Bad Epoll was introduced in 2023 in a commit that also introduced CVE-2026-43074, another race condition in the epoll code that was found by Anthropic’s Mythos. Mythos likely missed it because, with CVE-2026-43074 fixed, Bad Epoll doesn’t trigger KASAN (Kernel Address Sanitizer), the Linux kernel’s dynamic memory error detector.
| Vendor | Product | Versions |
|---|---|---|
| linux | linux_kernel | 58c9b016e12855286370dfb704c08498edbc857a, 58c9b016e12855286370dfb704c08498edbc857a, 58c9b016e12855286370dfb704c08498edbc857a, 58c9b016e12855286370dfb704c08498edbc857a, 58c9b016e12855286370dfb704c08498edbc857a, f2451def095c1743adcfcb0cb5dadc86034e162a, a1f93804449d13f97dabd4b996817de4bf1ed67a, 5.15.209, 6.1.175, 6.4, 6.6 |
Downstream vendors/products affected by this vulnerability
| Vendor | Product | Source | Confidence |
|---|---|---|---|
| open source | linux kernel | cert_advisory | 90% |
Added affected versions 6.4 and 6.6, included CVE-2026-43074 in tags, and provided additional technical details in the description.
Added detailed technical description of the vulnerability, included new affected version 6.6, and added CVE-2026-43074 as a related tag.
Updated description to include the impact of the vulnerability on unprivileged users and added a new tag 'Bad Epoll'.
Updated severity to CRITICAL, added affected versions 6.18.32 and 7.0.9, and noted that no exploit is available.
Initial creation