Nebula Security has disclosed technical details and exploit code for a significant vulnerability in the Linux kernel, impacting major distributions since 2011. The flaw, identified as CVE-2026-43499 and named GhostLock, originated in Linux version 2.6.39 and persisted undiscovered for 15 years until a patch was implemented in April.
Understanding the GhostLock Vulnerability
GhostLock is categorized as a use-after-free vulnerability. It stems from a helper function within the Linux kernel designed to manage cleanup tasks, prioritizing urgent processes. Typically, this function would clear a task once completed. However, due to the defect, when a deadlock occurs and a rollback is initiated, the function erroneously clears and reuses memory that is still referenced elsewhere.
The flaw arises because the function incorrectly assumes the current task is the one to be cleared. When a requeue is requested, it inadvertently cleans up for a sleeping thread rather than the active one, leading to potential exploitation.
Exploitation and Impact
Nebula Security successfully exploited GhostLock to gain control over the freed memory, achieving local privilege escalation to root. This demonstration highlighted the vulnerability’s potential for container escape within Google’s kernelCTF program, leading to a substantial $92,337 bug bounty award.
The exposure of GhostLock adds to a growing list of recently disclosed Linux kernel vulnerabilities, including Januscape, Bad Epoll, DirtyClone, CIFSwitch, DirtyDecrypt (also known as DirtyCBC), Fragnesia, and Dirty Frag.
Ongoing Security Challenges
The discovery of GhostLock underscores the persistent challenges in maintaining Linux kernel security. As vulnerabilities continue to surface, prompt identification and patching remain crucial. Related security updates include Microsoft’s patch for the Defender ‘RoguePlanet’ vulnerability and the Chrome 150 update addressing 27 flaws. Additionally, CISA has urged immediate patching of exploited vulnerabilities in ColdFusion, Langflow, and Joomla.
The continued efforts of security researchers and organizations like Nebula Security play a vital role in identifying and mitigating such threats, ensuring the integrity and safety of widely used systems.
