Linux Foundation and Google: 15-Year-Old GhostLock Linux Kernel Vulnerability Enables Root Access and Container Escape

Linux Foundation and Google: 15-Year-Old GhostLock Linux Kernel Vulnerability Enables Root Access and Container Escape

Critical 15-Year-Old Linux Kernel Vulnerability "GhostLock" Disclosed

Researchers at Nebula Security have uncovered GhostLock (CVE-2026-43499), a severe privilege escalation and container escape vulnerability in the Linux kernel, present since version 2.6.39 (released in 2011). The flaw, patched in April 2026, stems from a stack-based use-after-free (UAF) error in the kernel’s real-time mutex (rtmutex) subsystem, specifically in the remove_waiter() function during priority inheritance (PI) futex operations.

The vulnerability arises when the kernel incorrectly clears the pi_blocked_on field of the wrong task during FUTEX_CMP_REQUEUE_PI operations, leaving a dangling pointer to a freed stack-allocated rt_mutex_waiter structure. Exploitation requires a precise sequence of three threads and futex variables, creating a dependency cycle that triggers an -EDEADLK rollback path. This leads to stale memory references, which attackers can manipulate to write controlled data to kernel memory.

The exploit chain employs advanced techniques, including KASLR bypass via prefetch-timing attacks, predictable kernel memory placement using CPU Entry Area (CEA) regions, and hijacking kernel function pointers such as the IPv6 UDP protocol handler to gain arbitrary code execution. A final "DirtyMode" technique modifies sysctl permissions (e.g., /proc/sys/kernel/core_pattern) to execute binaries with root privileges. Demonstrated in Google’s kernelCTF, the exploit achieved a 97% reliability rate and earned a $92,000 reward.

GhostLock affects all Linux systems running kernels from 2.6.39 to 7.1, with no elevated privileges or namespaces required, making containerized environments particularly vulnerable. While mitigations like RANDOMIZE_KSTACK_OFFSET and STATIC_USERMODE_HELPER offer partial protection, the only complete fix is applying the kernel patch. The widespread impact on cloud infrastructure, containers, and shared hosting underscores the severity of this long-undetected flaw.

Source: https://gbhackers.com/15-year-old-ghostlock-linux-kernel-vulnerability/

Google cybersecurity rating report: https://www.rankiteo.com/company/google

Kernel Foundation - Master Linux Kernel & LDD cybersecurity rating report: https://www.rankiteo.com/company/linux-kernel-foundation

"id": "GOOLIN1783499291",
"linkid": "google, linux-kernel-foundation",
"type": "Vulnerability",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'All users of Linux kernels '
                                              '2.6.39 to 7.1',
                        'industry': 'Technology, Operating Systems',
                        'location': 'Global',
                        'name': 'Linux Kernel',
                        'type': 'Software'},
                       {'industry': 'Cloud Computing',
                        'location': 'Global',
                        'name': 'Cloud Infrastructure Providers',
                        'type': 'Service Provider'},
                       {'industry': 'DevOps, Cloud Computing',
                        'location': 'Global',
                        'name': 'Containerized Environments',
                        'type': 'Technology'},
                       {'industry': 'Web Hosting',
                        'location': 'Global',
                        'name': 'Shared Hosting Providers',
                        'type': 'Service Provider'}],
 'attack_vector': 'Local',
 'date_publicly_disclosed': '2026-04',
 'date_resolved': '2026-04',
 'description': 'Researchers at Nebula Security uncovered GhostLock '
                '(CVE-2026-43499), a severe privilege escalation and container '
                'escape vulnerability in the Linux kernel, present since '
                'version 2.6.39 (released in 2011). The flaw stems from a '
                'stack-based use-after-free (UAF) error in the kernel’s '
                'real-time mutex (rtmutex) subsystem, specifically in the '
                '`remove_waiter()` function during priority inheritance (PI) '
                'futex operations. The vulnerability allows attackers to write '
                'controlled data to kernel memory, bypass KASLR, and achieve '
                'arbitrary code execution with root privileges.',
 'impact': {'operational_impact': 'Potential arbitrary code execution with '
                                  'root privileges, container escapes',
            'systems_affected': 'All Linux systems running kernels from 2.6.39 '
                                'to 7.1'},
 'investigation_status': 'Patched',
 'lessons_learned': 'Long-undetected vulnerabilities in critical software '
                    'components can have widespread impact. Regular kernel '
                    'updates and proactive security research are essential for '
                    'mitigating such risks.',
 'post_incident_analysis': {'corrective_actions': 'Kernel patch to fix the UAF '
                                                  'vulnerability in the '
                                                  '`remove_waiter()` function',
                            'root_causes': 'Stack-based use-after-free (UAF) '
                                           'error in the kernel’s real-time '
                                           'mutex (rtmutex) subsystem, '
                                           'specifically in the '
                                           '`remove_waiter()` function during '
                                           'priority inheritance (PI) futex '
                                           'operations'},
 'recommendations': ['Apply the Linux kernel patch for CVE-2026-43499 '
                     'immediately',
                     'Enable mitigations like `RANDOMIZE_KSTACK_OFFSET` and '
                     '`STATIC_USERMODE_HELPER` where patching is not '
                     'immediately possible',
                     'Monitor for signs of exploitation in containerized and '
                     'shared hosting environments',
                     'Conduct security audits of kernel-level code in critical '
                     'systems'],
 'references': [{'source': 'Nebula Security'}, {'source': 'Google kernelCTF'}],
 'response': {'containment_measures': 'Kernel patch applied',
              'remediation_measures': 'Apply Linux kernel patch for '
                                      'CVE-2026-43499',
              'third_party_assistance': 'Nebula Security (researchers)'},
 'title': "Critical 15-Year-Old Linux Kernel Vulnerability 'GhostLock' "
          'Disclosed',
 'type': 'Privilege Escalation, Container Escape',
 'vulnerability_exploited': 'CVE-2026-43499 (GhostLock)'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.