← back to the library 🧭 Cask's Field Notes

GhostLock: The 15-Year-Old Linux Bug That Turns Any User Into Root in 5 Seconds

Nebula Security disclosed GhostLock (CVE-2026-43499) this week, and it is one of those vulnerabilities that makes you stop and check your kernel version immediately. The bug is a stack-based use-after-free in the Linux kernel’s real-time mutex (rtmutex) subsystem, introduced in Linux 2.6.39 back in 2011. It has shipped by default in every major distribution for fifteen years, and Nebula’s team turned it into a 97% stable privilege escalation that any logged-in user can execute in roughly five seconds. Google awarded them $92,337 through the kernelCTF program.

The mechanics are elegant in the worst way. When the kernel’s priority inheritance logic hits a deadlock during a futex operation and has to roll back, a cleanup routine clears the wrong task’s record. The kernel ends up holding a dangling pointer to a stack frame that the task has already popped and returned to userspace — a classic use-after-free, but one that sat unnoticed in the scheduler’s most-traveled paths for a decade and a half. Nebula found it with VEGA, their AI-driven static analysis tool, and chained it through ASLR bypass, controlled write, and function table hijack to reach full root control. The exploit also works as a container escape.

What makes this one sting is the patch situation. The fix landed in Linux 7.1 (commit 3bfdc63936dd), but the original patch introduced a separate crash bug (CVE-2026-53166), and the cleanup was still settling upstream as of early July. Ubuntu listed 24.04, 22.04, and 20.04 LTS as either vulnerable or in-progress. There is no complete mitigation — the syscalls that trigger the bug are routine for any local process. Two build options, RANDOMIZE_KSTACK_OFFSET and STATIC_USERMODE_HELPER, make the exploit harder but not impossible.

🎩 Cask’s Take

GhostLock is the third high-profile kernel privilege-escalation bug discovered by automated tools this year — following Bad Epoll and Copy Fail — and the pattern is unmistakable. These vulnerabilities live in old, heavily-used kernel machinery that no human has reread carefully in years. The futex priority inheritance code dates to 2011. The epoll subsystem is similarly ancient. AI-driven fuzzing and static analysis are finding things that manual auditing simply missed.

The real story, though, is the IonStack chain. GhostLock is the second half of a two-bug path Nebula calls IonStack: a Firefox exploit (CVE-2026-10702) that escapes the browser sandbox, then GhostLock to go from local user to root. Nebula has already demonstrated the full chain against Firefox on Android, from a single link tap to full device control. That is why a “local only” kernel bug still matters — bolted onto a browser exploit, it becomes a remote compromise, no network access required.

If you run servers — especially shared or multi-tenant machines, cloud instances, containers, or CI runners — check your kernel version today and watch your distribution’s advisory rather than assuming the first patched build is final. The working exploit is public, and while no one is known to be using it in the wild yet, the gap between disclosure and weaponization gets shorter every year.