Hourly ·
GhostLock: 15-Year-Old Linux Kernel Bug Found in Every Distribution, Earns $92K Bounty
GhostLock (CVE-2026-43499), a stack use-after-free in the Linux kernel's rtmutex subsystem that enables container escape and privilege escalation without any special privileges, earned Nebula Security a $92,337 kernelCTF bounty from Google after lurking in every major distribution since 2011.
A vulnerability lurking in the Linux kernel for 15 years has been discovered, patched, and rewarded with one of the largest kernelCTF bounties to date.
Nebula Security researchers revealed GhostLock (CVE-2026-43499) — a stack use-after-free in the kernel's rtmutex subsystem first introduced in Linux 2.6.39. The bug affects every major distribution released between 2011 and April 2026, when it was finally patched in Linux 7.1-rc1.
The root cause is subtle. In the proxy-lock rollback path used by FUTEX_CMP_REQUEUE_PI, the remove_waiter() function cleared pi_blocked_on on the requeuing thread instead of the sleeping thread. This left a dangling kernel pointer that any unprivileged local attacker could exploit using nothing more than standard threading syscalls. No capabilities, no user namespaces, and no exotic kernel configuration are required — just CONFIG_FUTEX_PI=y, which is enabled by default on virtually every Linux system.
Nebula Security's automated vulnerability discovery tool, VEGA, identified the flaw and chained it into a 97% stable privilege escalation and container escape exploit. Google's kernelCTF program awarded the team $92,337 for the discovery.
The implications span the entire Linux ecosystem. Every cloud virtual machine, container host, and Android device running an unpatched kernel is potentially affected. Commenters on Hacker News noted the bug provides a straightforward path to rooting any Android phone, and at least one researcher reported chaining GhostLock with a separate browser zero-day to achieve remote code execution on arbitrary targets.
The fix — changing a single line in remove_waiter() to reference waiter->task instead of current — was authored by Keenan Dong and committed by kernel maintainer Thomas Gleixner in April 2026. The simplicity of the patch, set against the 15-year lifespan of the bug, highlights how certain kernel subsystems can evade scrutiny even as they underpin the security of billions of devices.
Sources: Nebula Security, Linux Kernel Patch
GhostLock:Linux内核中的15年-old漏洞存在于每个发行版中,赢得92万美元悬赏
GhostLock (CVE-2026-43499),Linux内核rtmutex子系统中的一个栈后使用漏洞,允许[K 容器逃逸和提升权限,无需任何特殊权限。 Nebula Security在Google的 kernelCTF [K 奖池中赢得了92,337美元 bounty,这是自2011年以来该漏洞一直存在于所有主要发行[K 版中的结果。
黑客锁:Linux内核15年漏洞在每种发行版中发现,获谷歌92337美元赏金 [2026-07-13 08:00 UTC] 黑客锁 (CVE-2026-43499) 是一个位于Linux内核rtmutex子系统中的堆使用后自由漏洞[K 。该漏洞允许容器逃逸和无需特殊权限的特权提升。Nebula Security在发现了这个漏[K 洞并在每个主要发行版中持续存在之后,从谷歌获得了92,337美元的内核CTF赏金。
More Hourlies Stories
Content on Anagnorisis is summarized, paraphrased, and editorialized from publicly available sources for length and clarity. Original sources are linked where available. All trademarks belong to their respective owners.
