News
Anthropic's AI Found One Linux Kernel Flaw, Missed Another Right Next to It
Anthropic's Mythos model found one critical vulnerability in the Linux kernel's epoll code, but missed an adjacent flaw called Bad Epoll that a researcher used to gain root access in 99 percent of attempts.
Contents
Anthropic's Mythos AI model analyzed roughly 2,500 lines of code in the Linux kernel's epoll subsystem and uncovered a serious security vulnerability, tracked as CVE-2026-43074. A few lines further down, in the same section of code, it missed a second flaw of equal severity. It took researcher Jaeyoung Chung to find it and turn it into a working exploit that succeeds in nearly every attempt.
How the Bad Epoll Flaw Works
Epoll is a Linux kernel mechanism used by nearly every modern system service, web browser, and Android app to monitor multiple files and network connections at once. The bug, introduced by a 2023 code change, is a race between two kernel code paths that clean up the same internal object at the same time: one frees the memory while the other is still writing to it in that same instant.
The result is a classic use-after-free bug that lets any unprivileged local user escalate to root. Exploiting it requires hitting a window just six processor instructions wide, which should theoretically make it hard to pull off. In practice, researcher Jaeyoung Chung built a proof-of-concept that runs reliably in around 99 percent of attempts on the systems he tested.
Why the AI Missed the Flaw Right Next Door
The most striking part of the story is that Mythos, the Anthropic model used for automated kernel code audits, examined that very same section of epoll and found a different, related race-condition bug (CVE-2026-43074) before anyone spotted Bad Epoll. The model clearly scrutinized that area of code closely enough to catch a bug of the same type, yet still missed the flaw sitting right next to it.
Security analysts point to two likely reasons. First, the race window in Bad Epoll is extremely narrow, about six instructions, which makes it hard for the model to reason through the exact thread interleaving from source code analysis alone. Second, after the first flaw was patched, the use-after-free in Bad Epoll typically doesn't trigger KASAN, the kernel's main runtime tool for catching memory bugs, so there was no behavioral evidence to point the model toward it.
The team has since rolled out stronger protections, and we had long planned to deprecate this - Thariq Shihipar, Anthropic
What It Means for AI Code Auditing
The Bad Epoll case doesn't undermine the case for using AI models to hunt for security flaws, since Mythos did find a race-condition bug, a task notoriously hard even for experienced human auditors. But it shows that current models have blind spots when it comes to extremely narrow timing windows and bugs that leave no trace in standard detection tools like KASAN. That's a meaningful signal for companies starting to lean on automated AI audits as a substitute for, rather than a complement to, human review.
So far there's no evidence the flaw has been exploited in real-world attacks. It doesn't appear on CISA's list of known exploited vulnerabilities, and the only working code is the public proof-of-concept from the kernelCTF program. Patches are already available in commit a6dc643c6931, and Linux and Android system administrators are urged to update as soon as possible, especially since the bug could theoretically be chained with a separate browser vulnerability to escape the Chrome sandbox.
For Polish security teams and Linux system administrators, the takeaway is straightforward: patching epoll should be a high priority, regardless of the fact that one of the two related flaws was caught by AI and the other wasn't. The episode also shows that reports from models like Mythos are best treated as one piece of an audit, not a guarantee that a review of critical kernel code is complete.
Sources: The Hacker News (thehackernews.com), Tech Times (techtimes.com), Notebookcheck Polska (notebookcheck.pl), Security Affairs (securityaffairs.com)

