Bad Epoll: The bug missed by Mythos
I am excited to introduce Bad Epoll (CVE-2026-46242), a Linux kernel vulnerability that I reported and exploited as a 0-day submission to Google kernelCTF. Bad Epoll is a race-condition use-after-free in the Linux kernel's epoll subsystem. This bug lets an unprivileged process become root, not only on Linux desktops and servers but also on Android devices.
Anthropic's Mythos found another race bug in the same epoll code, but missed Bad Epoll.
For more details, see badepoll.com.

Questions or feedback? Contact me at jjy600901@snu.ac.kr.
