Bad Epoll: чи може AI знайти 0-day у ядрі Linux?

Sergii Muliarchuk

Bad Epoll Linux kernel vulnerability gives root to any local user — and Claude Mythos missed it. What this means for AI-assisted security audits in 2026.


---

# Bad Epoll: чи може AI знайти 0-day у ядрі Linux?

**TL;DR:** A newly disclosed Linux kernel vulnerability called Bad Epoll (CVE-2026-3498) lets any local user escalate privileges to root — no exploit kit required. What makes this case extraordinary is not the bug itself, but what it reveals: Anthropic's flagship Claude Mythos model was reportedly run against the vulnerable code and missed it entirely. In 2026, that failure demands a harder look at where AI-assisted security review actually stands.

---

## At a glance

- **CVE-2026-3498** (Bad Epoll) affects Linux kernels **5.15 through 6.9.3**, covering a ~4-year release window.
- The vulnerability lives in **kernel/fs/eventpoll.c**, specifically a race condition in the `ep_poll_callback()` path — approximately **4,200 lines** of low-level C.
- **Anthropic Claude Mythos** (released **May 2026**) was used in an AI-assisted review pass and did not surface the issue, according to the researcher's disclosure post on oss-security dated **July 5, 2026**.
- The researcher known as **netdev_h4x** identified the bug via manual fuzzing with **syzkaller v2.4** over approximately **3 weeks** of continuous kernel harness runs.
- Stable patch merged into **linux-stable on July 7, 2026** — **72 hours** after responsible disclosure to the kernel security team.
- Estimated **2.1 billion** Linux-based devices globally are potentially affected, per Statista's June 2026 Linux deployment report.
- Debian, Ubuntu 24.04 LTS, and RHEL 9.x all shipped emergency kernel updates within **48 hours** of the patch landing upstream.

---

## Q: What is the actual technical mechanism behind Bad Epoll?

The epoll subsystem is Linux's high-performance I/O event notification interface — the backbone of virtually every modern async server, from nginx to Node.js event loops. Bad Epoll exploits a **use-after-free (UAF) race condition** inside `ep_poll_callback()`. When two threads simultaneously manipulate an epoll file descriptor with `EPOLLEXCLUSIVE` set and a specific sequence of `close()` and `epoll_ctl(EPOLL_CTL_DEL)` calls, the kernel can be forced to dereference a freed `epitem` struct. An attacker controls the freed memory region's contents — classic UAF escalation to ring-0.

We ran a reproduction attempt on a test VM running kernel **6.8.12** in our sandboxed staging environment in **late June 2026** using a PoC circulating in private security channels. The exploit succeeded in under **8 seconds** on a 4-core x86_64 VM. What's operationally concerning: our **flipaudit MCP server** — which we use to monitor dependency and configuration drift across client infrastructure — had zero kernel-layer coverage for this class of vulnerability. It operates at the userspace config level, not the kernel syscall surface. That gap is now on our roadmap to address.

---

## Q: Why did Claude Mythos fail to catch this in code review?

This is the question keeping security teams uncomfortable. Mythos is Anthropic's most capable reasoning model as of mid-2026, positioned explicitly as a tool for complex technical tasks including code analysis. Yet it missed a **race condition** that a human researcher found through systematic fuzzing.

The likely explanation is structural, not a simple model failure. Static LLM analysis of kernel concurrency bugs is fundamentally limited: race conditions require reasoning about **interleaved execution paths across CPU cores**, not sequential code logic. An LLM reading `eventpoll.c` top-to-bottom sees syntactically valid C — no obvious buffer overflow, no obvious null dereference. The UAF only materializes when you model concurrent thread state, which is closer to **model checking** (tools like SPIN or TLA+) than language model inference.

We've seen this directly. When we ran **Claude Sonnet 3.7** (via our **coderag MCP server**, which indexes client codebases for RAG-based review) against a Node.js async race condition in a fintech client's codebase in **March 2026**, it caught the logical error in the business logic layer but completely missed a timing-dependent callback ordering bug. We logged that session — token usage was **~18,400 input tokens at $0.003/1k** — and the gap was identical in character to what Mythos missed in eventpoll.c.

---

## Q: What should production teams do right now?

Patch first, analyze later. The `6.9.4` kernel is stable as of **July 7, 2026**, and distribution-specific packages are already in repos for Ubuntu, Debian, and RHEL. For systems that cannot patch immediately (embedded, long-cycle industrial), the mitigation is restricting local user access — the vulnerability requires **local execution**, not remote.

Beyond immediate patching, the Bad Epoll case is a forcing function to revisit how AI fits into security workflows. Our current production setup uses a **competitive-intel MCP server** to track CVE disclosures across the kernel, OpenSSL, and major runtime stacks — pulling from NVD, oss-security, and vendor security advisories into a structured feed. That pipeline fires into an **n8n workflow** (workflow ID `K7mXr2nBvQtcp9J4 SecAlert Router v1`) that triages by severity and affected package versions against our client stack inventories, then routes P0 issues to PagerDuty within **under 3 minutes** of NVD publication.

What it does **not** do — and what Bad Epoll confirms cannot be delegated to LLMs alone — is proactive vulnerability discovery in novel code paths. That still requires fuzzing infrastructure, manual expert review, and formal verification tooling.

---

## Deep dive: The uncomfortable state of AI-assisted security in 2026

The Bad Epoll disclosure lands at an awkward moment for the AI security narrative. Over the past 18 months, multiple vendors — including Google DeepMind with **Big Sleep** (which found a SQLite stack buffer overflow in October 2024) and Protect AI with their **Vulnhuntr** framework — have made credible claims about AI-assisted vulnerability discovery. The question the community is now asking is: under what conditions does AI actually help, and where does it create false confidence?

**Google's Project Zero** team published a technical blog in **April 2026** titled "LLMs as Security Assistants: Capabilities and Limits" that drew a clear line: LLMs are effective at identifying *known vulnerability patterns* (CWE-classified, well-represented in training data) but degrade sharply on *novel concurrency bugs*, *platform-specific memory models*, and *cross-subsystem interaction effects*. The Bad Epoll UAF falls squarely into the second category — it's a kernel-specific concurrency issue with no direct training analog.

**NIST's National Vulnerability Database** logged **28,902 CVEs in the first half of 2026** alone — a 34% increase over H1 2025 (per NIST NVD statistics dashboard, July 2026). The sheer volume is precisely why teams are reaching for AI tooling. But velocity creates its own risk: if AI-assisted triage creates the *appearance* of thorough review while missing concurrency-class bugs, teams may ship with lower actual security confidence than they realize.

The researcher netdev_h4x made this point explicitly in the oss-security disclosure thread: "I ran this file through three different AI tools before starting manual fuzzing. All three gave it clean bills of health. The fuzz harness found the bug in 19 days." That's not an indictment of AI tooling wholesale — it's a calibration note. **Syzkaller**, the kernel fuzzing framework maintained by Google, remains the gold standard for this class of bug precisely because it actually executes code paths under concurrent conditions rather than reasoning about them statically.

For production infrastructure teams, the practical answer is a **layered approach**: LLMs for known-pattern triage and code review velocity, fuzzing infrastructure for novel C/C++/Rust system code, formal verification for critical concurrency-sensitive paths, and human experts who understand when to escalate from one layer to the next. The Bad Epoll miss is a data point, not a verdict — but it's a data point that should update your security workflow design decisions in 2026.

---

## Key takeaways

- Bad Epoll (CVE-2026-3498) grants root to any local user on 4+ years of Linux kernels through 6.9.3.
- Claude Mythos failed to flag the UAF race condition during a pre-disclosure AI-assisted code review.
- Google Project Zero (April 2026) documented LLM limits on novel concurrency bugs — Bad Epoll confirms it.
- Syzkaller fuzzing found the bug in 19 days; 3 AI tools combined found it in 0 days.
- NIST recorded 28,902 CVEs in H1 2026 — a 34% YoY increase, making AI triage both necessary and dangerous if miscalibrated.

---

## FAQ

**Q: Is my Ubuntu 24.04 server vulnerable right now?**
Ubuntu shipped kernel `6.8.0-60-generic` with the Bad Epoll patch backported on **July 8, 2026**. Run `apt update && apt upgrade` and confirm your running kernel with `uname -r` shows `6.8.0-60` or higher. If you're running Ubuntu on cloud instances (AWS, GCP, Azure), the hypervisor kernel is separate from your guest kernel — patch both. The vulnerability requires local execution, so internet-facing services without local shell access are not directly exposed, but any multi-tenant or shared-access environment should treat this as P0.

**Q: Should we stop using AI for security code review after this?**
No — but recalibrate expectations. AI-assisted review (Claude, Gemini, GPT-4o) performs well on known vulnerability classes: SQL injection patterns, insecure deserialization, hardcoded credentials, common OWASP Top 10 issues. The Bad Epoll case shows a specific failure mode: kernel-level concurrency bugs that require modeling parallel execution state. Use LLMs to increase review velocity on application-layer code; use fuzzing (syzkaller, libFuzzer, AFL++) for system-level C/C++ with concurrency. Don't use either as a substitute for the other.

---

## About the author

Sergii Muliarchuk — founder of FlipFactory.it.com. Building production AI systems for fintech, e-commerce, and SaaS clients. We run 12+ MCP servers, n8n workflows, and FrontDeskPilot voice agents in production.

*We've had our own AI-assisted code review miss real bugs in production — which is why we treat every "AI gave it the all-clear" signal as a starting point for investigation, not a conclusion.*

Frequently Asked Questions

What exactly is the Bad Epoll vulnerability?

Bad Epoll (CVE-2026-3498) is a race condition in the Linux kernel's epoll subsystem (kernel/fs/eventpoll.c). An unprivileged local user can exploit it to corrupt kernel memory and escalate privileges to root. It affects all kernels from 5.15 to 6.9.3. The fix is available in 6.9.4 and the corresponding stable backports released July 7, 2026.

Why did Claude Mythos miss this vulnerability during analysis?

Claude Mythos, Anthropic's frontier reasoning model released in May 2026, was reportedly run against the eventpoll.c diff during an internal AI-assisted code review. It did not flag the race condition. Researchers speculate the model's context window and static-analysis heuristics are not tuned for kernel concurrency paths — particularly the EPOLLEXCLUSIVE edge case that triggers the UAF.

Related Articles