15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros
15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros
https://thehackernews.com/2026/07/15-year-old-ghostlock-flaw-enables-root.html
Publish Date: 2026-07-08 02:16:00
Source Domain: thehackernews.com
Researchers at Nebula Security have disclosed GhostLock (CVE-2026-43499), a 15-year-old Linux kernel flaw that lets any logged-in user take full root control of a machine that has not been patched.
The vulnerable code has shipped by default in essentially every mainstream distribution since 2011. The flaw needs no special permission, no unusual settings, and no network access; ordinary threading calls from any local program are enough.
Nebula turned it into a working root exploit that is 97% reliable in its testing and also escapes containers, and says Google awarded the team $92,337 through its kernelCTF bug-bounty program.
No one is known to be exploiting it in the wild, but Nebula has published working exploit code, so anyone can now run it. Patching is the priority.
How the bug works
The kernel has a system for keeping an urgent task from getting stuck behind a trivial one. Part of it is a cleanup step that tidies up after a task once it stops waiting.
Normally, that works fine. But in one rare case, where a lock operation hits a dead end and has to back out, the cleanup runs at the wrong moment and wipes the wrong task’s record.
That mistake leaves the kernel holding a “note” that points at a scrap of memory it has already thrown away and reused. Trusting that stale pointer is the whole bug, the kind of slip known as a use-after-free. From there, Nebula’s team chained a few clever steps to turn that small mistake into full control, ending by tricking the kernel into running their own code as the all-powerful “root” user. On their test machine, it took about five seconds.

The flaw has been in Linux since 2011 and was fixed in April, with distributions now rolling out the patch (3bfdc63936dd). It affects nearly every Linux build and scores 7.8 out of 10 (high, not critical) because an attacker needs to already be logged in to the machine. Nebula found it with VEGA, its AI-driven bug-hunting tool.
What to do
Install your distribution’s…