TL;DR
- what: Nebula Security disclosed GhostLock (CVE-2026-43499), a 15-year-old use-after-free in the Linux kernel's futex priority-inheritance cleanup path, and published working exploit code.
- impact: Any logged-in local user can gain full root and escape containers in roughly five seconds with 97% reliability, and chained behind a Firefox exploit it becomes a remote compromise.
- fix: There is no complete workaround; install your distribution's current kernel with commit 3bfdc63936dd, and confirm it also carries the follow-up fix for the crash bug CVE-2026-53166.
- who: Every mainstream Linux distribution built since 2011 is affected, with shared and multi-tenant hosts, cloud servers, containers, and CI runners at highest risk.
Nebula Security has disclosed GhostLock (CVE-2026-43499), a 15-year-old Linux kernel use-after-free that lets any logged-in user take full root control of an unpatched machine. The vulnerable code has shipped by default in essentially every mainstream distribution since 2011. It needs no special permissions, no unusual settings, and no network access. Ordinary threading calls from any local program are enough. Nebula's working exploit is 97% reliable in testing, escapes containers, and reaches root in about five seconds. The exploit code is now public.
The bug scores 7.8 (high, not critical) only because the attacker must already be logged in. That gate is thinner than it sounds. On shared cloud servers, containers, and CI runners, a foothold is exactly what attackers already have or can cheaply buy. And Nebula has already chained GhostLock behind a browser exploit to turn it into a remote compromise.
How GhostLock works
The flaw lives in the kernel's futex priority-inheritance machinery, the system that keeps an urgent task from getting stuck behind a trivial one. Part of that system is a cleanup step that tidies up after a task stops waiting. In one rare path, where a lock operation hits a dead end and has to back out, the cleanup runs at the wrong moment and wipes the wrong task's record. The kernel is left holding a pointer to memory it has already freed and reused. Trusting that stale pointer is the entire bug: a classic use-after-free.
From there Nebula chained a handful of steps to escalate the dangling pointer into full control, ending by tricking the kernel into executing their code as root. The futex priority-inheritance code they exploited dates to 2011, old, heavily used machinery that few had reread in years. Nebula found it with VEGA, its AI-driven bug-hunting tool. Google awarded the team $92,337 through its kernelCTF bug-bounty program.
Patching is the only real fix
There is no complete workaround. The operations that trigger GhostLock are routine for any local process, so you cannot block them without breaking normal workloads. The fix is upstream commit 3bfdc63936dd, landed in April, and distributions are rolling it out now.
⚠️ Do not stop at the first patched build — The original fix introduced a separate crash bug (CVE-2026-53166), and the cleanup for that was still settling upstream in early July. Early patched kernels may lack the final version. Install your distribution's current kernel and confirm the fixed package version in the vendor advisory rather than assuming a patch is already waiting.
What to check now
- Patch shared and multi-tenant machines first: cloud servers, containers, and CI runners, where an attacker is most likely to find the local foothold this bug needs.
- Confirm the fixed package version against your distribution's advisory. As of early July, Ubuntu had patched its newest release and some cloud kernels but still listed 24.04, 22.04, and 20.04 LTS as vulnerable or in progress.
- Treat RANDOMIZE_KSTACK_OFFSET and STATIC_USERMODE_HELPER as hardening only. Both make the exploit harder; neither closes the hole.
- Verify container hosts specifically. GhostLock escapes containers, so a patched host kernel, not just a patched image, is what protects you.
Why a 'local only' bug still matters
GhostLock is the second half of a chain Nebula calls IonStack. The first half, CVE-2026-10702, is a Firefox flaw that runs code inside the browser and escapes its sandbox. GhostLock carries it the rest of the way to root. Nebula has demonstrated the full chain, from a single tap on a malicious link to full control, against Firefox on Android, with an Android write-up promised next. On its own the kernel bug needs a foothold. Bolted onto a browser exploit, it becomes remote.
Part of a 2026 pattern
GhostLock is not this year's only kernel-to-root bug, and several share a detail: an automated tool found them. Days before GhostLock, researchers disclosed Bad Epoll (CVE-2026-46242), a close cousin that also turns an unprivileged user into root and, unusually, works on Android; it sits in the same stretch of code where Anthropic's Mythos model was credited with a related flaw. The class is not theoretical either: Copy Fail (CVE-2026-31431) is already on CISA's Known Exploited Vulnerabilities list.
The takeaway — Old, heavily-used kernel code that nobody had reread in a decade is now being combed by AI bug-hunters, and the results are landing faster than distributions can ship patches. Assume the exploit is in attacker hands, prioritize multi-tenant and container hosts, and verify the fixed kernel version instead of trusting that an update exists.
No in-the-wild exploitation of GhostLock is known yet, but with public exploit code that window is closing. The five-second, 97%-reliable path to root is available to anyone who can log in. Patch accordingly.
Originally published on RedEye Threat Intelligence.
Top comments (0)