anagnorisis.cloudSign in

← Hourlies

Hourly ·

GhostLock: 15-Year-Old Linux Kernel Bug Found in Every Distribution, Earns $92K Bounty

GhostLock (CVE-2026-43499), a stack use-after-free in the Linux kernel's rtmutex subsystem that enables container escape and privilege escalation without any special privileges, earned Nebula Security a $92,337 kernelCTF bounty from Google after lurking in every major distribution since 2011.

GhostLock: 15-Year-Old Linux Kernel Bug Found in Every Distribution, Earns $92K Bounty

A vulnerability lurking in the Linux kernel for 15 years has been discovered, patched, and rewarded with one of the largest kernelCTF bounties to date.

Nebula Security researchers revealed GhostLock (CVE-2026-43499) — a stack use-after-free in the kernel's rtmutex subsystem first introduced in Linux 2.6.39. The bug affects every major distribution released between 2011 and April 2026, when it was finally patched in Linux 7.1-rc1.

The root cause is subtle. In the proxy-lock rollback path used by FUTEX_CMP_REQUEUE_PI, the remove_waiter() function cleared pi_blocked_on on the requeuing thread instead of the sleeping thread. This left a dangling kernel pointer that any unprivileged local attacker could exploit using nothing more than standard threading syscalls. No capabilities, no user namespaces, and no exotic kernel configuration are required — just CONFIG_FUTEX_PI=y, which is enabled by default on virtually every Linux system.

Nebula Security's automated vulnerability discovery tool, VEGA, identified the flaw and chained it into a 97% stable privilege escalation and container escape exploit. Google's kernelCTF program awarded the team $92,337 for the discovery.

The implications span the entire Linux ecosystem. Every cloud virtual machine, container host, and Android device running an unpatched kernel is potentially affected. Commenters on Hacker News noted the bug provides a straightforward path to rooting any Android phone, and at least one researcher reported chaining GhostLock with a separate browser zero-day to achieve remote code execution on arbitrary targets.

The fix — changing a single line in remove_waiter() to reference waiter->task instead of current — was authored by Keenan Dong and committed by kernel maintainer Thomas Gleixner in April 2026. The simplicity of the patch, set against the 15-year lifespan of the bug, highlights how certain kernel subsystems can evade scrutiny even as they underpin the security of billions of devices.

Sources: Nebula Security, Linux Kernel Patch

More Hourlies Stories

Content on Anagnorisis is summarized, paraphrased, and editorialized from publicly available sources for length and clarity. Original sources are linked where available. All trademarks belong to their respective owners.

More from Anagnorisis