Tech News

GhostLock: 15-Year-Old Linux Kernel Flaw Grants Root on Most Distros

A flaw present in the Linux kernel since 2011, i.e. 15 years, allows any local user to take full control of a machine. Its name: GhostLock (CVE-2026-43499). What are the risks? How can you protect your Linux machine? Let’s take a look.

GhostLock, a use-after-free flaw in the Linux kernel

According to the report published by Nebula Security, GhostLock lives in Linux kernel locks, the mechanisms that make a program wait while another one is using a resource. The kernel offers a variant with priority inheritance, designed to prevent an urgent task from being blocked behind a secondary one. This vulnerability is located in the futex and rtmutex code.

Note: a futex (fast userspace mutex) is Linux’s standard lock, optimized so that the kernel is only involved when a program actually has to wait its turn. An rtmutex is its real-time variant: when an urgent thread is blocked by a lower-priority thread holding the lock, the kernel temporarily boosts the priority of that thread so it can release the lock as quickly as possible, then restores it once that is done.

The GhostLock flaw is a use-after-free, meaning that a memory area is used after the kernel has already freed it. How is this vulnerability triggered? When a task stops waiting on a lock, the kernel cleans up after it. But in a rare case (when the kernel detects a deadlock and has to abort the operation), that cleanup happens at the wrong time and erases the traces of the wrong task. The kernel then ends up with an outdated memory address pointing to a region that has already been freed and reassigned to something else. According to Nebula’s researchers, trusting this ghost address is what makes exploitation possible. That also explains the name: GhostLock.

This security flaw, rated 7.8 out of 10 on the CVSS scale, is likely to affect a huge number of Linux machines. And for good reason:

  • The vulnerable code has been present since Linux 2.6.39 (2011) and was only fixed in Linux 7.1, in April 2026.
  • The flaw is present in the default configuration of nearly all consumer distributions.
  • Local access to the machine is enough to exploit the flaw via threading calls from any local program.
  • The only kernel-side requirement is the CONFIG_FUTEX_PI=y option, with no capability or user namespace required.

"GhostLock (CVE-2026-43499) is a Linux kernel vulnerability discovered by VEGA and present in all major distributions since 2011.", Nebula’s report states. If you are wondering what VEGA is, here is the answer: it is Nebula’s AI-driven bug bounty tool.

A 97% reliable exploit on Linux

Nebula’s team turned GhostLock into a working exploit, which proved 97% reliable during the tests carried out by the researchers. With this exploit, they managed to obtain root privileges in about 5 seconds on a test machine, and the exploit also makes it possible to escape containers. A solid find that allowed Nebula to earn a $92,337 bounty through Google’s kernelCTF program.

Even if this flaw is not being actively exploited yet, that could change quickly: the exploit code (PoC) is available on GitHub. Anyone can download and use it.

Nebula’s report is titled "IonStack part II", so I wondered what part I referred to. In fact, the first part corresponds to another vulnerability tracked as CVE-2026-10702. It is a flaw discovered in Firefox’s JavaScript engine (Mozilla bulletin MFSA 2026-54): a malicious page can use it to execute code in the browser and break out of the sandbox. This vulnerability was fixed in Firefox 151.0.3 on June 2, 2026. In a full exploit chain, GhostLock would then take over to gain root privileges.

According to The Hacker News, Nebula has already demonstrated the full chain, starting from a simple click on a malicious link leading all the way to full control, by exploiting Firefox on Android. The writeup published by Nebula also announces a forthcoming article dedicated to exploiting GhostLock on Android.

How can you protect yourself against GhostLock?

The advice is simple: update the kernel, but make sure the installed version is indeed the latest one in your distribution’s Security channel. The first published fix (commit 3bfdc63936dd) introduced a new bug that could crash the machine, tracked as CVE-2026-53166. Its remediation was not yet fully stable at the beginning of July, which means some packages marked as patched are not really patched.

On Debian’s side, the GhostLock security flaw was fixed through the kernel update 6.12.95-1, but CVE-2026-53166 has not been fixed yet! That matches what I mentioned earlier. For now, the patch is therefore partial.

The bad news, as I understand it, is that the security patch is the only real way to protect yourself from this security flaw. It is not possible to disable any kernel module to protect against GhostLock. So you will need to keep an eye on security patches from the various Linux distributions.

If you have information for other distributions, feel free to comment on this article.

author avatar
Florian Burnel Co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.