropped. Many distributions have not yet shipped backports. There is no workaround — epoll is fundamental to every network service, browser, and Android application. Hardening with KASLR and SELinux buys time; only the patch closes the hole.
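
For defenders working through a fleet, the following added example (not from the article or its sources) sorts `uname -r` strings by the affected range stated above. It assumes only the "v6.4 and later" bound and the fix commit named in this article; the hostnames and release strings are constructed, and a version number alone cannot prove a backport is present.

```python
import re

# Lower bound of the affected range as stated in the article (v6.4 and later).
AFFECTED_FROM = (6, 4)
FIX_COMMIT = "a6dc643c6931"  # mainline fix commit named in the article

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")

def parse_release(release):
    """Return (major, minor, patch) from a `uname -r` string, or None."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def triage(release):
    """Classify one kernel release string for CVE-2026-46242 follow-up."""
    ver = parse_release(release)
    if ver is None:
        return "unparsed"          # needs a manual look, never assume safe
    if ver[:2] < AFFECTED_FROM:
        return "below-range"       # older than the range the article gives
    # Distributions backport fixes without changing the base version, so an
    # in-range kernel must be checked against the vendor changelog/advisory.
    return "verify-backport"

def triage_inventory(inventory):
    """Map {host: release} to {status: [hosts]}, hosts in sorted order."""
    report = {}
    for host, release in sorted(inventory.items()):
        report.setdefault(triage(release), []).append(host)
    return report

# Constructed sample inventory (hostnames and release strings are made up).
SAMPLE = {
    "web-01": "6.8.0-45-generic",
    "db-01": "5.15.0-101-generic",
    "build-02": "6.4.0",
    "pixel-lab": "6.6.30-android15-8-gdeadbeef",
    "legacy": "custom-kernel",
    "edge-03": "6.3.13-200.fc38.x86_64",
}

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
    print(f"For verify-backport hosts, look for {FIX_COMMIT} in the vendor changelog.")
```
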

The broader context is stark. As of late May 2026, Project Glasswing had disclosed 1,596 vulnerabilities across 281 open-source projects — and only 97 had been patched. Bad Epoll is a bug that made it through the pipeline. The 1,499 others are still waiting.

Sources: TechTimes; Bad Epoll Exploit (GitHub)

Content on Anagnorisis is summarized, paraphrased, and editorialized from publicly available sources for length and clarity. Original sources are linked where available. All trademarks belong to their respective owners.
