What Bad Epoll does and who is exposed

Bad Epoll is a use-after-free race in epoll, the standard Linux facility that lets a program watch many files and connections at once. When two eventpoll lists monitor each other and are closed at the same moment, one frees an internal object while the other is still writing to it, and that brief collision lets an unprivileged process corrupt kernel memory and climb to root. The public exploit leaks kernel memory, hijacks an indirect call, and builds a return-oriented chain to a root shell.

The exposure is broad. Any Linux system on a kernel based on version 6.4 or newer is affected until patched, which covers desktops, servers, and Android handsets such as the Pixel 10 on kernel 6.6. Kernels on the older 6.1 line are not affected, because the flaw was introduced in a 2023 change that landed in 6.4. There is no in-the-wild exploitation reported yet, but with working code on GitHub the window between publication and abuse is short, and epoll is used everywhere, so it cannot simply be switched off.

The bug an AI auditor did not catch

The sharper lesson sits in how the bug was found. Both Bad Epoll and its sibling, CVE-2026-43074, trace back to the same single 2023 edit to the epoll code. An automated code auditor caught the first of the pair earlier in 2026, and its fix landed. It did not catch Bad Epoll. That one was found the old way, by a human: Jaeyoung Chung of Seoul National University reported it to Google's kernelCTF as a zero-day submission on 6 July 2026, with an exploit reliable enough to be described as near-certain.

Read that carefully before you conclude AI has closed the kernel bug hunt. Machine review is genuinely useful and it removed one live root bug from the tree. But a single risky commit produced two exploitable flaws, the automated pass took one and left the other, and the one it left was the one that gives root. AI review raises the baseline; it does not turn patching into an optional step, and it does not mean a commit it has blessed is clean.

What to patch this week

The fix has been in the mainline kernel since 24 April, as upstream commit a6dc643c6931, but that is not the same as the fix reaching your machines. Many distributions have not yet backported it, so the real risk lives in the gap between mainline-fixed and fleet-patched. Apply your distribution's latest kernel update as soon as it ships, and on Pixel 10 and other devices on kernel 6.6 apply Google's security update when available.

Prioritise by who can log in. The danger of a local-to-root bug is highest where untrusted or many users share a host: shared hosting, continuous-integration runners, multi-tenant containers, and developer boxes where a single compromised account should not become the whole machine. Check your kernel version, treat anything on 6.4 or later as exposed until patched, and use this as a prompt to review other fixes that came out of the same 2023 epoll change.