Hourly ·
GhostLock: A Linux Kernel Bug That Sat Hidden in Plain Sight for 15 Years
Nebula Security's VEGA team discovered CVE-2026-43499, a stack use-after-free vulnerability affecting every major Linux distribution since 2011. No special privileges required — just regular threading syscalls.
A security research team has uncovered a Linux kernel vulnerability that persisted undetected for 15 years — and it affects every major distribution shipped since 2011.
Dubbed GhostLock (CVE-2026-43499), the bug is a stack use-after-free in the kernel's real-time mutex subsystem. Discovered by Nebula Security's VEGA team, it was introduced in Linux 2.6.39 and sat untouched until it was silently patched in Linux 7.1 this past April.
What makes GhostLock particularly dangerous is how little it asks of an attacker. Triggering the bug requires no special kernel configuration, no capabilities, and no user namespaces — just ordinary threading syscalls. Once triggered, it achieves a 97% stable privilege escalation and container escape. In short: an unprivileged user on a patched container can break out and take over the host.
Google rewarded the discovery with $92,337 through its kernelCTF bug bounty program, reflecting the severity of a bug that had been hiding in plain sight in one of the most scrutinized codebases on the planet.
The root cause lies in the remove_waiter() function in kernel/locking/rtmutex.c. On the normal code path, current->pi_blocked_on is correctly cleared. But on the proxy path — when rt_mutex_start_proxy_lock() enqueues a waiter on behalf of another task — the rollback code clears pi_blocked_on on the wrong task. The waiter task retains a dangling pointer to its own stack frame, which gets popped the moment it returns to userspace. Any subsequent PI chain walk through that pointer gives the attacker a kernel pointer to freed stack memory.
From there, the exploit chains together a prefetch-based ASLR leak, a controlled write primitive, and a function table hijack to achieve full root access.
The fix, commit 3bfdc63936dd, changes one line: use waiter->task instead of current in remove_waiter(). Fifteen years, one line.
Every Linux distribution running a kernel between 2.6.39 and 7.1 without the backported patch is affected. Administrators should update to the latest LTS kernel immediately.
Sources: Nebula Security, SecurityWeek, Linux Kernel Commit
GhostLock:一个潜伏了15年的Linux内核漏洞
nebula security的VEGA团队发现CVE-2026-43499,自2011年以来影响每个主要Linux[5D[K Linux发行版的栈使用后自由化漏洞。无需特殊权限——只需常规线程调用。
Linux内核一个长达15年的隐藏漏洞:GhostLock,被Nebula Security团队发现为CVE-[4D[K CVE-2026-43499。这是自2011年以来所有主要的Linux发行版都受此影响的一个堆栈使[K 用后未释放(use-after-free)漏洞。无需特殊权限,只需普通的线程系统调用即可利[K 用。安全研究团队揭露了一个Linux内核漏洞:GhostLock
More Hourlies Stories
Content on Anagnorisis is summarized, paraphrased, and editorialized from publicly available sources for length and clarity. Original sources are linked where available. All trademarks belong to their respective owners.
