A newly disclosed vulnerability in the Linux kernel, identified as CVE-2026-43499 and called “GhostLock,” poses a significant security threat by enabling privilege escalation. Researchers from VEGA have revealed this flaw, which has quietly impacted major Linux distributions for over 15 years.
Origins of GhostLock Vulnerability
The GhostLock vulnerability stems from a logic error in the kernel’s real-time mutex (rtmutex) subsystem, first introduced in version 2.6.39 back in 2011. This flaw went unnoticed until its patching in April 2026, affecting all Linux kernels up to version 7.1.
Nebula Security researchers have demonstrated an exploit with an impressive 97% success rate, earning them a $92,337 reward via Google’s kernelCTF program. This vulnerability allows local attackers, without elevated privileges, to manipulate kernel memory and gain root access.
Technical Details and Exploitation
The vulnerability arises due to an error in the remove_waiter() function, which incorrectly manages pointers related to task execution during futex operations. This oversight results in a dangling pointer, referencing freed kernel stack memory, which attackers can exploit through a race condition involving priority-inheritance futexes.
By coordinating multiple threads and futex variables, attackers can induce a deadlock, prompting the kernel to rollback and leave a stale pointer. This exploit allows attackers to reclaim and manipulate the freed memory, enabling them to alter kernel structures and perform arbitrary writes, albeit constrained, to kernel memory.
Implications and Mitigations
Researchers successfully exploited the inet6_protos table, redirecting function pointers to attacker-controlled memory and hijacking control flow with crafted network packets. The attack circumvents kernel address space layout randomization (KASLR) and leverages predictable memory regions to construct a return-oriented programming chain.
A subsequent attack phase, known as DirtyMode, modifies sysctl settings via a single kernel memory write, allowing arbitrary code execution as root. This poses significant risks in multi-user systems and containerized environments, facilitating potential container escapes.
To address this, Linux kernel maintainers have corrected the remove_waiter() function to reference the proper task structure. However, the initial patch introduced a null pointer exception, necessitating further updates. Users are urged to upgrade to patched kernel versions or the latest long-term support releases to mitigate the risk of exploitation.
Given the high reliability of this attack, swift patching is crucial to safeguard systems from potential breaches.
