Cyber researchers sound alarm over a 15-year-old Linux kernel flaw – ‘GhostLock’ could let hackers seize unpatched machines in just five seconds

Cyber researchers sound alarm over a 15-year-old Linux kernel flaw – ‘GhostLock’ could let hackers seize unpatched machines in just five seconds

Cyber researchers sound alarm over a 15-year-old Linux kernel flaw – ‘GhostLock’ could let hackers seize unpatched machines in just five seconds

https://www.itpro.com/software/linux/cyber-researchers-sound-alarm-over-a-15-year-old-linux-kernel-flaw-ghostlock-could-let-hackers-seize-unpatched-machines-in-just-five-seconds

Publish Date: 2026-07-09 06:46:00

Source Domain: www.itpro.com

Researchers at Nebula Security have discovered a Linux kernel flaw dating back to 2011 that lets any logged-in user take full root control of an unpatched machine in just five seconds.

Dubbed GhostLock (CVE-2026-43499), it was introduced in Linux 2.6.39 and fixed in Linux 7.1.

The flaw allows an unprivileged local attacker to get a dangling kernel pointer to kernel stack memory with only regular threading syscalls, write a pointer to an arbitrary address, and hijack a function table to get root access.

GhostLock has been shipped by default in every mainstream distribution since 2011, and requires no special privileges or network access. Nebula, which uncovered the flaw, said its exploit is reportedly 97% reliable and can also escape containers.

Latest Videos From

This particular flaw is the second part of an attack chain dubbed IonStack, with the first step being CVE-2026-10702, a vulnerability in Firefox that allows code execution within the browser and escapes its sandbox.

The vulnerability is rated high (7.8) as the attacker would already need to have local access to the system.

How the GhostLock flaw works

Nebula researchers said the root cause is a function reused by a caller it was never written for: the helper function remove_waiter(). During certain futex operations, it incorrectly clears a pointer associated with the currently executing task, rather than the actual waiting task.

This leaves the kernel with a dangling pointer that points to a memory location that has already been freed and reused. This allowed the Nebula team to gain full control, tricking the kernel into running their own code as the root user.

Daniel Bechenea, security manager at Pentest Tools, said the flaw is of particular concern because kernel exploits have historically carried a “real operational…

Source