[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fUNUlfXeZ3aZz7wDv-TWI_xl6l5Odc8cLd8Fz_DvNQWY":3},{"article":4,"iocs":47},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":31,"category":32,"article_tags":36},"789368de-dfd6-42b8-93f5-433ad09c5623","15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros","15-year-old-ghostlock-flaw-enables-root-and-container-escape-on-most-linux-distr-ff55f9","Researchers at Nebula Security have disclosed GhostLock (CVE-2026-43499), a 15-year-old Linux kernel flaw that lets any logged-in user take full root control of a machine that has not been patched. The vulnerable code has shipped by default in essentially every mainstream distribution since 2011. The flaw needs no special permission, no unusual settings, and no network","Nebula Security disclosed GhostLock (CVE-2026-43499), a critical Linux kernel vulnerability present since 2011 that allows any logged-in user to gain root access without special permissions or network access. The use-after-free flaw affects nearly all mainstream Linux distributions and container environments; Nebula developed a 97% reliable exploit and published proof-of-concept code after receiving a $92,337 Google kernelCTF bounty. Patching is urgent, though availability varies across distributions and earlier patches introduced secondary bugs requiring further updates.","GhostLock CVE-2026-43499, a 15-year-old Linux kernel use-after-free flaw, enables local privilege escalation to root on","15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros Swati KhandelwalJul 08, 2026Vulnerability \u002F Cloud Security Researchers at Nebula Security have disclosed GhostLock (CVE-2026-43499), a 15-year-old Linux kernel flaw that lets any logged-in user take full root control of a machine that has not been patched. The vulnerable code has shipped by default in essentially every mainstream distribution since 2011. The flaw needs no special permission, no unusual settings, and no network access; ordinary threading calls from any local program are enough. Nebula turned it into a working root exploit that is 97% reliable in its testing and also escapes containers, and says Google awarded the team $92,337 through its kernelCTF bug-bounty program. No one is known to be exploiting it in the wild, but Nebula has published working exploit code, so anyone can now run it. Patching is the priority. How the bug works The kernel has a system for keeping an urgent task from getting stuck behind a trivial one. Part of it is a cleanup step that tidies up after a task once it stops waiting. Normally, that works fine. But in one rare case, where a lock operation hits a dead end and has to back out, the cleanup runs at the wrong moment and wipes the wrong task's record. That mistake leaves the kernel holding a \"note\" that points at a scrap of memory it has already thrown away and reused. Trusting that stale pointer is the whole bug, the kind of slip known as a use-after-free. From there, Nebula's team chained a few clever steps to turn that small mistake into full control, ending by tricking the kernel into running their own code as the all-powerful \"root\" user. On their test machine, it took about five seconds. The flaw has been in Linux since 2011 and was fixed in April, with distributions now rolling out the patch (3bfdc63936dd). It affects nearly every Linux build and scores 7.8 out of 10 (high, not critical) because an attacker needs to already be logged in to the machine. Nebula found it with VEGA, its AI-driven bug-hunting tool. What to do Install your distribution's current kernel, not just the first patched build. The original fix introduced a separate crash bug (CVE-2026-53166), and the cleanup for that was still settling upstream in early July, so early builds may lack the final version. There is no complete workaround, since the operations that trigger it are routine for any local process. Availability is uneven so far. Ubuntu, for example, had patched its newest release and some cloud kernels, but as of early July still listed 24.04, 22.04, and 20.04 LTS as vulnerable or in progress. Check your distribution's advisory and confirm the fixed package version rather than assuming one is waiting. Two build options, RANDOMIZE_KSTACK_OFFSET and STATIC_USERMODE_HELPER, make this exploit harder, but they are mitigations, not fixes. Patch shared and multi-tenant machines first, cloud servers, containers, and CI runners, where an attacker is most likely to find the local foothold this bug needs. Not the only kernel-to-root bug this year GhostLock joins a run of 2026 Linux privilege-escalation bugs, several of which share a detail: an automated tool found them. VEGA found GhostLock; days earlier, researchers disclosed Bad Epoll (CVE-2026-46242), a close cousin that also turns an unprivileged user into root. It was proven through kernelCTF and, unusually for this class of bug, works on Android. Bad Epoll sits in the same stretch of code where Anthropic's Mythos model was credited with a related flaw. What they share is old, heavily used kernel machinery that few had reread in years, until automated tools started combing it. Futex priority inheritance dates to 2011. The class is not theoretical: another 2026 bug, Copy Fail (CVE-2026-31431), is already on CISA's list of vulnerabilities seen in real-world attacks. GhostLock is also the second half of a chain Nebula calls IonStack. The first half, CVE-2026-10702, is a Firefox flaw that runs code inside the browser and escapes its sandbox; GhostLock carries it the rest of the way to root. Nebula has already demonstrated the full chain, from a single tap on a malicious link to full control, against Firefox on Android. That is why a \"local only\" kernel bug still matters: on its own, it needs a foothold, but bolted onto a browser exploit, it becomes a remote compromise. Nebula says a full write-up of the Android exploit is coming next. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Android, browser security, Cloud security, Container Security, Kernel Security, linux, Patch Management, privilege escalation, Vulnerability ⚡ Top Stories This Week ThreatsDay: AI Compute Hijacking, Apple Email Flaw, BlueHammer Ransomware + 14 Stories Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root via Cloned Packets Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs New Linux pedit COW Exploit Enables Root Access by Poisoning Cached Binaries OpenAI Previews GPT-5.6 Sol With Restricted Access and Stronger Cyber Safeguards FBI Warns Russian Intelligence Hackers Target Signal Backup Recovery Keys Public PoC Released for Critical libssh2 CVE-2026-55200 Client-Side SSH Flaw Microsoft Removes 119 Edge Extensions That Hid Malware in Images and Fonts ⚡ Weekly Recap: Linux Kernel Flaws, AI Malware Tricks, Turla Backdoor, Infostealers and More Mustang Panda Uses Zoho WorkDrive as Command Channel in Indian Government Attacks WhatsApp is Finally Getting Usernames to Help Keep Phone Numbers Private Oracle E-Business Suite Flaw CVE-2026-46817 Actively Exploited in the Wild New BioShocking Attack Tricks AI Browsers Into Leaking User Credentials AirDrop and Quick Share Flaws Let Nearby Attackers Trigger Crashes and Bypass Checks 282 iOS AI Apps Leak API Keys and Open AI Proxy Access in Network Traffic Study GuardFall Exposes Open-Source AI Coding Agents to Decades-Old Shell Injection Risks Microsoft Warns Poisoned MCP Tool Descriptions Can Make AI Agents Leak Data RustDuck Botnet Rebuilds in Rust to Hijack Routers and Servers for DDoS ⭐ Featured Resources What 200+ Security Teams Reveal About Using IP Intelligence in 2026 Get Hands-On SANS Training for Today’s Cyber Defense and Offensive Security Challenges See What’s Really Exposed Across Your IT, OT, IoT, Cloud, and Mobile Assets Get Gartner’s Guide to AI Agent Supervision and Runtime Controls","https:\u002F\u002Fthehackernews.com\u002F2026\u002F07\u002F15-year-old-ghostlock-flaw-enables-root.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEid8ZRwAprNDN6zAPixm22IlrKWp03FJdQF0TxCV5v_jxckPLkOHRSzHQERbDNw_FZdnyluuhyphenhyphenGZ7pSX51cjBl-S8PrqhgARlAe8VfWPabk7t4hAy37ZSrRu6oXfRYlXP7s1x1OBYW9WHmgWobGS0wiC0mrO42xHWHrSI3ICLM5OFzsOA3tVCcs4_N1yPU\u002Fs1600\u002Flinux-root.gif","2026-07-08T06:16:44+00:00","2026-07-08T08:00:22.371378+00:00",9,[18,21,23,26,29],{"name":19,"type":20},"Nebula Security","vendor",{"name":22,"type":20},"Google",{"name":24,"type":25},"Linux kernel","technology",{"name":27,"type":28},"VEGA","product",{"name":30,"type":25},"Futex priority inheritance","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":31,"icon":33,"name":34,"slug":35},null,"Vulnerabilities","vulnerabilities",[37,42],{"category":38},{"id":39,"icon":33,"name":40,"slug":41},"574f766a-fb3f-487c-8d2c-0720ae75471b","Zero-day","zero-day",{"category":43},{"id":44,"icon":33,"name":45,"slug":46},"c70f3a41-2f0c-4608-870d-b8cbcd8be076","Cloud Security","cloud-security",[48,52,55,58,61],{"type":49,"value":50,"context":51},"cve","CVE-2026-43499","GhostLock — Linux kernel use-after-free privilege escalation flaw affecting 15 years of distros",{"type":49,"value":53,"context":54},"CVE-2026-53166","Secondary crash bug introduced by initial GhostLock fix (CVE-2026-43499)",{"type":49,"value":56,"context":57},"CVE-2026-46242","Bad Epoll — related kernel privilege escalation flaw discovered in same timeframe",{"type":49,"value":59,"context":60},"CVE-2026-31431","Copy Fail — Linux kernel vulnerability already observed in real-world attacks (CISA list)",{"type":49,"value":62,"context":63},"CVE-2026-10702","First half of IonStack chain (Firefox-related); part of GhostLock exploitation chain"]