Follow Cyber Kendra on Google News! | WhatsApp | Telegram

Add as a preferred source on Google

15-Year-Old Linux Kernel Bug 'GhostLock' Lets Any Local User Seize Root, Break Out of Containers

GhostLock (CVE-2026-43499), a 15-year-old Linux kernel bug, lets local users gain root and escape containers. Here's how it works.

CVE-2026-43499 - GhostLock flaw

A privilege-escalation flaw that has quietly sat inside the Linux kernel since 2011 has finally been exposed — and it hands root access to any unprivileged local user with nothing more than ordinary threading system calls.

Tracked as CVE-2026-43499 and named GhostLock, the bug was discovered by researcher VEGA at Nebula Security, who detailed the find in a technical write-up. The flaw earned a $92,337 payout through Google's kernelCTF bounty program after VEGA built an exploit chain with a reported 97% success rate — reliable enough to be considered a near-guaranteed win in real-world conditions.

GhostLock lives in the kernel's rtmutex (real-time mutex) code, which manages priority inheritance for locks. A cleanup function called remove_waiter() was written under the assumption that the thread cleaning up a lock is always the same thread that's waiting on it. 

A feature called Requeue-PI broke that assumption years ago, allowing one thread to clean up for another — but the code was never updated to reflect that. The result: a use-after-free bug, where the kernel keeps a pointer to a chunk of stack memory that's already been freed and reused, sitting on a sleeping thread's own stack.

By racing a handful of futex (fast userspace mutex) calls, an attacker can reclaim that freed memory, forge a fake internal structure, and turn the dangling pointer into a controlled write to kernel memory. VEGA's exploit ultimately hijacks a networking function table triggered by a simple loopback UDP packet, then flips a permission bit on core_pattern — the file governing crash-dump behavior — to get code executing as root.

The affected code range spans kernel versions 2.6.39 through 7.1, meaning virtually every mainstream Linux distribution shipped in the last decade and a half carries the vulnerable path, with no special kernel configuration or capabilities required to exploit it. That makes it especially dangerous in shared and cloud environments, where the same bug also enables container escapes.

The fix, merged as commit 3bfdc63936dd, corrects remove_waiter() to clean up the actual waiting task instead of the calling one. Enabling RANDOMIZE_KSTACK_OFFSET also disrupts the exploit's stack-reuse step, while STATIC_USERMODE_HELPER blocks the specific privilege-escalation path VEGA used. Administrators are urged to patch to the latest LTS kernel release without delay.

Post a Comment