anagnorisis.cloudSign in

← Hourlies

Hourly ·

GhostLock: A Linux Kernel Bug That Sat Hidden in Plain Sight for 15 Years

Nebula Security's VEGA team discovered CVE-2026-43499, a stack use-after-free vulnerability affecting every major Linux distribution since 2011. No special privileges required — just regular threading syscalls.

GhostLock: A Linux Kernel Bug That Sat Hidden in Plain Sight for 15 Years

A security research team has uncovered a Linux kernel vulnerability that persisted undetected for 15 years — and it affects every major distribution shipped since 2011.

Dubbed GhostLock (CVE-2026-43499), the bug is a stack use-after-free in the kernel's real-time mutex subsystem. Discovered by Nebula Security's VEGA team, it was introduced in Linux 2.6.39 and sat untouched until it was silently patched in Linux 7.1 this past April.

What makes GhostLock particularly dangerous is how little it asks of an attacker. Triggering the bug requires no special kernel configuration, no capabilities, and no user namespaces — just ordinary threading syscalls. Once triggered, it achieves a 97% stable privilege escalation and container escape. In short: an unprivileged user on a patched container can break out and take over the host.

Google rewarded the discovery with $92,337 through its kernelCTF bug bounty program, reflecting the severity of a bug that had been hiding in plain sight in one of the most scrutinized codebases on the planet.

The root cause lies in the remove_waiter() function in kernel/locking/rtmutex.c. On the normal code path, current->pi_blocked_on is correctly cleared. But on the proxy path — when rt_mutex_start_proxy_lock() enqueues a waiter on behalf of another task — the rollback code clears pi_blocked_on on the wrong task. The waiter task retains a dangling pointer to its own stack frame, which gets popped the moment it returns to userspace. Any subsequent PI chain walk through that pointer gives the attacker a kernel pointer to freed stack memory.

From there, the exploit chains together a prefetch-based ASLR leak, a controlled write primitive, and a function table hijack to achieve full root access.

The fix, commit 3bfdc63936dd, changes one line: use waiter->task instead of current in remove_waiter(). Fifteen years, one line.

Every Linux distribution running a kernel between 2.6.39 and 7.1 without the backported patch is affected. Administrators should update to the latest LTS kernel immediately.

Sources: Nebula Security, SecurityWeek, Linux Kernel Commit

More Hourlies Stories

Content on Anagnorisis is summarized, paraphrased, and editorialized from publicly available sources for length and clarity. Original sources are linked where available. All trademarks belong to their respective owners.

More from Anagnorisis